# 25/08/2008 XPantivirus2008_v880421.exe Trojan

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"XPantivirus2008 Trojan"; flow:to_server,established; content:"GET "; depth:5; uricontent:"XPantivirus"; nocase; pcre:"/XPantivirus\d{4}_v\d{6}\.exe/Ui"; classtype:trojan-activity; reference:url,www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/page4.html; reference:url,seo.mhvt.net/blog/?p=390; reference:url,virscan.org/report/a61cd44fc387188da2ee3fbdeda10782.html; sid:9024; rev:1;)