# DNS conficker rules by Jack Pepper ( pepperjack@autoshun.org )
# regenerated periodically from the domains file at F-secure.com
# The URL for the f-secure site: http://www.f-secure.com/weblog/archives/Downadup_Domain_Blocklist_February.txt
# The source URL for this http://www.autoshun.org/downloads/rconficker.rules
#
#
#
# Tue Feb 3 16:26:34 CST 2009
#
# Rule template. The rules reviewed in this file all have the same shape, one
# rule per TLD and per label length, so the template is described once here.
#
#   header   UDP from any source that is NOT in $SMTP_SERVERS or $DNS_SERVERS,
#            to $DNS_SERVERS port 53. Lookups sent to resolvers outside
#            $DNS_SERVERS, or carried over TCP, are not matched by these rules.
#            Hosts in the two excluded groups never alert, so a mail or DNS
#            server that is itself infected needs separate coverage.
#            NOTE(review): the exclusion presumably exists to suppress alerts
#            on lookups those servers make on behalf of clients; confirm.
#
#   content:"|NN|"
#            One byte equal to the length of the generated label
#            (0x0a = 10 in the first rule). No offset or depth is given, so
#            this can match that byte value anywhere in the payload.
#
#   content:"|03|biz|00|"; nocase; within: N
#            The length-prefixed TLD label followed by the zero-length root
#            label. nocase and within modify this second content, not the
#            first one.
#            N is always (label length + 3) in this file.
#            NOTE(review): measured from the length byte, the label plus the
#            TLD pattern spans label length + 5 bytes for the three-letter
#            TLDs and label length + 4 for the two-letter ones. Check against
#            a test capture of a real query that within: N is wide enough for
#            the second content to match; if it is not, the rule cannot fire
#            on the structure it is written for.
#
#   pcre     Case-insensitive alternation of the generated names, factored by
#            shared prefix. It carries only the /i flag (no R flag, no
#            anchors), so it is evaluated against the payload independently of
#            where the two content matches landed.
#
#   rev:0    NOTE(review): revisions conventionally start at 1; confirm that
#            the tools consuming these rules accept rev:0.
#
# NOTE(review): Snort reads one rule per line unless a line ends with a
# backslash. Where a rule's option list continues on the following physical
# line without one (as the sid 1800002 rule does below), verify that the
# deployed copy of this file has each rule on a single line.
#
# sid 1800001 includes 107 (0 - 107) 10 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.biz)"; content:"|0a|";content:"|03|biz|00|";nocase;within: 13;pcre: "/(a(amkeraqwo|mpbgjsfvy)|b(ixxvjcdzn|xpbpvimtd)|c(escytqpen|laroxbkfa|mnnrntmpd|pgyhbfkit)|d(iczkdzssh|jpisfrikq|mfhftovxy|xlouhuvoi)|e(ifxezizxr|jhgbrcnpm|odmjysgqj|wrrosjaeo)|f(erjmlsdwi|lkmbvbvhb|pfdgwdgqv)|g(aquhzicul|ejprnxnsb|fcwpzvwuu|lshupfgoo)|h(aipjuvizr|k(rlouinuw|synsccig)|ouqsexozo|x(nnfsmszw|scizozzg))|igqnysvneg|k(glezqgnpx|ijjpvwcjm|pfczebeqy|sdirtszwm|ujggnorxq|v(fvpszaxv|jdwaticz)|yilqhaevt)|l(eplvkseal|gyqllchsv|knkaotkis|pqnuhjbay|tawdivtyy|ucwagmlpm|xijqgcudv)|mmdcvkyiyh|n(baljxublq|dyxkxaxvd|steqzugfr|wynlwamyi|yczxutmuy)|o(alvvdzcvn|buifmafnt|jajhzzdyk|rhaumsxfk)|p(ffthvezbf|ibroopgkl|kvcrldepy|lggejcsni|vgwblseru|ynlnnyxrl|zvjejamkv)|q(byemqblya|cimjafucd|hicobspqz|juymtkvuz)|rcavymltxt|sisokevdud|t(cngaetsid|slzsbjfqy|uqmkyjjtr|xdqaaltce|yhmkzncif)|u(biywmgsgr|ctsowwgmi|egouowokq|fazrsmrmc|kqiawhtqd|ldkodnkep|nvndijxzq|wwglriisw)|v(kiekjsibs|ljtjpucxi|phgegmhae)|w(exznxcezl|gtylzoqwk|nlhztbubp|vpuoywimo|xopucfwtv)|x(abjxjlmzl|jepksyzmr|lzbhthtxo|qfdelcoqf|rgcklnazu|uudqhtfai|wlhjfvcut)|y(hrneiztdj|oviqamreg|s(lqppecdy|yaeqbjzg)|yjpjnaeph)|z(iwhnrnrov|lqmzbokhz|n(xmxzanms|yzflhjde)|rzzvqkiip|ywwigoqzh))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800001; rev:0;)
# sid 1800002 includes 115 (0 - 115) 11 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 
(msg:"Conficker DNS lookup chars (.biz)"; content:"|0b|";content:"|03|biz|00|";nocase;within: 14;pcre: "/(a(e(bskftjgol|rfyhlbugi)|mjucvfiokz|u(aspuwdjpf|yqegujfls)|xeeqhdgknw)|b(f(gzkwtsvzq|qfaqmjnxj)|l(akefcokqu|ojvbcbrwx)|uoxgakbizl|wipiihmmmy|xrffqzecsw|ztczfhfhfe)|c(doieiindmj|phjsluuspe)|d(dwwmybtbpc|gcnyesjxer|hljymmhahb|ixfyswnmhz)|e(ahvrdpgmgq|gukwpexppg|oelvvflooz|qwauheoyhv|ubimxqhowo|vfelcrrvyq)|f(fzxnojbfeo|gikqowcruv|hvseyjxgyd|iwwgjtpzqs|lglmiearxs)|g(qeerzxtgpu|yarxlexksc)|h(abreiqryje|erhuhszxux|g(csfsrhffr|oqepyhfxs)|hmlgjutfwb|ozzlvzkzfc|r(ppkvcnrwu|zeaazfxrk)|zpgrnyoddf)|i(luspqutisq|tupksabkgh)|jevvluzpmab|k(byzjgjkpze|c(nsvrtmljc|yqqyfribr)|evnbgtnqss|jqkifyytlb|kigwlybrcj|rzzebiokxn|siskjsfmpw|zlqfkcupqk)|l(amhplpadkn|b(adyevykqa|etgwwshrf)|htptyaqbzw|lhvgqnfgbp)|m(cpkgybyakw|djywdrouxp|nauqgvvwtg|wcurnaancd|yvthpfzrfg)|n(brdtgtfbkd|r(exxafiger|rqqbmrqhl))|o(htvfslpnqy|ikbyktfted|tptmxbfspk|vybjclfiix)|p(khwqbtgnax|meggbpduug|nldwlxihka|siommmawqw)|q(fxahfnzrey|gvdewfrugn|sliadryqdl|tfiwzoynvt|ztsgdxmpqu)|r(mktfaklohq|oigsnrtvds|ptnsiqmjko)|s(heibwdyuvp|prqpgmxgxu|uoporuovok)|t(fzpfwcmldg|keyobhshvu|xylpyufnwf)|u(ckilshenha|gnkuzoqgki|l(dnbkdkumm|ffjtkvrji)|ojjvetarlp|pupibjpwqv|q(cazwzegzn|msduvtgww)|weacujeuoi)|v(bbhdrbbfwt|cgsjfkeuhy|zhbblmarub)|w(dvgdthzylc|onkbberwbl|qvmvfoxadp)|x(etmditkqyc|f(sfipdnphq|yenknrbpg)|xjvxbcauub)|y(edecppeapc|mkbmxhzbix|vyyovfzglu)|z(cutlqarzlc|gqutsstjmq|y(jigaurnni|trjibjoiv)))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800002; rev:0;) # sid 1800003 includes 104 (0 - 104) 5 character domains in the ".biz" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.biz)"; content:"|05|";content:"|03|biz|00|";nocase;within: 8;pcre: 
"/(a(lxwa|prcn|wpuz|xkpp)|b(cehx|fsjt|rcjp)|c(dkdz|g(brw|vgv)|ixth|p(bvv|mcd)|qzru|vngf)|d(bexz|cfdh|fhon|iwrw|mgsn|xhqp|zpsu)|e(foln|nbzu|pddc|tfma)|f(cuvh|ecmb|fcbc|nygm|odda|qmzh|reum)|g(kowe|owhx|pegc|xkea)|h(brfm|kzsu|w(gdz|ouq))|i(flda|zswl)|j(lbnx|qfkt|uatw)|k(arqt|ntkt)|l(iwpt|teiz)|m(bspx|gvji|ziqk)|n(h(ajj|lhb)|knnj|owlk|sles|yhfo)|o(n(aet|vgc)|wcpa)|p(dyyz|fvzu|ilai|jjqp|lnct|xvus)|q(dwod|hewh|qzcj|sjnu|utyj)|r(byzt|zvvq)|sqans|t(aaeo|nyoe)|u(drgx|ijgu)|v(lzlu|mgdd|rhuj|vqsg)|w(b(jlu|rkx)|fqox|nsxv)|x(goqk|jbbh|onyr|rcle|shzw|wmrl)|y(a(dzo|wby)|z(ojm|xlo))|z(bour|ebpn|r(qxa|ugt)|x(krt|xno)))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800003; rev:0;) # sid 1800004 includes 104 (0 - 104) 6 character domains in the ".biz" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.biz)"; content:"|06|";content:"|03|biz|00|";nocase;within: 9;pcre: "/(a(eczbt|iaywa|sjvcd|yjkda)|b(mimdb|nibzk|qmbmm|rjqym|wvesq)|c(crxzr|febgt|i(dlfq|hijw)|jmgrw|nzvin|rkjjl)|d(dyhfp|hbbru|ndsqg|z(ixww|qnps))|e(flqgu|qmmhb|sumyy|zznrk)|f(baluu|ingwr|kwwjv|rrjns)|g(cdqdb|pxnut|rvcmt|tdjjg|wtvgm)|h(sjrlm|zambh)|i(ebyty|grvkc|pwrtz|xmvfz|zlplv)|j(e(efjz|pfle)|houed|lewvk|uqsxv)|k(aakdh|kmexb)|l(qwapn|vwgbr|wncni)|m(gikfg|svbau)|n(hzfuv|inefa|jowau|kctdt)|o(bmaqa|glyuu)|p(dejiu|fdgmi|v(bbml|vixs)|zdivk)|q(qxpzy|zbvem)|r(bifty|inisz|mrhxq|trqsk)|s(axvxv|cskkm|exgtf|igyyi|otwuj)|t(azrfn|fyobg|lgors|ptllc|sdxhq)|u(fboli|mvcnk|plniy)|v(aaswk|rfxnw)|w(dplwc|grrrr|lybsg|qcbuw)|x(avltz|cpmja|evxvx|rrccq|veewl|w(eric|sifg|tfxz))|y(murba|zywkn)|z(e(gjit|tuoy)|llecr|ozytj|yronm))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800004; rev:0;) # sid 1800005 includes 109 (0 - 109) 7 character domains in the ".biz" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.biz)"; content:"|07|";content:"|03|biz|00|";nocase;within: 10;pcre: 
