ET MALWARE WORM_VOBFUS Checkin Generic 2

SID: 2017784
Rev: 5
Source: et/open
Created: November 27, 2013
Updated: March 17, 2022
Classification: command-and-control
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WORM_VOBFUS Checkin Generic 2"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; fast_pattern; content:!"|0d 0a|Accept|3a|"; content:!"|0d 0a|Referer|3a|"; content:"GET "; depth:4; pcre:"/^\/[A-Za-z]{2,}\/\?[a-z]\sHTTP\/1\.[0-1]\r\nUser-Agent\x3a Mozilla\/4\.0 \x28compatible\x3b MSIE 7\.0\x3b Windows NT 5\.1\x3b SV1\x29\r\nHost\x3a\x20[^\r\n]+?(?:\x3a(443|8080|900[0-9]))?\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?\r\n$/R"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:command-and-control; sid:2017784; rev:5; metadata:created_at 2013_11_27, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_03_17;)

Metadata

created at: 2013_11_27
confidence: Medium
signature severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2022_03_17
