alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nivdort Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?email="; fast_pattern; http.accept; content:"*/*"; http.connection; content:"close"; http.header_names; content:"|0d 0a|Accept|0d 0a|Connection|0d 0a|Host|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept-"; reference:md5,a80440b3d9cb09898c0f12aaa05980c0; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Nivdort; classtype:command-and-control; sid:2025020; rev:9; metadata:created_at 2015_02_12, malware_family Win32_Nivdort, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_05_19, reviewed_at 2024_03_26;)