"/(a(ttausv|uzxwok)|bwhifrq|c(erwsrh|flzxlu|rqjnek)|d(gjgkps|kankfs|rjwika)|e(eulxrk|ikansq|ltiufo|utssdv|xngczg|zlcvdd)|f(bdqqce|eolvfh|i(cxqhr|skbau)|tucmdw|vrcqnx|w(bvbic|fhumc)|zhsrcs)|g(itskff|vdcemg)|h(nizfyd|phktpl)|i(nlnjmn|xiwnul|zrxssv)|j(gucvhb|hhqexy|ioczsa)|k(ethoya|itkwkt)|l(cotclj|dziqmb|hujhva|rbmaqo|ttulxd|yujfjg)|m(cddeko|fkmwbx|lxqtmq|middag|ne(nsoa|xtjl)|osoigh|pvygak|rbqvtx|wkcflh|zunech)|n(bzhnxj|ekwcep|fkzzpk|kgdszv|yjhbwe)|o(gmzriu|ktijqy|m(akefd|wyymh)|npvphk|uvtxea)|p(djxefs|iutixv|nvmelx|pfsimy|wgojac)|q(fuvhuc|jfxbvm|xcxpni)|r(lgyzxg|z(bytcy|nslgg))|s(fkstad|leksch|rtsegh|tiueoc|u(fkibs|qiseu)|wdfxny)|t(bgcgpm|cjxugz|ggfaxy|jtsxja|lpigmj|qierhr)|u(kuqsmn|lktqmy|ttlowt|xpqlqs|ztphoq)|v(rpacjf|xvesdz|zzhznw)|w(gswqfz|lrcobl)|x(bdjhvt|cjgshv|qyzrta|svmvno|wzjwdr)|y(bwirzc|ijxxuz|nmeiwz|uirssu)|z(imdpyj|xlpnul))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800005; rev:0;) # sid 1800006 includes 228 (0 - 228) 8 character domains in the ".biz" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.biz)"; content:"|08|";content:"|03|biz|00|";nocase;within: 11;pcre: 
"/(a(ejxfzsj|fxbtzjp|g(bwulvj|ycocmq)|iwqogpp|llheamn|pzpcgrd|ryeayxz|t(feqisj|mxuvik|uorecs)|uebveer|v(gnbjkv|ikvnfw)|yarzubz)|b(aaxajgd|dcksudd|elsshgn|fqbsfhg|kbjejrh|lvdrosx|rpixjss|sqctomf|wwpbsra)|c(ggjgahe|hsxcoco|jfqcwit|kuzoxjo|nvhkquz|pealcdr|rzuhufb|sbpehua|tdhpwyg)|d(dpjxlgy|fublguj|khanpkw|p(lbrjzf|vgefth)|rjvgmfg|v(ckjzlo|rpczbu|wdypxp)|xiywpau)|e(ayilito|blxvaso|f(gduexu|oovbgr|sxbnyc)|g(gwkmzp|iofvxk)|kgcuaqx|ligidtg|yeffipe)|f(iwaoora|l(bcgigc|iykkar)|mtpjedq|qjysdce|rykdnxg|tudrbcs|uzhwrgo|zorwpwz)|g(aliycmj|c(jjoipk|rcffcy)|dyndevx|fasucmc|m(mtepxl|nzxonb)|tfhpzky|zqaxjrh)|h(cqqambc|dydhgsn|fqxwuol|heghnpz|jtufjxj|kbeyklv|l(exjuht|wditcg)|scqcent|t(aqyvwg|xpbhty)|w(laaogx|pawxgf)|xjlzumq)|i(mzwbwfn|ppoztyo|tzhyjaa|vlvqfeq|w(hbpxlg|wlkvcu))|j(azament|cvyykdu|mvmgpng|qzrmwtj|rwnfxyf|xgycvdx)|k(danmgsc|f(bijxzg|mjyzee)|slyqhld|u(esazza|oyqqzv)|v(nvwkah|uyljpi)|zzkemba)|l(a(qbfukn|szjkmr|wserfp)|ezftefv|fudaptg|mmqxqsz|qfhtgxj|wktihsz|x(erzody|yafyer)|ybewksz)|m(ejjfudw|otdurqq|uujffay|wlmvtvs)|n(cfbxpvx|klljcuj|mxnzldj|n(kaaqsi|xxojcp)|pdbblym|shrbhct)|o(m(frygsv|rdbojp)|nwkyhvs)|p(crdqkvw|hjosxji|tfburxw)|q(asjficq|bkvqkjj|falhafl|ghegpum|iayjduc|jhmxkxd|sqzphbn|tjeguoq|ub(vgudy|yrikn)|yrijhdd|zgyjhup)|r(aalbadv|bjeqpnp|gfypgjh|h(ntrjxx|zxknos)|jvlwhvr|naghjxv|reveufl|sfezsgy|wkqtoqf|xorldpg)|s(bbswcha|cmzswqu|hmvimbc|kgqvrxd|rvfpsfy)|t(g(ebxytw|qkxnuw)|hyxxmsk|immmhkx|jdgdlqf|oqkacan|qvwpiwc|vrdaqhl|wtvwecs|yujkges)|u(cmuaxul|exeygfy|h(veylzx|ysixxy)|jgrynec|l(iwlzca|mejlhz)|n(cibjec|fvvsov)|sgfgyrh|vlspttu)|v(a(fgbrzo|ntmmsh)|b(eovpdn|jstafi)|eudsqsw|fguvpbt|hjqxvsh|igaiqjg|rdnipky)|w(ahyqjim|f(fkjjhb|qzygvi|ubxhuk)|i(mmugmq|vgwlsw)|jtqbfkn|lpqoktb|oacrktk|pfugtqb)|x(bkrklrg|e(ishhte|wglfxe)|vlgoazi|xemzqzs|yfdhrfe|ztuvntk)|y(axhrsph|cgezydw|fyegobg|gtvvefc|izcfmds|lgdbucx|mhrxbrc|nfgzwzb|q(dzzlbq|fajzju)|sbavwcm|waeiheb)|z(aoycymp|eherorl|hajnucx|irhbkaz|qtbdube|rqbocaj|tkxgblm))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; 
sid:1800006; rev:0;) # sid 1800007 includes 101 (0 - 101) 9 character domains in the ".biz" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.biz)"; content:"|09|";content:"|03|biz|00|";nocase;within: 12;pcre: "/(a(iidiucwj|jviqwmmr|nmcwrztn|uvejsbbc)|bqgkritan|c(cpegjaii|ixaditon|nrqvrqkc|riltlcrd|w(iyvmpvp|pjmqmgq))|d(dphytane|eibqudfb|grizsxwt|ujafnyxs)|e(hlvmrqzi|ljnrvvkn|zxrkmqtf)|f(bhqyjtvj|vctnnkxv|yvjsklfn)|g(bagivkqp|loebahum|qjxwjgal|znkasvfs)|h(fesgyvnf|t(mnunrxk|pwfptbu))|i(bbivsfpz|ef(flqkly|kljxai)|hrwkuubg|q(dpqfkxn|iinulci)|rmicrxdv)|j(fplbyviw|jteatfjc|oyqfalat|pyagsafi|zsscmysg)|k(f(dbwlqhs|sbaxsjz)|gxofkwww|mmynovlf|yiyfagnz)|l(bxxncoun|esxnjput|fbhhsmfb|icvefkyv|x(toihiqr|vulvmvk)|yrgukfxv)|m(g(mounaoe|ylumwcw)|olyifjjy)|n(f(qptcqdw|vrhoina)|nlzvmxye|zmglfzml)|orxxuegoe|p(cmoqgkdm|zbtwhrky)|q(logqutck|plszkmhy|ssxelpaj)|r(bzcikvmd|eouydwdm|fuwbtpao|mbojgpsd|s(xnpbosc|yzyumhu))|s(qnumlqlo|ronnqvge|wbshwcwn)|u(afqnxnne|bsovnqdv|dvddawlm|lgfprulq|ovpetznu|sszqbnqg|xzjhuowp)|v(hasqxmxj|mxbpigde|qhjzyqmx|smidbelr)|w(ffdwuanc|gvfkydxg|hkwdbtil|txrphhwb|w(lcowdrm|sxlytbv))|x(ffieknyr|lnouzabw)|y(cevyefwa|mwekewuo|oygepkfm|tfzqilyi)|z(ahqcgizo|fyihnrwg|groktdeu|qoldhzbs))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800007; rev:0;) # sid 1800008 includes 132 (0 - 132) 10 character domains in the ".cc" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.cc)"; content:"|0a|";content:"|02|cc|00|";nocase;within: 13;pcre: 
"/(a(aeouvcifn|bhpxnxial|lsmqnfryj|nwekildcr|opmjpzmyh|qpuocfxei)|b(hsthnnesg|nfhiadhlr|ouqoslqgp)|c(duwccteoa|epxpctejf|gwlpvonlf|pwqgtohlk|tukmewyvg|vzlavptpn|wytfhenjk)|d(f(fxsxdybp|pumgiccz)|gyvmgbtah|hfxzitetc|kgfinbuld|npjgeearm)|e(artlsihbo|hxjcvfidv|kocpfstso|msfoxhhdt|okzmrisbw|rsbgkldab|wunbboqjs)|f(aezuisajd|eagexlsrs|salbmcoiz|tmilvvcyy)|g(fkkggjxde|jnxmdmvlw|lnjccmlql|sbcgxxohz|t(rxpwcdxl|xovrxwwa))|h(crwqwffsh|ixpdvaisp|kkoczgrne|oiniynjkw|vzgszerqn|ytydhqpcu)|i(azamxcjkd|gsnxavlug|tsuxznqcx|w(ernulnbj|zfaiieuz))|j(cdequdjrq|ijdlwbnzd|o(fldfwigs|rrvqjqom)|q(avkuoiku|ylzsheej))|k(fthavdmot|g(rlhunjov|teuptkgn|ztwfbwna)|hjngshgdc|ibzrdqbgg|kzhkyqbsa|wzspahcrj|ypjuqrhlz)|l(waeuuvymi|y(edqacpfn|sjzdzeij))|m(ncoksdofb|omisnkipr|rpojwbgnt|srvpbpchw|tbbiuqwyf|ujuxgtsfu|xussdjldq)|n(c(cjotfkcs|jxuiltfq)|jaccaekcq|xxhkgbbdf)|o(d(khgyrnfa|pdqroawc)|eomsuurff|oeszoohgf|qurpucmfv|skggydzpr)|p(jyugshvrh|leicphsrz|mulwmzcew|poosnzawk|vmhqcxxur|zxqqydsfd)|q(adgtwfqhj|gdqzyylpz|hrtqufcby|jmokzhkje|opwuuexkz|tasozeikv|zyrvndwoc)|r(gqrrwfeoa|hgyydcyyo|kbqytwqds|sazathuel)|s(cjmdvgmrk|snhicgcgh|u(jofaaews|saodlavq)|xtpninvky)|t(ivftzsxby|sqpmkeeck|wezyyjnxf)|ugeflvltyv|v(dahomfvfe|gggxseofs|i(gqlmbhmy|pynuzcwv))|w(jqbogswat|kvbczdzsj|mfkzwuiol|nreurumhj|rmrvrxfow)|x(fghwqbgob|nnwtwmqzy|r(yzbbnvct|zrafikkg)|wvlbnrcpl)|y(gysdugrzm|yjbeywcfn|zzgmzrklh)|z(dazqvhocb|t(aoghqsbs|moiqwxnn)|wtgmzrwma))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800008; rev:0;) # sid 1800009 includes 116 (0 - 116) 11 character domains in the ".cc" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.cc)"; content:"|0b|";content:"|02|cc|00|";nocase;within: 14;pcre: 
"/(a(flentvnvhe|goyaarjlln|nylzraford|oeteumgbam|zmmtjodaxs)|b(eqgcdnheui|p(wjnrmefot|xquouktsz))|c(ocgxlqajcl|wdxsxgndsj)|d(bipvrjegvs|hpbwrktwux|vrcyqnpklu)|e(doucaxispy|llvccimjba|mwiutgowmj|nbjfkkbyxt|oixsjeihsm|rujsjwdxah)|f(bzhayltupe|evfjnzgefs|gazzafmydl|itwghtohos)|g(dnspwtxaxs|knqpbccvvt|q(nqagxaqyy|qddfhbdbs)|tfpghtsrbm|uoxsxrolht|wajcfdzqfh)|h(cfjwodbxtm|ewykckjsgg|hgytdmrflc|icqkwsfgtn|nolgwbancf|pnujgimvys|s(cymmqyuej|voxztemat)|wleikymxdh|xcmauwtjsq)|i(fqxprebvbi|kagylezdbj|qqoxervyqe|sjfyzwoagg|yqfebgsogm|zegcfcipku)|j(bxvllxwrle|rsiwwopmoo|uddqhftyxs|xuwdnzqnno|zysmmczegi)|k(ceokxnrxub|kntluxogmn)|l(evtcezncju|kagyesmorz|mdxyqjklje|qjofntbgtn)|m(jyyuhljsay|serrqhaxws|ubyeytzvqb|x(banxbmuxw|yelfolbvk))|n(ewyvspvfwa|jkmwgqqxuj|mpaybkjqje|otmtlszuac|tsmrlecsnz)|o(edunyrouek|ffgvtenzcn|iwrqviazhu|jnzagowqiy|ojjzsgnctp|rexgraxdrl|ufrgpzaqjn|yqduhbmbyi)|p(amyfcdjozl|lbdwipvxmu|rrwxpdujtg)|q(dolfvphqey|ejwksoprdq)|r(eobqwkilit|ivvkrcowlr|jazqxfxmsd|peckjzfomf|zqzjvsifdf)|s(ixneijywxc|naagvfdlpv)|t(bpttujamcz|jwdqoeamkf|nzfyibhbtw|qzjmvlyeeb|tzdmasoznn)|u(bgqhviieje|czjckcyrkw|ddgabutnpi|etromhtnxk|ivjqfnulmh|mqfuqwmktu|ynbrymwazc)|v(kmjhrjguxd|laxurwstxe)|w(cnwtqgrwsi|qkbfpdckvi|wosffqdrms)|x(bxyocsckcf|shnizorkrh|upqqpocybv)|y(hbysxjcdee|indfyhpmbl|spvsbznejc|wnhkpcpgee)|z(bo(ppntrtwt|ycplmkhc)|hexbhrlzvj|nptaqencjo|zuljlnmlbq))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800009; rev:0;) # sid 1800010 includes 108 (0 - 108) 5 character domains in the ".cc" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.cc)"; content:"|05|";content:"|02|cc|00|";nocase;within: 8;pcre: 
