alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.PZE Variant CnC Activity"; flow:established,to_server; content:"|00 03|UPDATE users SET uname|20 3d 20 27|"; offset:3; depth:28; fast_pattern; content:"|27 20|WHERE hwid|20 3d 20 27|"; content:"|27 20|LIMIT 1|3b|"; endswith; reference:md5,39d55aa51967c001b7cc85f539055637; classtype:command-and-control; sid:2030848; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_08, deployment Perimeter, malware_family Win32_Spy_Agent_PZE, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_08;)