# 16/10/2008 eCard Email Malware Attack

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"eCard email malware attack - Trojan"; flow:established,to_server; content:"|0d 0a|Subject\: You have received an eCard"; nocase; content:"e-card.zip"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/blogs/gc/g/2008/10/15/you-have-not-received-an-ecard/; sid:9032; rev:1;)