"/(a(eqow|hdys|j(ngp|rqk|ztp)|scud|tvpo|x(hsi|lpz)|zdba)|b(amfj|dovf|fhcq|mkom|pfkg|udta)|c(aarb|fmvy|hrnk|jxar|kmku)|d(awfh|pmwr|zvka)|e(arxt|jrcg|qvyc|scur)|f(ksyx|mpml|yumy)|g(bkuc|crpu|ivxt)|h(fhty|gbcc|qjjd|yims)|i(dnvc|ewel|ndff|spxs)|k(iyql|nmas)|l(fraw|uurq)|m(coil|dmdo|eckm|gmrr|kkdx|m(lpp|rnq)|rjaz|skrf)|n(kloe|pleg|qfww|szjv|wgct)|o(atct|dtla|fcmy|lorb)|p(ecsj|zwgh)|q(j(awq|kew)|ooqx|ugqb|y(mfl|ohr|tgc))|r(ejze|jqjm|niew|ucfs)|s(crfe|geaa|jaqg)|t(carx|j(aat|spg)|mvnj|phvx|shds)|u(gjqk|r(hyk|tme)|ylik|ziii)|v(fwrb|vwvy|zbgh)|x(lnpg|nwfg|yfdb)|y(a(idi|jre|yuk)|iggf|qwtk|ymte)|z(ckdb|ebyj|odrx|sjan|viix))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800010; rev:0;) # sid 1800011 includes 121 (0 - 121) 6 character domains in the ".cc" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.cc)"; content:"|06|";content:"|02|cc|00|";nocase;within: 9;pcre: "/(a(ivkwy|pgtko|rqmhc|yklhg)|b(kxuvf|t(goyr|zasl))|c(ahgmk|dpykj|h(jfnv|opzk)|l(nldb|qysz)|mxkls|neads|vpjoz|ydggz)|d(awrue|lbuet|qstfp|rfeed|tpsrb|y(jhpn|snep))|e(f(czmc|iwyb)|ldsbh|nrsmi|yhxig)|f(jnqay|mrqbr|wgflj)|g(bffvt|g(gjio|ikyl))|h(flilb|tsaur|ymiif)|i(amkej|pbyyd)|j(ayyxq|blejs|mkdiz|pfxuz|rifph|vwxmd)|k(a(kvak|xzee)|ducgq|mqccb|oaznx|zunuz)|lbukbh|m(blydu|jbowx|lrsqe)|n(lplac|nkcvg|upydh)|o(cfwxn|nrehh|ujtlm)|p(ccjfb|e(sfnk|zwyu)|jmdtn|sbmqr|yfuwi|z(jlgd|uvoz))|q(bwwzr|cjxiq|gpyxv|qnacg|rbjxq|zkaju)|r(celnq|fwywk)|t(agcoi|cegtg|dzdgj|mdoki|uwgbh|vysbw|xzzhw)|u(gjnzl|mvvkf|quzon|rfztv|vtstx)|v(i(xsdo|yjls)|nggfk|ubptn|z(hxgk|jlek))|w(bqmay|kcdfa|mpjwl|nvilf|rldwb|taofs)|x(brvxo|lnrxj|qjjsl|tvdqw)|y(jknkl|shaza|tjlen)|z(blmqh|d(stty|zkzq)|jiviv|nveqe|optbj|q(ibkk|pupd)|sjijn|tlxpe|xkcax|ypudl))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800011; rev:0;) # sid 1800012 includes 110 (0 - 110) 7 character domains in the ".cc" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> 
$DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.cc)"; content:"|07|";content:"|02|cc|00|";nocase;within: 10;pcre: "/(a(bxakpu|idktvn|rnqdil|vumhmj)|b(iirqjf|ndhboy|x(uqjow|xnelw))|c(attgga|cfjpdm|lghvwi|nykthi|qfyjgh|uayqea|wgaepd|xywfen|yzbdsc)|e(isilpv|knhcde|sykjec)|f(jfaaiu|mpwuyq|ojpmxu|rjoyni)|g(gcguzg|ikjztx|mgbdit|sxcseg|zvmkvw)|h(hfxevk|mygaka|nmqwui)|i(chlvhk|fecfmh|iipoqk|pvvqlg)|j(ezypdb|l(qqquu|rjxlw)|mtgteu|pomdad|xcmyiq)|k(cnfufr|hgtkee|rcping|zecvfp)|l(d(eoxmn|wbkwx)|epgqph|gfqxup|hscgxy|ijalqz)|m(quyktp|rvzqme)|n(bckhzf|vuttbh)|o(ljiaiz|rncsbe)|p(czlmwy|qhomof)|q(abktvp|cyacnx|gjoigz|hjwjbl|ldphap|mfadrq|olzlkj|stvmix|taldgw|vmzqye)|s(elnrar|frasqf|h(iofev|wojlx)|lszffr|yncmgv)|t(cgarwt|dbhddt|hcuopn|k(ubynh|xkhyv)|laxvwr)|u(dbvqhv|leytss|qafvtq)|v(elrwcm|hvxfpo|prizkn|wgdbmr|zpyqbo)|w(b(mhbsj|wvhyp)|cqvpjl|ouzxeg|zgldft)|x(fwczdx|losfht|rqddhe|tswjzf|vfjmuc|zlyjft)|y(ixphqc|lzaxpb|unanzx|vlkxvd|zwehez)|z(fgpodz|gazgcb|skbwzk|tfxuvm))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800012; rev:0;) # sid 1800013 includes 219 (0 - 219) 8 character domains in the ".cc" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.cc)"; content:"|08|";content:"|02|cc|00|";nocase;within: 11;pcre: 
"/(a(aklpluc|bvbiija|cghygqi|dfjrlia|ezlxgcx|fmxfrfg|kxzthho|oysuint|rgbezcy|tgzobcx|uncnspx|wtwetcc|xlqrxaw|zvvdkdg)|b(clircfo|eovhvii|g(aydxpk|scmgzs)|ibcpivt|neoizhz|w(atelmj|jofsxa)|xlxtppi|z(jikokq|psyaxu))|c(cvlcdrt|ojgbpfr|shlfoqv|xukbezv)|d(bgnqstw|gceynjm|skqzdfz|t(lncxfy|nahvxy|olhzzu)|ugpxobq|wrnlkyn)|e(arlwwms|jkwkosp|pdccupo|rqlyllq|skgrvtw|vezwmwf|wzzkjit|zmpxkgq)|f(bihkota|htvnvwr|kjmsedy|pmtybfm|rdmwdwn|ygctzbm)|g(hyxdqeq|ktilxlp|muhxmcc|nutzhvx|rcolfqf|uvsbark|wwsfvob|z(httnxl|tpirfi))|h(eihtmik|hbuvpfq|lxpxjfw|pidyuuw|tkkojbe|xffkptp|zqyydbl)|i(d(hiplky|vstsoh)|hgtdpee|i(fibanq|iiuduh)|khljcjo|ygiuyek)|j(fkdhaqi|ipbtrgm|nprfevp|twnqket|vbggpns)|k(ez(cessl|foyqs)|g(ppjzyr|zhvssg)|keatzqs|noxewxx|tetadil|vnrzofj|wfnwepb|y(fftsec|lkzice)|zwiabol)|l(apqqhkh|emfbgsj|kvfxxja|mieabyz|naiwrwq|z(nfzvab|zwlkzz))|m(bjededa|ezuqgrj|hlnizfu|mffanql|tevsuyj|ukmrmno|v(flrtre|sslocb)|zeeudnf)|n(bljxmys|e(hruxvu|qnpqzy)|hmhpsal|nvyztjs|qbmeswl|sllitjh|tnsdavk|zlklaul)|o(cnuutdc|e(ekevbz|pmoayf)|lpebcxu|pnnugxf|qchexbc|uyjpvjp|xeaqcqj)|p(aykdzee|ftpsgkh|hkajemq|nvkyvti|oyzizdi|qujjjqz|wurarmh|yyfqtsc)|q(gayfsvv|kzsjlke|lbipppa|onsfxge|sdevuhx|tmmqlhn|ybgneto)|r(djctqxy|g(ebqfky|knkeug)|hcypryu|ljsboda|uiwqgem|xchcthe)|s(a(mhhlsm|ngcegp)|bmnoiof|cszulix|r(mxxnfw|txytfi)|tgerfil|vtcljcb|w(unekex|veigmu)|xvqdldn|zdhzuiy)|t(bvovmyd|dbt(hwxq|ypmn)|gzhmsde|i(gysjnq|sqmlsg)|jjcikcy|kphdaca|naaqjqu|tzzvrfo|xkffqzb|yoitrfd)|u(evprsie|jbrkhpx|mkiozwh|qgpswra|v(cyogmb|rlzdip)|xpaksbu)|v(cnuzztt|ifqhgub|nwkfwgz|xvonuud|zslzjbk)|w(drmldpi|foreqsb|iwjpxuh|kgxweno|osnxmoz|swnahsk|zmdclkw)|x(dndrkjz|esbtreo|ijacexv|j(lvdsol|wkfgeo)|oaofixy|qllsdhf|uptopvu|wwcvhbv|xhykrdy)|y(ajhavxl|byjaovs|c(dfursl|kvdgrt|oosytm)|imstmwg|jyzjdds|kvojyql|nglotot|oegvilh|rewowur|zweshaj)|z(eljmeno|f(jvhdlj|tdulye)|rdbhbdg|ygrxwct|z(buvjcz|eeqsgt|oxyjeo)))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800013; rev:0;) # sid 1800014 includes 116 (0 - 116) 9 character domains in 
the ".cc" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.cc)"; content:"|09|";content:"|02|cc|00|";nocase;within: 12;pcre: "/(a(f(alcxxud|gdwhnjk)|gbbtcvhf|ukacrogz|vqiviqta)|b(k(tkrekes|wkbdyqe)|lausfeud|nzzyzvkm|zvayaswy)|c(mhfojsbc|p(agaffxj|uaewccn)|qznazwgc|sgwmmijp)|d(elecqmzg|h(eyrizjy|kwzgbmz)|mdentzvg|tlufngow|u(dffpbkz|zgtgqza))|e(fzvssfpk|n(drdhijx|gfnydmq|rxsxtty)|sollhnsg)|f(ibmkcfrt|kgonzvva|odfxxwpi|rmlsseyj)|g(gzkdcpuz|jispmhqk|k(whafwuk|yhhexyz)|sknspimf|vemhlvsa)|h(dxdbjlqc|nxhoclbg|v(ciypjrm|evjvulq)|wismfiyo)|i(igfekefk|nfwthxxb)|j(atvinicj|dnf(jpvhb|nkxkt)|nvuoqjke)|k(gbdnmzvw|tagernat|uonxhmii|xnfjgrob)|l(epguwufg|pjuvnrtz|uvffoalh|zdfoxnxr)|m(gvxfadyf|sjzongmj)|n(amamiowq|fjzkmykw|uaavsdpf|zhchgibx)|o(lultbfvq|n(odrptvs|xhwefxi)|vcdhzcjr|wzhzjjbm)|p(jrauosyz|ktlyyxwc|mxymhvom|okguqaip|ppwovlwg)|q(hpolvizd|jpifsgyq|mjajbhlz)|r(nyktvxtf|vbdrqudg)|s(hylqiuiq|jhkdarvt|lhvdudnf|pjcshgyf|uznbpapa|zkaboqsz)|t(kingcups|roiiabfc|udeimpru)|u(awcbjxis|fhraloau|xanqeotk)|v(fdnzeurq|hpupovxy|jsmabscj|lsenoqzo|nftvuwsc|qxwpjbon|wfaonhvn|zzuvgpkx)|w(evlmmten|l(drwyjcl|iwjdtky)|s(bbwkdhm|mxdailo))|x(jqzsrigh|ldrytzgs|myifuhae|trfnjzzu)|y(csmybgme|jabarftt|tddxgfjb|z(inlwjnk|johginc))|z(fmpafgwj|liqzcgfs|mfyxvjqk|nkbbrhlf|rjambdjy))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800014; rev:0;) # sid 1800015 includes 102 (0 - 102) 10 character domains in the ".cn" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.cn)"; content:"|0a|";content:"|02|cn|00|";nocase;within: 13;pcre: 
"/(a(aqzxqrwba|bfhhibxci|hsudvdedr)|blvdpxjkel|c(ckefhvhig|diehhkvmh|fgljwjrdj|wkscypway|xcfgyvsip)|d(ftnpeqzit|kxdwtutub|pjvgkgffa|ubxvdrbns)|e(dlkankacz|fjyojsuqe|s(hsjmvlri|pfjcrwmx)|vhwipqkzh|wcygdsezo)|f(fcwvlgamx|snblkgqld)|g(clkcjbolr|hhnojyeoq|ifmekgtvv)|h(aoatqbljr|edadqfnby|kdvmrewie)|igatihupxy|j(jwnwottaj|pveivgaql|sypnhvuro|xtmwtvwvr)|k(hlvzelnrw|jhyjocuwc|mghsdkdlc|q(ctexogkt|lzfodpxt)|rffyfbjum|xorgujdni)|l(dlllczroy|slboxexyt|ukufcsgrn)|m(atlmuftmd|kncvambqb|mjofewfbz|oftrbtjjl|pyoutvhks|qgqmwvlno|wzdozwwei)|n(apxvtggip|bkjvivknp|g(fgzrwwrf|ukkkjnxd)|ibfscsrke|uhfpcccvd|vqfsypomx)|ogfgrlsggb|p(qhhhkwxhx|rxkdfhuko|u(imofzpcl|vrduzqas))|q(efeblddml|huuaxmcmm|xrnjpyctb)|r(cbyhvcrwa|v(fykydvwi|ultcjbuo))|s(aqxofwayc|cahghjcie|gacxqoybh|javozdtlq)|t(hdcwdksjm|jjiztwcou|kafooxvch|rootsvamx|yzatriduf)|u(bzlifughs|eelnmvdnk|gyhpbprwr|lvpjjkvcu|rdxcorsqk|uowweqohk|zyyqpoips)|v(colhdduik|dkxnnbwfm|vwqqbvotv)|w(dqfchpyit|epvixvkqg|tkbtzzcqu)|x(fcycbggaw|mv(gwbvwlo|owigylg)|pgvysyxnj)|y(dknbsnwfr|hlgrmmkwc|iqwstlwgv|xsepqiarq|ywxvwexbr)|z(dmbenveex|fkioxrnhy|lplfbredw|vxiohgelf))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800015; rev:0;) # sid 1800016 includes 112 (0 - 112) 11 character domains in the ".cn" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.cn)"; content:"|0b|";content:"|02|cn|00|";nocase;within: 14;pcre: 
"/(a(mtzlrqexos|pctjvvflgm|ststnvshyc|veplabpiog)|b(dqdnndwmym|jcwkttwbaw|kzsafhfrhe|txswozbfoy|xlcmnyqcrc)|c(divowggxft|euasyixfib|tmxojrvexc|yeayuhnnwz|zddtfetczp)|d(cwvcrgbdkw|feomxyiead|rhimkgcklo|witpxsrgni|zwwjielewg)|e(dijzgqpsgf|kldfkakeil|pzcihpcpeg|qjekjexswb|tcssegbnvf|xrphdccltk)|f(aineadnehy|bnimxodunc|cpbqmpfoyq|jymrjejshu|keqemstlpz|qhgwgfyawr)|g(ayvdpcospp|e(psnfwwwoi|zfinkpsus)|mhbyopfxop|zgoltqemuh)|h(dkoezzfigq|wruxuyrubv|yqhmvzjtei)|i(a(fsjrrtuiw|nwvwtdmjl)|lscytqktce|n(surlqvhvh|vpimlqjcv)|rtrjrulskr|smqzyjyijq)|j(gaalkipqbg|kynqrjvurl)|k(anoxaugeio|b(cmxwrcxwx|jedftxmpr)|inrxruowoi|puxelzixhf|qixatuuvmx|vxqioqbtlt)|l(ctbfosxawh|gbjsbsouxx|jwvjzaugyq|tztfnxblmo|xpdehemrtw)|m(dqjopxpqll|futamkisyt|vusjwyuqvb|xkrwbyzsax|zbakypyzlm)|n(cxupghplol|gagvhudmle)|oi(fthutacvk|tbytoeqfx)|p(gcuxsrjgpd|nkioypwjcw)|q(aqwmfjynmk|pfvfblzzpv)|rxccxskrbga|s(cpakoggetx|nkcfzxaheq|rtysfesysj)|t(ogmnpwjhle|v(mfjtdpaqd|zbrtjyzuz)|zpkgjpxuoi)|u(dhptrbaazm|mqtarbxcmw|soqghuemmw|tbimmusuxn|yzhcxigfuy)|v(ehlidlesti|jserartvqy|lbmfokvnne|pczdekreiw|xfquswvuig)|w(apbyseplma|bvwzllblbx|dcegogbqvj|lxjtkxrbyk|njfjuouots|tkgtnjqlwj|zdmkmilbab)|x(avpwmhbudw|dwgebaauin|fuzwxumlfl|qdmhmahmpq|shvtqskhlr|whusrhizah)|y(jlzdprmirt|owejpctrmk|wckrimplau)|z(kgcfaueaeh|lxdfhppqfa|q(cvteljuex|mwypunqap)|ykimwbbtqp))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800016; rev:0;) # sid 1800017 includes 87 (0 - 87) 5 character domains in the ".cn" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.cn)"; content:"|05|";content:"|02|cn|00|";nocase;within: 8;pcre: 
"/(a(jblt|yhir)|b(paqq|vdax)|c(ctfj|mopx|nlqi|vczg)|d(dkss|jedo|nepm|snte)|e(caul|tiue)|f(fhms|nesw|rswi|yhij)|g(czah|nmzn|tfgu)|h(dzfw|gnns|vkaf|zoyt)|i(amws|efhg|pgjm)|j(alhu|bhkh|hzyi|nari|x(evw|xjj))|k(qafq|rplb|sulw|wsdx)|luhkv|m(gepx|hhmw|jgfk|kzwv|ufqf)|n(asyo|nwyw|phnr)|ojeoa|p(lprt|vwhx|zfnc)|q(f(dzi|gid)|nafc|sfzy|twsu)|r(byrn|gbzv|rwjj|wvfb)|s(havy|iluo|rbzb|sgdi)|t(qpmv|tjii)|u(srqx|tdfk|wgey|y(iah|sqj))|v(c(lci|mau)|dsde|fmpw|jwyu)|w(fghs|olhe|xgnq)|x(innv|pwme|zqpj)|y(iqpp|ydso)|z(ntip|unfg|zlay))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800017; rev:0;) # sid 1800018 includes 107 (0 - 107) 6 character domains in the ".cn" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.cn)"; content:"|06|";content:"|02|cn|00|";nocase;within: 9;pcre: "/(a(chrhv|nvdqm)|b(mypvq|zfucl)|c(aamsw|cvtiy|ewijt)|d(gdiqv|wrdnt|ydgtq)|e(dagts|hhoxk|jejyz|siess|vddpm)|flnwod|g(bkzjx|sr(qsk|zir)|ubpsy)|h(fdeld|klkvm|ntlbr|w(npnx|ppfw)|ycprv)|i(anmsx|binyx|ltnkk|rkiak|wnqje)|j(jsrxk|ltvge)|k(b(maae|qsht)|fccpk|hekue|j(ekqf|rvhq)|qzsks)|l(hxtzh|ysepw)|m(exnww|rfpor)|n(gbpwz|kiduf|lggvh|sanoz)|o(alwqc|baddg|i(qeyv|rrxu)|jhzoa|nxatx|oxkgg|uegyd|wdbff|xukct|ynqfu)|p(otzxw|qumck|vitfu)|q(nacqa|uqkos|wusil)|r(aqmrl|ncreh|v(hvbi|tzck))|s(agosv|m(lkhu|nqjo)|qshug)|t(khdrx|mtrpg|ramqz|zqfiz)|u(jdomf|sczgt)|v(cjpll|dikzl|eabkr|h(euyj|hfwy)|kwhdn|teqnx|unoxb|xopad)|w(bwxwj|j(ejuk|mtwr)|uiatp|x(cdra|lfit))|x(izpgl|s(hoij|jcsl)|yxbqh)|y(anint|oguwx|pgdkj|rvdzk|xwnwn)|z(gymxn|kzoxh|xsrni|yeonc))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800018; rev:0;) # sid 1800019 includes 110 (0 - 110) 7 character domains in the ".cn" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.cn)"; content:"|07|";content:"|02|cn|00|";nocase;within: 10;pcre: 
"/(a(gyzryd|nqkide|usxpxc|vqdzen|zzdglq)|b(amzgpe|cbeocx|iodqqe|nnbfha|pjdppq|ywcuie)|crpgssq|d(aytmnr|kkblaw|mglpsf|nkiwhp|r(aitvi|ovztn)|yitgyw)|e(fenajn|hwllke|mthrek)|f(dyoqme|ngjkux|ogaivo|peyvbp|zvvwxb)|g(gunool|tubkaf|waoohi)|h(apaymy|dqrfbi|eygsbv|gfagsl|xjzfpo)|i(babwjh|dedpwz|npetsc|roknwv)|j(eadywp|ohgkmk)|k(skqtgp|vzqusr)|l(hdtyww|imvvft|lgkffu|rzdbdi|vawhes)|m(lpwttj|rllufm|vbposr|wrqsaw|zcypzn)|n(gwottm|hkzdzh|msfpoo|vvqyds|wrfldb)|otyqlgj|p(avjzde|d(eifrv|mcgvo)|xvkhdd)|q(dofhtn|kutpgy|lnffol|nrfhab|yujxpk)|r(imtnxo|mampuk|snxwtl)|s(ahjbzm|gxykke|q(jwhcl|pftcg|zsuya)|shnzek)|t(clfvhw|klekgu|pkbumd|qxzpdw)|u(ldhoic|rrglga|y(gmqsa|pnsgg))|v(exdtva|kvluvl|qwnnus|zuqako)|w(g(cqzae|tesvq)|inzhhi|lzslrk|midqpt|xzbnun)|x(cawtpe|d(jngyq|xeqtz)|eeeute|fnaalb|usqayr)|y(baoouf|oupirm|urewvc|ylsjrg)|z(arozmg|biajjb|nirdem|sjevzi|txxnjh))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800019; rev:0;) # sid 1800020 includes 226 (0 - 226) 8 character domains in the ".cn" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.cn)"; content:"|08|";content:"|02|cn|00|";nocase;within: 11;pcre: 
"/(a(cmaaefk|g(bhqpqz|iqwzci)|i(gcvzwp|mmuemd|pcauis)|m(ehmkfu|qbqnvi)|obsamla|peezqhw|qgccokv|sucwrnu|wmgizdq)|b(fqwkxts|ikirkud|jcmziji|pbgpzul|twktebh|wbiwdpk|yrzvtym|zjmrcbx)|c(deutnnc|fhknbqp|j(johueb|wuueox|xehyzh)|rknjjsq|vtzsmyt|xwupsmm)|d(dbkfesl|fmjdagt|gdijhiu|mkqedir|vikggki|x(nzqgyp|xtguww))|e(awzzxbg|cpsmjco|d(istcvd|snqvfb)|flcewpc|gzyupcv|qbuzdnv|s(ppshar|wmmntu)|xkebigz|zowtdkl)|f(drcfmmf|fhnifsb|gdiupvv|lnrzruu|matgosv|quzyntd)|g(adlzeyl|f(hsnlop|nrmquw)|khxjkbp|lpwjfjw|n(evkdwk|lswyuo|omeyzb|qtjvnz)|ropthyw)|h(ahkghrm|ckkibuc|ezmeimj|fqbxujt|hygebtt|wmbwoms|xfdutvk)|i(czxjalk|ekamarx|fpwpjvs|pbxqjtw|rnfflmj|ujoavyb|vg(ctiat|hjuxg)|yomneyn)|j(a(itzdar|licbea)|btdotcr|cfcvjdq|hahkyes|nebuhti|qdcrkmy|riqggkw|utrnpkh|ygotrvf)|k(dptjjvz|fskvbab|tzewdtw|vgfibjs|wsrgoee|ymuzqkr)|l(bjuztui|d(fvnlxp|xsrges)|eilbiao|grhkzke|igztnjq|ptzfueg|qacxgic|rrfeazw|ssulgcm|t(bnatvp|gdjtnj)|v(knkzxc|oefbgi)|zlwgyrk)|m(cbcalew|lhoniua|oquzkex|rykgkhn|sqkrrbl|u(jvbaqi|lcgtwc)|wvyukdo|y(lecqfa|muunbe))|n(abncyuw|bxgmngk|fpmleaq|hpytflz|oefynik|rjsiqfj|ss(qcoqj|wxruk))|o(eysrnzp|fuvcfiw|hetniiy|izfxbzc|jzimrxe|m(ajejfm|gzhckz)|ojxabfn|qoyswtg|zrrpjpw)|p(bkcnrcn|gupikjt|j(ebusno|mggaxx)|o(jhbuws|usjtvx)|ralfura|tnldwav)|q(autntgf|cjfpwki|dlinqkj|gzbblvj|j(hjdhlz|jrkniy)|lpwryfw|mtpueij|ohzshqs|qpnaajt|rweyxte|tdpwbqe|vdzfaho|ylslhes)|r(alhutpu|flzjrum|hfkejzf|javlutq|lslxdey|rzspoaf|ukczmad|xczbmld)|s(dxysffj|nrehamj|zsbgama)|t(dvgojfy|hxdquzq)|u(abunivo|bjodoye|cnnloin|gkoregg|hpbnqlc|luljjjs|qfzolyp|zvnheey)|v(g(cyhzoh|kejpqr)|kszqxrh|lkhsahn|pxzacqm|r(nxwzaq|tdipjb)|wcylhjx|xvtklfi)|w(clcusdc|gythzbq|htoggsn|lkxnlrq|pyllvth|r(dbxtbc|ecujjv)|wfelzbr)|x(dihjups|e(amunuu|pfjzwc)|ggorldk|mqvvfhk|o(ecpucb|kdyfov)|qdvmavs|s(dprttq|pcwvxa|wqjgwi)|zpcpocu)|y(e(dahlup|nrkesj)|tcagtse|wdrwurh|z(ekqdhy|leypgz))|z(c(bsjuzm|iyretl|zeirxt)|gqekvtm|harbzer|n(jziqkc|mbbkqb)|wmlovmt|yxtnoyl|zycqxtf))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800020; rev:0;) # 
sid 1800021 includes 114 (0 - 114) 9 character domains in the ".cn" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.cn)"; content:"|09|";content:"|02|cn|00|";nocase;within: 12;pcre: "/(a(jrtspspa|nhxtjewx|prhlfybx|zwwswcie)|b(l(ktrhaya|wcmcjem)|rddnubaq|uciscbyi)|c(byjmgbdz|ijzeqtqo|sqrqlhrt|vgdxowoy|wqjlwbsy)|d(dxmqnzze|jzulzibs|qnxltlia|szozhogy|upslopgh)|elncpwxyy|f(dvlwxoan|ibdelhxw|ohjgjtkg|rqawjlzx|upavdvgx|yikjxexk)|g(o(efxuebv|tpusfxj)|pykbxvji|zamvpzgr)|h(eqsokxwg|fauaroym|hfufauvc|jdsoovbn|kpimltdx|phoghscy|qrgjwwrl)|i(bzoerucq|hfoykixm|islvzxhn|jbzaasaf|ohtposyx|wgaxdscz|xutcqcgx)|j(abnutnss|ifctzetg|nbashdbd|wkzoouzo)|k(izufgjwr|jyoqaedp|p(iajdeig|znavaza))|l(dnlnovmr|mvvxbwwi|oqixmtww|rmvadlzz|uyfytecc)|m(adkhgqkh|gyeqxmja|hofzwquj|rygdnlqk)|n(boegmfwt|szeqidjr)|o(fupwdeoe|i(lofxlwa|xjuxchk)|zfzumjzm)|p(ibtjbfio|nqaliunq|txphpezq|uvjauzak)|q(i(nuerjgx|ulotxgo)|uhadtzhf)|r(dexbtmbl|jxwaaely|omkeunpx|tdqveaty|vtamwuej)|s(fewlklal|pxkyjpsp|qfhtowtw|rhecfvsr|sjqbgpfj|urldonyx|yzjnqadt)|t(n(agofimk|rujiwcv)|tayfnqfm|vvheukpa)|u(bhgfypid|dborfgbg|it(ecyjld|rihnoh)|jrnewgru|psjmozhl|vrxxqewe)|v(azhiuxkv|izrmmimz|wcfpqfrp)|w(lpgvwvnu|mkcopyel|tjobooih)|x(eembzial|jienyyvu|nzuqhiov|u(aqxyger|buzbxib))|y(aedwfuvk|pqhgbcgn|qyexlgpz|usgncpgt|yajfcpyg)|zx(ajzsixs|cbkiise))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800021; rev:0;) # sid 1800022 includes 121 (0 - 121) 10 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.com)"; content:"|0a|";content:"|03|com|00|";nocase;within: 13;pcre: 
"/(a(clsflfvww|qshyoourn|rinvwzila|uazxosspu)|b(f(amqifcpn|mkknnlcg)|tmtldorfa)|c(dgpatgdzj|jtcbdegmn|sozbudxtp|tpakvlnsm)|d(ecmxgwovp|i(hmyunxaz|msobzulu)|oritwbdhn|rtfocskxq)|e(fkqpawrpy|jjeretjii|nwznydaxv|sslegoqsd|zdjyshzvr)|f(dopslagux|mambmyufd|nofdijadj|xqvyuqnuh|yvwsdpbpj)|g(d(ezvsllle|wrnrxkpz)|edtghgrip|snptjdwme|wagzlkkqp|zslzitroz)|h(djhrzvpzi|j(hfixzlou|uninikba)|lmcbijktk)|i(darkgrzhm|h(mlzcsjgf|qrjgfqui)|vzgpxusxs|ykoikpqxf)|j(cohbhugmr|nszzzydkb)|k(ervuhfmwe|l(ckjsuvot|sgwyuyni))|l(biacffzyq|dhhxmyjow|jrbkqcrqi|ntimtmspd|zuqkzfcxu)|m(abacgdzoa|bnzawmwrt|elerqenkh|g(uurdduja|xzmlwxdk)|hiyluence|moczybprb|qklzodtzq|srdyogbsk)|n(bftpalrld|ewemwkafz|gnoumvclz|uxkievael)|o(dhtvaylwe|hidtymkyn|idysqqpnk)|p(ezzxftfnl|lunhhbgqr|uimtlqhzd)|q(uzzvbzxjr|vsmrqmdrm|wrocvcxdj|xdkkpacly|zrggnrqst)|r(cyimutglo|dfarfyewl|flqrvdydx|lfwtkpfei|vmiyrsaqg|zgffapkxq)|s(bilhpphnk|jixpmmmdc|n(pminjjim|rsdiqlwn)|pt(aheyzvf|rhoxqkt)|rmbfkjcmn)|t(cevzrnoct|gvbjlcfej|n(hqtzyqtp|ptkkdfxh)|xvjauhdpi)|u(ipbktpoky|p(cmlutiiq|jcspkige)|rlwsnisgv|yjdlpiunh)|v(bwhhlfafi|k(qieqptln|wmjysckw)|veyjzawmv|zeokljpnr)|w(vfuetusyx|wlfqnytkk|xwemyyxdk|ywqsiczcj)|x(abntimrwb|m(ctgjpflf|zssuqhrt)|zyijkpxgw)|y(ebmykujlp|gvkfwxfdl|ipkvjmvri|jwgaoxpix|pytwkvkim)|z(eltfcskzj|lamablafs|rvabaekbr|tajzcyxnf|uqphtnsho))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800022; rev:0;) # sid 1800023 includes 94 (0 - 94) 11 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.com)"; content:"|0b|";content:"|03|com|00|";nocase;within: 14;pcre: 
"/(a(jxjyfbivbt|qdozwedpoa|vzjgvbyocf)|b(ugfeqqjphr|zectmxdset)|c(hwdeixwjdr|j(amwhmyaes|eaioqieyl)|nttjrpdegq|vlkapwddjo)|dblxgnroeov|e(cgojdrezfs|pghxnzcayb)|fbddsjiamuk|g(cntlbtqmwh|drvixainrz|godfldwxne|hkaaolhybf|okfnptwkkj|ueaqvefjho|vkrngljbkc)|h(acylwhxomp|dnxgzotctb|gqidnxgljt|iggbpwladh|qcenmglolb|vwhnogvlph)|i(bsyrwfioli|dgfmfssgab|ofwzcvyndi|wrbccncrch)|j(ecsydlgmqx|lzohprrsur|rtowbqzzya)|k(azkesyscua|btgvwkxubt|ggnzotkewf|hqofxcesuc|mdxvmegqnm|v(dlfcmvdtw|wjrhbizco)|yvccblhttl|zrhezfoszp)|l(bbgspxcapv|c(lzxcgyoqm|nomkjdmhe)|qbcjdegrrf|tocgoztntx|ymysnsgmfy)|m(aznkkspwni|bnkmhmyyaw|eqdksbpwwk)|n(izwodmqxhq|m(czivabshy|xtrtmqytd)|qlzonlldoi)|o(rrpuexbmpy|xhtvqggeeu)|p(bgvtmvtqcv|dnayfcardt)|q(cczqdwvbul|gdbibgvtvx|jofdixzldq|swtpkukowa|vnfaywhwhw|zooymslxej)|r(dwtyuufalt|ivyunrkskh|jz(keijkmnv|uxroyrbj)|xczeejwkou)|s(hoiserbdcg|ntxwdytxpx|oaflmpywku)|tvwnxuykkhf|u(gtwzfwpxva|hzgcgkujvs|okxbwcbrmf|wfszkzrcxt|xieimjfdma)|v(lpqeenasaf|qouxuylewm)|w(epsyxzntrb|nblaillueg)|x(hduumfkgaw|rclthrjydr|xtsnhgtofx)|y(bihllfqqik|mucxcpjxea|nbrcsthxfo|popvfrkjzt|qybykkajfh)|z(gmaqgdwqqv|noqzcykmgb))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800023; rev:0;) # sid 1800024 includes 103 (0 - 103) 5 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.com)"; content:"|05|";content:"|03|com|00|";nocase;within: 8;pcre: 
"/(atgdx|b(fzyk|jums|mwby|oksm|xejv)|c(g(hnx|itm)|qkyd)|d(hklv|jabl|mtye|p(ies|mqm)|qdxk)|e(aagp|tunw|xwub|zyrq)|f(hxfo|jjnu|qwrb)|g(fzjg|ival|pbhi|qyek|wzou)|h(chhm|dpsf|gezd|wevk)|i(brcc|dpaj|hsgu|opca|rxjj)|j(b(mcj|zqa)|nkyq|p(gcu|pgt)|tvdd|wpzs)|k(bnoj|gtev|iqzc|jqlf|soae)|li(cvt|smx)|m(e(dmk|xxn)|gvjk|prmj|stpa|yvgh)|n(njtk|tblx|wech)|o(q(xjh|yik)|sawq)|p(f(wjd|zkp)|llph|njsc|qbvq)|q(uegn|xsxb)|r(bpbj|ifav|j(btl|sav)|t(cjo|pzc))|s(bzyy|faue|rojy|sflk)|t(avac|feyn|prcc|vqan)|u(glsg|mngw|nqho|ovfy|vayt|zugx)|v(bbjv|gwyv|heid|r(tzt|xen)|xxuh|ztfd)|w(cxel|d(fzz|upy))|xclzr|y(iwvj|rbfi|sakp))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800024; rev:0;) # sid 1800025 includes 97 (0 - 97) 6 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.com)"; content:"|06|";content:"|03|com|00|";nocase;within: 9;pcre: "/(ausnnt|bueybd|c(hvayz|jhdky|rxgmy)|d(bhcvl|p(yrim|zbdq))|e(aqzjv|djtst|iprau|jkvud|zsfvc)|f(gqruc|isggm|mexsu)|g(abmks|dkmlu)|h(dnjfo|lrigz)|i(exzrm|qrrzg|wvznh|xbhiw|zuhuq)|j(d(ibvw|jeqr)|gnhmf|h(hotv|qdnr)|i(lrxp|mlst)|vsrws|wxjma|ygsai)|k(knbtz|mioqd|nsoyz|wvjag|zlrpv)|l(acxit|bpkpo|ejfuw|wperm)|m(dfwiy|nvxuk|pkjde)|n(gofma|irywy|vxsyr)|o(akimf|bghnl|rpahn)|p(bfbqs|cirpm|h(lmpb|vvfa)|mppml|ngjlp|s(kjnr|zyrt)|z(stbb|zlnb))|q(kbhug|qcszt)|r(gxcau|hctgs|nymyg|xudub)|s(bdjgg|ezsag|ilhfh|somoo|ylwsr)|t(iztqf|mhgtv|radgt|wkmzh)|u(fhmuk|jzpza|kxgal|onhoi|uourp)|v(azhyu|litjm)|w(bdhui|liljo|yhjqt)|x(gffbh|mgxtj)|y(bbrbg|cpzzw|x(icsi|uyut))|z(inypi|tyikz|wunba))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800025; rev:0;) # sid 1800026 includes 111 (0 - 111) 7 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.com)"; content:"|07|";content:"|03|com|00|";nocase;within: 10;pcre: 
"/(a(bmgdht|jyjsqc|k(adolx|kqaxj)|xqouoy)|b(boihkj|mjdjdp)|c(hvkrte|iopwvz|sghxdf|vglolm)|d(baactx|ltjrwp|qcwkgo|wmvelw)|elqdcpl|f(aosoqe|dftlwv|yqnxvp|zcflak)|g(dqhyxg|fxdoxl|jjlzpm|trjopb)|h(rplufz|tdxoot|vwqhdp)|i(cktefq|k(nybbl|sdhzy)|pnnijl|ssddaa)|j(dycjib|qicrmy|shzaor|xnkjfj)|k(hemkno|ojvkur|vquwwr)|l(gxzctv|oswpqt|qcmuqj|rdpygr|xmxwti|yxbaas)|mivxruy|n(f(dcndk|mkwlm)|ivldfg|p(jlmsd|wyxhr)|zajrrx)|o(f(njghd|qyhhp)|hnuaru|mfjmvk|vsjypz)|p(gvmdwi|nxtgaz|tdpket|wpjyed)|q(pwxnkr|rtrfgr|vzypxf|yvsfov|zjyrml)|r(s(kthnv|rkxnd)|tjisxo|wqxxbu)|s(c(bspcf|pintu)|ksrgbf|z(iwsac|lubrt))|t(a(gxdwy|wnzjz)|fnfxwe|h(esgcu|mlxku)|iernyo|oelhed|wqwuzz|yzxflu)|u(bvlpfg|fnmpxs|oqbvls|tmmrnd)|v(ineonu|mvkzoh|suydde|zzewdf)|w(azviaf|bacuwr|fsldzh|luffxa|oydjyl)|x(djpcxs|felbel)|y(d(glzvb|pzqus)|emvtcg|gdukwm|ozysvf|uahomj|xtjcrd)|z(bmxatm|hcqdyn|u(drgvb|qyzsg)|xzambd))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800026; rev:0;) # sid 1800027 includes 218 (0 - 218) 8 character domains in the ".com" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.com)"; content:"|08|";content:"|03|com|00|";nocase;within: 11;pcre: 
"/(a(cgxplen|qswtwmb|ukthsdd|vyuzbak|wdkevyh)|b(ezsvzpf|hgxslwz|qeexwso|smqqgck|urdyzhx|zihpngz)|c(bkzmxbu|fpffwnz|kmbligh|l(bvcvei|wnjkpp)|mbfwqek|nnqxjze|p(asjcga|ymrugh)|vzijyyt)|d(hwbzxqh|meysqcr|n(jqhfur|psujbn|ufangu)|puhnoqi|rpmvwyl|u(vjraro|wwcuev)|wlaijvr|yoouqvd)|e(appcljq|c(jkqnas|mxgsce)|ejrtzrg|fhxcdaj|hbeszwe|kiiuavn|mivbbff|npqjqbu|pwkqaob|sutqtvj|uuazgzb|vnftyus|xyzcrts|zpeztav)|f(aapames|dzonqrx|fzcboof|h(lctjmo|sstswy)|idhhjho|mteirja|otkmvaa|pcgokkf|rqwnruo|tbslbab)|g(corvmft|inpxsrw|kbzwfcy|n(ezfcsl|igqosy|rkqhfv)|rhpbtfu|ubportb|wcbfrxd|zbuzgak)|h(daznyee|mixpoki|p(btgulk|hpzdbb)|vbbdplo)|i(cztfixe|dirtxpl|gorkoik|pvrkykk|vckqjgu|wtejhwq|xgljkrl|zoqbyos)|j(a(bdvcqw|idlnhm|mrozes)|czgbwun|ejhdxwk|fqzhxey|jfmemmg|kejhatl|nuwkczn|pqnubgg|uyjjdxm|vxrlzpn|ysgukwf)|k(dmiasze|eixqfjd|fkoikgz|ifeimeq|jhmgnsj|l(bzkuzv|kmxtog)|n(appoiw|zezxln)|qefnaxx|yphofer)|l(ftaypcw|gydzbrf|nldlbgh|rcrdqob|smentxo|umubdwc|xwcgsuz|yxyugie)|m(byzncpg|gkqlrlb|nkjinla|prfyqyr|rgmvjxq|ukmktbs)|n(ijhtaox|j(miygto|onpfjp)|kedchqy|mnxiglh|nigqsyy|xmgwgby)|o(bhkvusv|egayrau|fyfhbhq|jtjddkp|l(hqilfe|jmclqg)|n(bvqkoj|lscvma)|otmtqae|qvdckpq|xzpkitp)|p(bdjrpkk|c(ohieyq|svjvcd)|ewjtmzr|gnztnin|jwetixp|pjkkyfz|txasmae|vdewrpl)|q(eahojvb|hcrcvaj|nepvnyi|rdrrlxk|sxeivsx|tbmhtzr)|r(afkqbyd|d(cszutu|jqownr)|f(deesry|qczmtl)|oqqvqrc|rsdfiur|tlgvsbu|wetoiko|yqxzcty)|s(clmtmct|edkmzgp|lvahkhn|mgvmkdp|nylypvt|olmaxpr|pzufxgx|tnqmjyz)|t(alnbhlp|nkjprzx|pgdkpjv|wiyhxlv)|u(fgnahag|owottva|qpocmyi|rtdwcew|tahikra|ugnbcdx|wqigcjz)|v(clswjqb|iecrkik|qiuygpe|rgoqyot|ssnitrn|twarykv|vuudmwr|zljnwli)|w(apowlqx|ekgfuxf|i(bsuoiv|clhowq|exvexd|iqojrh)|k(tsmmjr|vkdjlr)|lnszbqd|rnmevfu|whcbcni|yaxnexy)|x(onjjbnm|ryywddo)|y(dtcsvbu|jhnmyvd|ppvwckd|scuxpho|vadbxck|y(cmccfi|oviysa)|zdatvla)|z(hzgijco|kwkzokp|omtxafd|ryuanve|v(rqxial|uvmgeo)|yydopur))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800027; rev:0;) # sid 1800028 includes 113 (0 - 113) 9 character domains in the ".com" 
top level domain
# NOTE(review): the content window looks too small for the name this rule targets.
# content:"|09|" is the label-length octet, the 9-letter label follows it, and
# "|03|com|00|" is 5 bytes long, so in a query for <9 letters>.com the suffix ends
# 14 bytes after the length octet. `within: 12` ends the search 2 bytes earlier, so
# if `within` bounds the whole second match (the usual reading of the Snort manual)
# the two content checks cannot both hit on such a query and the pcre is never run.
# Replay a known lookup through the sensor to confirm; `distance:9; within:5;` on
# the second content would pin the suffix to the position right after the label.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.com)"; content:"|09|";content:"|03|com|00|";nocase;within: 12;pcre: "/(a(euufbtnh|ixduqmxb|sghlvkij|t(kpuddpw|rpvocry)|zgqvqevw)|b(dkqzegiw|eeirccas|jentvzbw|sampcjxc|tmzfufvi|zejbppve)|c(kfcuhnrn|ohsfwggk|qusiwtif|r(ggrtfpf|rnoopzv)|wtbcpdzx)|d(doegxjta|rfxqjcmb|tfrxazap|wljrbjjw)|e(b(buuwiyc|phfxxzp)|dhtppnig|exlifooo|fpznxxsa|ojygumsa|telbhwwt)|f(jggkekmf|lajwrxyv|vgjyfjvh)|g(cdrtajyg|ldsbitfl|ntcvjhyw|upwplgdi|wcespgov|zjddrbwy)|h(asfjojfv|opzspbbu|txtpkeuu)|i(fnnkasls|ol(tnwekp|ymghkq))|j(hwpfsjdd|j(hudjxxo|rezyhyr)|lskldbtz|nyojvxhu|ppyebxcx|ysifldtt|zadxxpqo)|krgtlwvon|l(geqvhecc|hxgjjrve|uhwerfsm)|m(aslnqqwe|dofmvbdf|etxonkwm|jwnoybbf|kdzgisjk|v(kkpkuhb|tjesvan))|o(nwiegcvz|xrgugolf)|p(g(ajclfqw|kgqqvso)|hionhdql|l(cptcqjl|myoskqb)|nowaayxr|rxsexgxb|swjxdfeu|tdjiasqf|ztvqgjmf)|q(oannyakv|uzwxckdf|xyzgnspv)|r(cziownth|todbdvcl|uskhlngd)|s(mfmltmoj|nxhgzscf|pgjeejxb|rjwfhbfo|vvmatkit|xgmnprmz)|t(cnhupykd|epnrnkun|ivjpcirp|umewmzmu)|u(gaazvewq|ovwjgizn|ppnhowvl|sxadarmv)|v(alzdgbsf|jxondoml|mawtnjld|ygrbrlxv)|w(gdjcvlvf|kdcxbete|vsqjknnv)|x(crhxwrvo|dteidyiw|loopavgv|pbbuplwr|ueudqloc)|y(bzrkprrl|decrmbuh|ohgqkpom|wilexikc)|z(ptgambnz|tzdqvtzi))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800028; rev:0;)
# sid 1800029 includes 108 (0 - 108) 10 character domains in the ".info" top level domain
# NOTE(review): same label-length-plus-3 window in the header below: `within: 13` for a
# 10-letter label followed by the 6-byte "|04|info|00|", which ends 16 bytes after the length octet.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.info)"; content:"|0a|";content:"|04|info|00|";nocase;within: 13;pcre: 
"/(a(gsalfvavu|jusevkoxk|kugzhcjvi|oghxomlrd|stcfropbf)|b(beislnsgx|drbmxkpep|fxnikbhpm|mclrexdim|osoqkzegp|wyiypkkzx|yebkdrxln)|c(agindwldu|yxqlqetkz)|dkgluspjxy|e(bneiezepm|crzfrhdcf|jysgnqeze|rmujhvqpk|vuybuexuw|wfdzzidwp|ydhiuqvjk)|f(byjvlwxyd|ddpbfxyye|nneldnrrk|o(qhoibane|sibqcgmd)|vpcbozhch)|gkbzkhwkgm|h(cvogsuxgg|tfbkmhply)|i(eoffqovta|mzgslvkdw|xcvsixkbv|ztcjhsjjm)|j(abckeofdi|lhvtjrqgh|v(epsoqivk|wcrgyjkh)|xgdvhqvuy|yesywspbw)|k(d(nzuuzege|rbgmtwuv|sgsjowet)|fnihjmics|gyjnowjge|qigshunns|wggzmqdyy)|l(twwvbyorw|xqtljlcht|zvqagvtvp)|m(fvtiudwwi|hztcumwlu|rgesqhwko|sqibulnes|zozrvtfqe)|n(iqcvqrbjc|puelamonq|xxvvfjwrf)|o(kzfucipyr|o(dpsikbhx|gqgycqss)|ppzriiqtm)|p(i(fvbcnerk|gwshfcze)|mzznlgwls|tpgteqrzl)|q(doujdxfkv|uzvccfmdv|yjltabsst)|r(btecgfirq|hrahyqpsw|uzegzybxv|wfgarryuy)|s(l(btqhyncj|xpfijgkz)|ppxdumavx)|t(jvefqxqlr|mkexwuqjf|vlkfranbj|xjgvcfekb)|u(ajnpswdqt|beeiukdvt|iswfyjxcc|orfhkepws|zsxgxyhbz)|v(cpszndgka|qbdbdpqbq|rubpihsie|s(fmbniupz|nxgaelfa)|zlfvfvezh)|w(akhxbdmtf|bqzfcuyro|cahkwnptg|e(onzjsfkp|prtcnohd)|gikdfuxvk|norqcsdsi|s(hwtnllsr|jiyynagm))|x(iparekzsg|jrdzxmpvt|rvvhixdfy)|y(hdcptopaf|qcxxjbpay|umhjdufns|zrifnmukv))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800029; rev:0;) # sid 1800030 includes 107 (0 - 107) 11 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.info)"; content:"|0b|";content:"|04|info|00|";nocase;within: 14;pcre: 
"/(a(cgmebtwmmp|hmluldaxhd|kkbnmghmgp|rlzzjfacbn|ywsxsnmobs)|bbxqplnjhxa|c(rrrmomocxo|utiaettxgb)|d(blzkynqmcs|q(wwtaywbhi|xfgimcrbg)|urvytbeuio)|ebtjondleqw|f(mjseeaebra|prwsonuoog|v(abohzyilh|faqdwfkck))|g(dpsogumtwh|fgfsyqfbsc|rrvockqnmb|woypupwolv)|haanbutwuar|j(ihjohensha|jnbonpddws|lovoypgyqa)|k(ffqiyleidb|iojxtduwkx|l(vjhlqdjnt|wippuwyww)|nfjhsstibw|rkyolxxori|vhowuxsrgv)|lyosgrojluf|m(gnslenjfpf|hpdlmpivsz|xmqjzhyqdw)|n(asprbydngk|coowydqaqe|fgjxdvpfqz|gnnxyvdjri|hteuyuoogk|idlnyceyrl|t(jxesyrhsy|rieugsqmu))|o(bidhyeckde|droramzprf|ixtgyuercx|kkdsvolpkq|lrutghdiaw|napcsjyfqo|puifiqlgaj)|p(t(ajknqazsg|tryvuhfpl)|ugtlizpukh)|q(bjeznsdcwf|httgwjumgy|inenxowbfq|kwkisxjrda|s(phossoosm|xcmwzhazv)|vfgggsqtng)|r(dvawqzqijj|gdcynmhntg|ncmbpeafbp|uldhmqxjcx|vbslbhdvrf)|s(bakzupwmng|ddqcvwejja|s(mfcaqxjux|yysilqyia)|wdyhkqbohy)|t(ernejxaejt|jwzznowwui|qtnrxkweyx|uhtxdoajob|vxwoajfwad)|u(aneenztbom|rksolrnpen|tlojstinfb|urcnwltksv|xrmhfgorzv|znqdyrfxig)|v(jlgzxjsqmy|lypmcfvyoj|n(fofosikdn|vwemcjnme)|qjxnfzgwpf|rrwkskscbo|uraosyhqnk|w(rooxouznd|wqlgpnyna)|yplikblxxc)|x(giwdsgcpyl|qrivxkwont)|y(fgqozvpbwn|lyhrkjcvtt|ufqprkpnsf)|z(ggltknyouj|hjyjoofqlq|j(jxdtnujmh|xpwpgxkfq)|p(kltchysba|lvwmajnuq)|sonstovgzr|tlwmkfvkjf|uzuyrqpmxr|yiohipakcn))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800030; rev:0;) # sid 1800031 includes 90 (0 - 90) 5 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.info)"; content:"|05|";content:"|04|info|00|";nocase;within: 8;pcre: 
"/(a(pycc|syff|znuy)|c(bidz|scua|zhaq)|d(i(cio|xyw)|jjvi|lpct|x(gmp|zcf)|ykhx)|e(mxjo|opkn)|f(eyyf|iggq|jwbg|w(quo|tav))|g(mycf|nnmz|vlaa)|h(bvfi|d(hvq|xxi)|omce|qkxc)|i(fxjx|rhqx|ulje)|j(jiwi|lekv|tfpb)|k(gqyd|lczi|xkkh)|l(ibau|tptp|xnqt|zzyb)|m(cipw|daav|elmu|hsis|tikx)|n(q(cct|kyy)|uqpq)|ommse|p(besk|e(dab|qsw|you)|ifme|regr)|q(dqcj|kmgw|nurw|oabx|rlnw|vueu)|r(acsx|glmx|jdii|qqku)|s(b(tjn|vgg)|wpor)|t(edmy|hnry|i(nyi|pfu))|u(dokf|lyfi|vkwq)|v(asfb|fscb|hfai)|w(lmza|rxks)|x(hqza|khdy|lykv)|y(ckvo|pesg|vxzn)|z(pryh|qvjb|tmje))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800031; rev:0;) # sid 1800032 includes 102 (0 - 102) 6 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.info)"; content:"|06|";content:"|04|info|00|";nocase;within: 9;pcre: "/(a(gtlri|pyyay)|b(eqbhz|iomzm|ttyaq|xsmhr)|d(qentt|w(mles|vofs|wbib))|ebtxxa|f(l(febt|wbsm)|nidfz)|g(cdtgi|snqpx|yjqxz)|h(hwoym|korhz|nbrkv|rmyef|yuolk)|iwccyx|j(awedt|ditsr|hirru|wztbl)|k(b(cnyg|kcck)|d(eaeh|rjek)|hxcpo|iwrta|kglvs|obsus|quxcv)|l(fhfip|ilvmg|jagwg|okfjm|qvlqs|xgebl)|m(bpgqm|hzhhw|oscej|v(glvs|ujps)|zjchh)|n(anvar|codjj|hkrds|mwxfs)|o(bapte|jrnbm)|p(azndc|lihtv|qovrf|sowcm|tafuh|wgimx|ywett)|qoimnv|r(akaxu|jjgyb|o(ftjc|zkig)|vavwk|ybkid)|s(c(fsyn|njeg)|efcfa|ndfqy|pjask|tvlyz|wmmvd|xyoll)|t(lwosy|ommhm)|u(bgmrw|ffput|zfwob)|v(ihxht|uphfe)|w(cduvz|dlsie|hpknp|moyqa|vwoiq|wqggh)|x(jnpta|mguae|oxrmb)|y(bidhb|gmmvz|khmfg)|z(asquv|bgnrk|dksja|ggdwl|n(uogf|zfmv)|oirzz))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800032; rev:0;) # sid 1800033 includes 111 (0 - 111) 7 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.info)"; content:"|07|";content:"|04|info|00|";nocase;within: 10;pcre: 
"/(a(iczfzc|kzxbye|lhtkmz|o(emgmz|oqrgc)|qffqxw|uhnzbf)|b(mmxppp|ttdpbp|uczkaj|vpqliq)|c(cekdbs|jadofz|khexsd|q(tbedw|yuhwq)|uqtymd|wqwzhi)|d(dcbfvl|oauwgl|rspujt|skprnd|tu(puwa|tfnw))|e(aqrujq|dmgotp|ilaxjg|o(r(pivy|uaav)|wevoo)|xjerwi|ztdsxh)|g(vqygpo|xcstwr|zsigac)|h(a(icqng|ygzig)|pcifaq|qwcmaz)|i(adwxhf|bnoirv|ggepgp|iopjpl|yqkpow)|jfdesaw|k(bqjfej|m(eypjz|naavb)|ulsvon)|l(abswbl|q(pmoou|qksbh)|y(guudv|qxnsl))|m(cftdle|dndmze|wsoqwp)|n(bwuozs|kttqnz|nbjppf|peeqka|tpqwjq|zznpge)|o(behqyl|fdrkim|jpxsaq|oiteqa|pgbuuq|qedfns|ypjnyo)|p(lafeaw|ulpmpy|wrdlvf)|r(elrzcn|ibnhdd|ugpnqj)|s(iswyys|kemtel|mkdzas|omhljq|pdnlov|qalakc|vlfxvm|ynbzqr)|u(kqwemk|wgdzbx|yirxqr)|v(aexmpw|ggnylv|jtapco|p(pxyts|stnlx)|rhgjrm|w(bvabm|lfawc))|x(fvjjlg|mxavpz|uxldhu|xhddhr)|y(girany|pwpggu|sqlxmr)|z(c(lryxi|tibhw)|mqsofn|qtaxae|rjnqly|viyvvu|wttfhf|yghrku|zpvqqq))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800033; rev:0;) # sid 1800034 includes 218 (0 - 218) 8 character domains in the ".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.info)"; content:"|08|";content:"|04|info|00|";nocase;within: 11;pcre: 
"/(a(celjhpb|lvjftba|vgcnnac)|b(cqslndj|evtaxpw|ggxcdbp|h(btvtbx|mrhcuz)|ijtplhk|lyrsatd|wpgoeem)|c(djfvcup|g(ilyjva|pnuliu)|ifjbtke|jzsnnec|kfkxkic|slrwnkh|vrykzax|ycgihaj|zotvdbl)|d(dszbzed|g(dedndh|iaptmj|zbkest)|jsayhjv|ploqubg|sonuguc|ujskwcn|vaqkzfp|ygsgcjj|zzadxgr)|e(afwpiaw|eyssslc|kbzzrru|nlbalyp|rpdmffu|xuqrnur|yuqrqss)|f(aekgbji|ecbhynd|gjispkn|tupxbdb|v(foiwxi|puqxjf|tiibvf)|wisafiu|zjnilsx)|g(dppqdcc|mvpoolv|r(cvdfps|fjmicp)|vxionig|wvflctn|xgutnyf)|h(citmaje|invlamb|n(rajnff|thmhci)|rwypfie|vcthxzw|zcrecio)|i(dblbcud|invgqqg|onhpanp|qjbvesw|srdvprl|yonguda)|j(epnmsku|hwxuiwa|k(jickip|ltoeid)|qgcrbsy|rhxnvof|tydjmpz|yfzrdnv)|k(fhthppe|ghudljm|kyhuxsx|rpucnkn|sdwngsj|tuipkox|youuzjw|znbxxjl)|l(bzhloql|djadfao|evkkxfx|i(laqgzv|sqdbpp)|lzeiptp|nyzxnau|rpopiir|svppptj|tmewvkv|xfacgnj)|m(cwpxpdz|gfzdmbc|jqicajd|l(qrtrdn|yffffy)|qozqzag|s(btvnlm|xeexip)|uxkdepx|xxbclpy|ytzttva)|n(b(pvdelb|qneusf)|cefmsid|gknrlga|k(khqbbv|zlsppd)|mnjmwgy|tyrmvae|uesjksh|vvqskhb)|o(efdwwuj|fgjfbrb|lvmjhie|qvnrbpo|xshpfhj|yanhrxu)|p(hhqibjf|nmglysn|oiuklft|rj(jtzvu|xytaz)|ybsxwqz|zszkeqw)|q(dfyhwsj|ekdrpuk|iemhukm|jpearsx|ksanemv|l(fdkrct|lpfooy)|o(dltlxq|kjsrql)|pxysphd|uwhdjti|wfcxgnc|x(kvlqwi|tjbnjh))|r(bekhsjm|dbauksv|fejugue|i(hbrnoa|qknkgj)|mpvverw|niousog|peychzz|qaxubzq|rhovohs|u(afhrzv|kfugqs|umtptj)|ynvoara)|s(czwwxhl|gntwzrr|kcyikvd|tmxnlyn|vvefxal|wbemops|yunjiyy|zrkexnx)|t(efyuyjz|f(cvbmab|ixdiwu)|hslqpqy|ihdxuyc|nuxckwi|pksdgdw|ryfhkfn|sycqmvg|w(dpjzbj|gwehjx))|u(jpthkga|kmpxytz|ligasxj|obezqzg|p(ghkiye|wiyquy)|tdqhiex|vvaipuj|x(spcbmj|tjksje|ulkhuv)|yzlvwfb)|v(cqztqbj|d(tmjhqy|xssrdc)|glwbgkd|novsiyi|zyzblan)|w(esgfnul|fjsbzzw|hozgfgo|jzvlpbb|oynkuri|vaniodf|xnollmx)|x(dq(ufheh|zyayi)|wjzhtjp|zctegku)|y(fzklaex|j(clmiyt|yqctsg)|mlwifld|qkakhmh|rpgqoqu|sfuiqst|zudycfi)|z(gggppln|lppnkvr|nibgzjx|qjulbsu|tmeexmr))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800034; rev:0;) # sid 1800035 includes 125 (0 - 125) 9 character domains in the 
".info" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.info)"; content:"|09|";content:"|04|info|00|";nocase;within: 12;pcre: "/(a(efkbyksr|tvsrizwy|ukrsemje)|b(azemwujt|coihzusg|eyaggbtd|ouvzjefe|uhclciem|xosdqtjl|yeqfekyr)|c(axzmxaeg|bsmfmyeg|nwmnonpo|opcmxvvh|wvenakhd)|d(iftnyxev|vmcibmur|wnabrhzx|y(iwpuasz|xjmxztc))|e(bocpvzeh|dqtbltiq|eokupkkv|g(cudvhgf|dspjpfl)|mfhcurlg)|f(eshsqumn|kmkqgjtx)|g(hfjjdqsb|iedglnvc|lwcyfphg|npjhuvfw|tntdfpac|ulochwlf|xkchtkxx)|h(egygawvo|nermdtkd|uplaiubl|wqmildox)|i(deetwrwy|hszwuvxj|qymrsnpj|uiwmyzfv|wiksokfc|xnvjpkdv|zxzwpiep)|j(rhcbsuow|tcsiupbx)|k(dbgcsdgi|qfjjrcrs)|l(efphevoo|gpwfrtwg|pwtdzbvm|raimnezh|uhiivbou)|m(fuvsyglt|r(kvlvkcs|vwayvvi)|tjdqobmf)|n(bwijmcrv|hvsxbrvo|nthrgfwp|ohdybzjf|uklxlmrl|yfeqvhhq)|o(anpghncr|ozamywwi|qodnnuux|xucdsstx)|pifedkvwz|q(edckhvug|ifpvwidp|piyveyem|qulhbnqr|xenfobwl|ybdhoaha|zleqgznf)|r(dprelwvb|ewjywqqo|ugpyolul|vbfbogka|xixiiuue)|s(hcgasmdx|ofguqubt|s(etffuvs|ufijjwb)|vvibknhg|wfcssglq)|t(dymddlff|e(bvspufw|wipgyjp)|potbxzpo|qnaeermt|rwvnulzy|wmabfjya|x(bhanwri|pkkokog)|ydokfamq)|u(kwvwfaiu|pcthasiy|ubjjpmxz)|v(ctfuwpev|ggcvrzqf|sacmlzsp|u(ildthqw|jyjleli)|ymavkyhw)|w(higezriq|k(bvdauis|npnwvgl)|qmxcrfkx)|xt(bnbovhe|wnkmbhs)|y(amkrmwsi|p(fkpseno|nttkrum)|rinxisdg|ujnjqjse|xmqplyne)|z(bugoulmg|oqlwoqdg|pgyjthkw|rmcuychv|utkhvyph|zmxeytsr))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800035; rev:0;) # sid 1800036 includes 107 (0 - 107) 10 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.net)"; content:"|0a|";content:"|03|net|00|";nocase;within: 13;pcre: 
"/(a(adogtgywq|dstkxadce|h(awjyscjw|bxkicgou)|iguaeiiyn|lbfcrrxbc)|b(bjeyzudfy|duksxwovl|lvnguwjji)|c(jzylrhnyr|suqeskliy|urwsdpxhf|vjfxfolju)|d(qnothvocj|renhlkoqo|sxlhkotjn|vtrtcrzul|zjegfehru)|ekviizvdof|fj(ivvjxomd|ojaqjpal|pvduuytn)|g(glaoubbyx|hvcaswhuh|jnfgxhymm|mojbolexq|ujhsyisqj)|hrzajnbvyp|i(iyruifshj|kliomeyia|mlmvsmeqg)|j(dwfmswtqn|eogvtmpkw|svsvxhhji)|k(atifafuar|emxyqqvwm|mldbkdzuq|qciogecta|valczyrqx)|llqkvwuwjn|m(bvcslynaj|dzzukorvc|nwnakghxo|rklmakknn|w(jlsssawr|znmxlggg))|n(djvtcsyrd|eoqvxrvfr|orelvuzfe|qpeffcnrz)|o(ftdrssvhz|qwrflyhrh|wjawshaih|xpuoootny)|p(bbdxcunuq|jnevopquf|knmjtjcxc|slyfarvil|tratbfswi|veervbudc|wyktiugsl|ywyrxsoyo)|q(uszmfjxua|z(ivyjquml|pbloczji))|r(gchrvllei|w(eccbkpzr|mwqdsvqr))|s(c(ipqzxrer|lqaespjj)|ijvoeskno|jytbweiau|mvrvxlltv|toyqvmgnn|zbptthxxz)|t(etdazdemi|lndeejpds|y(nydhcexa|ptgoruqt))|u(ctrusufjz|fpxknzxnb)|v(bssgsgybj|dmykunuce|l(eymecsnw|zhbjngjm)|tyneumdae)|w(cvefnxyed|keezcsvft|lninxzpry|prbrimehm|rcknvxkwf|siyqwajpj|vqxqsyymq|xiqylrilq)|x(lzpvixoiz|msbzwrkin|upjnovhom)|y(dgppkrxyr|qccbtgjnb|xxvynxrrc)|z(cechlasbx|ddomeoygh|icumelxge|l(bbdijtaw|dvitucgr)|mrhggnywy|ocgpgbixi))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800036; rev:0;) # sid 1800037 includes 125 (0 - 125) 11 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.net)"; content:"|0b|";content:"|03|net|00|";nocase;within: 14;pcre: 
"/(a(aqcxvmpasm|ibhevfxtbq|uxxxxkqtwz)|b(bsobbqxoom|criapbknlf|mayvsqpiih|scqfcdfqrj|zoshunxdio)|c(nhxltgtswa|vgnhfhgoyk|wwpfcmxrvp|xwyvmpzcgg)|d(gmwqcgdljw|mtmxupfeur|pzbtccgswk|vkyoywyepa)|e(ohlchnfoha|r(boymlxlcw|janqsuwri)|s(lgxrzolyu|tbwdniqbs)|uaflifduyc|vptchlqcfx)|f(efshrvghtk|hfmsgixznq|jfdymmeelh|nmlhwdfhmo)|g(leccseuyxm|mqwohjofda|roprlhvbug|yzfososjbn)|h(dgblieiumf|fkkwmczvxb|luriudgpxc|pzehnuvyww|qhamuipuod|x(dhhxwcgxv|qwcjkcgsf))|i(ameifnjkqx|jjlghqdnfr|k(kuhgejyjq|qxqpcbytu)|lxdhiyphqw|nosdsvppzg|qmeoiopqnf|sgfrlexwsh|t(hbxuynrhf|ijqfnycgb)|u(abxcnifae|nyjiqpjck)|xydnwzoypf|yyaguwfnfs)|j(ccwlxvqtjv|kksaiurzct|poazbdbxqn|tcwtgktgnq|xfmlmocanh)|k(rkxsfnewph|zcovjoobnl)|l(ayxzdlrsmk|fcaxwpgvfx|oyzloynwrh|rrkcmirgqz|tawctpzslx)|m(fzxmdimdwf|gbfexsezhd|omkvzbskyw|rpwsrceckb)|n(aefajswurq|qhnthklobr|urvxpjzpkr)|o(blystkuckq|dwlzsdyayb|fkrzffsnlj|hbuqevllgb|qrhxreiuvj|rpemlcudgx)|p(fntajhsyim|imqvsyxbgf)|q(a(aumeimjgn|skyfvghpv)|ezcylybpes|kwtuqsvosx|tznkfhtubt|yebtoqbjfk)|r(mjdpkwptlz|suwwqeavwk|uqokftfajk)|s(e(xleluipbl|ydyurxviy)|k(cyjnhyepe|ilxwvitvx)|r(siugzezhh|wepeuiqvj)|uesywytrkn)|t(cmtxyktjzn|dzodwfldqh|gboedaobyl|unpxrzrdyc)|u(avdrxponer|etplwwcdmy)|v(ibyewhrkna|jpejpftzlf|ovtrjccrsl|qotwoktgfz|unmterotnw)|w(eusmtyrqtu|jujqikaeln|mrgfsvntrt|osrockrpzj|vfobdwhveb|wouhqhnjva|xkxwajermu)|x(fgjrzyrvuc|hhgkpikdre|lfjsnkjpsl|mphimfexan|puxbfskdml)|y(eevkmesyeq|ilxgkzkgkq|rthnvyrmdt|ycmfdoctbo)|z(dhbshwfrqz|pqcdldqarz|yotkfbrybu))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800037; rev:0;) # sid 1800038 includes 110 (0 - 110) 5 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.net)"; content:"|05|";content:"|03|net|00|";nocase;within: 8;pcre: 
"/(a(agvz|khjs|qxns|sndw)|b(dpbx|haxe|nsbx|ocgc|tiak|wczx)|c(hpxy|togu)|d(bbcb|fkxl|gqut|liep|ogri)|e(dltu|iyqa|lkfe|oiep|ymcq)|f(blqc|fxuf|iulu|ryuy|xpeq)|g(asvc|epdx|ioke|khaj|pgcp|vnja|ysdx|zxjw)|h(gpwm|z(jbn|mev))|i(hocb|rlja|tkhv|vaja)|j(siwx|tktu|yypl)|k(hrbs|nxjt|pwus|rhtb|uklv)|l(gyzi|hgwx|jlod|nfjl|rvqf|uvml)|m(akbw|dqdb|epoe|qcxc|vfvj|ydvx)|n(ajrp|bupy|ckzk|rlwg|tsbd|wahq)|o(katg|q(naj|shl)|sqya|ug(qp|xb))|p(fxhr|ntwu)|q(guxq|irgo|zlfh)|r(jcbd|mhyh|nsbb|tqgn)|s(hyvo|lrhg|qhos|stpu|zpeb)|t(fifi|htad)|u(djxu|mluy|ogmr|pzsy|rcve|vmfy|ypye|zvlv)|v(nuqq|oabb|vhpv)|w(bajb|rllp)|xvwla|y(fjqp|yivf)|z(eotq|jwwq|r(czd|mgk)))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800038; rev:0;) # sid 1800039 includes 117 (0 - 117) 6 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.net)"; content:"|06|";content:"|03|net|00|";nocase;within: 9;pcre: "/(a(agofl|dboov|ehrbb)|b(gqhrd|myhrg|wijdj)|c(gcvdb|jdscb|lhuso|uivth|zonus)|dcgxqw|elbcqd|f(a(deie|nqha)|ctvmw|kvoqh|pvmss|tdlqh)|g(cldgq|vrkul)|h(e(bptv|ulka)|noydi|oydby|rwrus|yiqej|zglxr)|i(nkkmd|obboe|qlvjs|rfinh)|j(akcuf|cmihq|hcxjl)|k(bfgkd|m(kejz|udwd)|orbrc)|l(iylpe|nnffu|vihum|ywxdl|zjvpm)|m(gbipb|hdngy|jiawe|l(tqzt|yeem)|sexzr)|n(myqyz|pzqkj|svzvw|z(nqxf|omay))|o(ggojd|j(chbr|hlsq))|q(a(ftkr|sxda)|brtoc|cnpdp|tomwj|zgnxw)|s(fwdoh|hsicq|nrwfw|vgohz|yiqhl)|t(etbkm|fhzlr|nlmtx|qrbgf|xnolh|yaeyf)|u(hepry|mjrct|nbhkg|uazku|xzohv)|v(ddiqr|e(lbll|zihx)|n(ccge|qgih)|omzyf|xerdo|yzvxu)|w(alwzm|cwcea|ibsai|mcdgj|suket)|x(cidgt|gwbws|hmfmm|rgxmv|s(ayxr|pjsd)|vasux)|y(dwcfs|iovbk|ktttj|lbytp|oarqr|pjfrw|qeouk|r(gcmu|zpmc)|seyfv|x(brec|tiia))|z(horlp|iqnyn|mgysq|pvedw|rhpzz))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800039; rev:0;) # sid 1800040 includes 106 (0 - 106) 7 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 
(msg:"Conficker DNS lookup chars (.net)"; content:"|07|";content:"|03|net|00|";nocase;within: 10;pcre: "/(amibfgw|bdeehxc|c(lzsuxp|mjismw|pawukh|qcbnse)|ddzfogg|e(gzvdrp|uqzgfm|yfepuy)|f(anbofa|lkikcd|rozkbt|spienu|vorxzy|wnwfqe)|g(acbpih|gftslt|hjdkrg|lbmdcg|opfgie|qztrfz|rmsjmb)|h(idyjov|jxkmma|skyfyt|xeiofq)|i(lmslht|pygmwg|qkxvqb|rqcrig|zzfmhi)|j(btcwcz|cutnre|ewjpmp|nvdomb|qohmoi)|k(c(fqgdj|oqaac)|gssnhi)|l(ihwxrb|lybsti|rveyml|sjarjt|xdlenc)|m(iojere|mghogm|rcgikc)|n(gcrxsu|kelxhu)|o(aztenc|bhmpfi|crelli|fvafnn|lwewzl|qdnlrv|syzzoh|tcyhpx|v(lnnan|thwzd)|wmfpfr|xlvyfe)|p(cezpmk|mecvyb|pkpjeu)|q(u(ijpkm|luaum)|zxydhk)|r(enxmbz|h(ehnaj|ztuit)|iynlba|kfunmd|rsdvsj|scstrg|thetwm)|s(lssfkn|oepchc|rxjzio)|t(cgkchw|q(jhjpk|rvcxo)|zprbjc)|u(mdnoct|pmulhd|vslvfs|xlzgnr|y(eyaru|yghgb))|v(evngpv|jkhxcm|rlrqeh)|w(hbzalb|scnhuf|vwcyhi|xkpxxz)|x(camfhy|mlpihy|pvxrtc|wvaial)|y(fdourt|oxbvfu|wzlkcp)|z(nikwuy|ugsqsq|ygibeq))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800040; rev:0;)
# NOTE(review), sid 1800040 (the rule ending on the line above): the pcre carries only
# the /i flag. Without R it is not relative to the content matches, and it has no
# anchors, so any of the listed strings anywhere in the payload satisfies it,
# including inside a longer label. Binding it to the wire form of the name, e.g.
# /\x07(...)\x03net\x00/i, would check the length octet, the label and the TLD
# together. `nocase` as placed modifies only the second content ("|03|net|00|").
# sid 1800041 includes 208 (0 - 208) 8 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.net)"; content:"|08|";content:"|03|net|00|";nocase;within: 11;pcre: 
"/(a(aadokfn|hlxicrj|iojcnip|l(jluexo|vfmtyl)|qgwvklz|wfrudpz|ychrjrq)|b(fvmyjzl|npzhtyd|o(mjfurf|rpbawx)|qwvxaes|rhusyvk|styghgg|urpqotr)|c(f(kwvepm|pmwyxx)|ozscdqh|tmwyygc|v(qtdgis|tzgkzy)|ycrsaem)|d(kxvwteb|lsmvxql|sveywic|uwcxujb|wcnxzru)|e(dxbacod|i(mcckjs|vshxfc)|jrpafnv|kjnvxtf|lbeutnj|oixwdrf|pwsbtes|y(ofbcim|remptj))|f(a(bzakwz|gmdmrz|uzmpoh)|cmsatik|kskyuwk|lyewxvj|m(erekew|jmpppo|kluvqk)|qbveufj|ujwnjem|vducacq|zcstkaf)|g(cunzsuv|hjcauha|jmkkxsu|mnxhtuk|rxoiwkl|yoyfrks)|h(alwmlpn|bkvvpzo|lxrrtzc|sfdkobm|xzlpqcz)|i(ioqyztv|m(fopvwy|snquvl)|wfdncsc|yjlxqnd)|j(eqrdwgk|hwkxfto|mzbsfdi|o(jkqzqg|nonzqx)|rsjvysq|s(hhubvb|udsdqs)|tgxbsjb)|k(d(wojboy|ywjcvf)|j(aiiokb|n(iifil|nbsgv))|kwyfsnm|ljdmivs|mosedju|prejxre|ueosxtp|z(ccgbcb|npfaks))|l(b(cdyiaf|sdttye)|dttpgbn|l(bqhwaa|juaywj)|nznoplv|pcjlpaa|rebbebg|tltrqrf|wuldrah|ydjdghk)|m(albdjkx|exiwgyu|fmaivwv|gdqpmyd|h(dgmupo|q(mwrwz|tofwt))|lilkizb|uowrkoz)|n(d(dnwpae|lrqtjo)|nmkuzok|omefzvl|qjhourq|rymqjhc|spsfmty|tzrvwpz|wmetnxe)|o(brwroqr|cloqgxd|exsfppc|myblwst|o(enjbdp|kovwml)|vxffupv)|p(anlxsvs|j(jjamzy|xiglmb)|kedutyz|mriiidb|nvekrsi|oanzsug|qaroidl|szasugv|ymssfad)|q(bupwqpp|jsadoxp|nywyohh|o(iwnsds|rtwaop)|qxxwmvc|szdsach|tqkzrdq|vwckjrf|xstvnsd|zpvisbi)|r(ktgbmry|rjmfzxb|uuhvtto|wiyqzly)|s(cdfpwon|kgmqkpg|ymgojsh|zkxcfuo)|t(dxdunvz|fzulmlx|gcgikjn|lbbalyz|onpusaf|zwarqjb)|u(cqrsken|lvlpxdw|otzjjnk|tlannep|wuounkr|yxmoxyj|zuosebt)|v(aogjyxq|bpeqzpt|dygyoqe|fjhftwm|klqfsex|pldhuci|qzhnzta|szdkanx|tuaadhk)|w(cwidsgf|dbgtuwp|f(kvsxro|luedra)|kbtsutp|zzslteh)|x(dcxwqcz|gfrdqez|m(gstrtk|jnaifd)|neyfpbm|oyyoyga|qscazit|tljqkbw|uhagghw|v(cqjmuf|pqmsha)|zdcxhtc)|y(b(jtdvji|psbdzf)|jbqbnto|mtvjedm|nyewrpa|pwdmaae|rwckmdl|xzklmdk)|z(a(plicub|tvtwot)|efigoxg|pyrfuwg|xwaexvh|z(imgszj|ubgfjx)))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800041; rev:0;) # sid 1800042 includes 105 (0 - 105) 9 character domains in the ".net" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> 
$DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.net)"; content:"|09|";content:"|03|net|00|";nocase;within: 12;pcre: "/(a(g(yierylu|zcepomb)|rsgplnlt|zwhncvwo)|b(dvxwgucq|emleovjb|f(geenioc|jzshnjd)|oufkzwpy)|c(j(ccmrlcw|txdxiap)|lqfoyiqv|qb(ihtrgy|owjcaq)|wtsissho)|d(gzmnsfbk|hrqsdbdd|pxauholm|vmjuelyt)|e(bzumivrs|clcunxqt|mzvvgaxd|rwzqexkl)|f(dkzqshlc|klqtolcx|lpxdmxwf|qbkhqvjb|teawcqph|u(ukzsmrm|zhimwuw)|xnjmuufm)|gl(kxmcqnl|tpfujkx)|h(isyrxosw|nrrvispp)|i(faywsqwt|gjcqphru|h(dmxpsht|ngdvznq)|rsfwpqov|xhktokfy)|j(apjkhjgm|eioptflu|ycchzeam)|k(bhfjkugg|epgojljz|lsrpmfwz|tecbbfcd)|l(fwknnsae|sqkxxcdn)|m(nvfztxkw|xlinrsbi)|n(cqipwoxf|hdjajobu|lknizuti|rajlflbs|wrunarxn|zpeuqudl)|o(cbwwbujl|g(fsjpnpq|zdqsmyb)|psqtiryy|rkjzzetp|v(tntisdr|yokyeoa))|prkfpvwgq|q(lvxbtedi|uiarcmzv|wjuegxqh)|r(bzidpwqe|dhclmucp|kgygiuqa|oyvtamqn|r(ewefjtj|tzzdnqq)|xpglvszy|yfzqwwqj)|s(cbzfnzjb|gsehctxx|jupvoufz|ncktoorc)|t(dkxbpmfi|guhxgmcs|xkzcsjfd)|u(qxdowupi|rzrnxavs)|v(c(hmbilga|kczwjmw)|hbmwpzur|nfelxpqv|sdybsmkb)|w(pdbrkjfz|qbjvpohm)|x(bunpivzp|dhnjwwxv|i(riatxsu|soeccem)|q(hprnzly|yppogvu)|ukspudjb|xgurupno|ywsouuhr)|y(lchagzsl|nqfpmquu)|zirzrofbz)/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800042; rev:0;)
# sid 1800043 includes 111 (0 - 111) 10 character domains in the ".org" top level domain
# NOTE(review): what the header below (the same one the neighbouring rules use) covers:
#  - `alert udp ... -> $DNS_SERVERS 53` inspects only UDP queries addressed to hosts
#    in $DNS_SERVERS; lookups sent to any other resolver, or over TCP/53, are not seen.
#  - the source `![$SMTP_SERVERS,$DNS_SERVERS]` skips queries that originate from the
#    mail and DNS servers themselves, so an infected host in either group is not reported.
#  - presumably the sensor must sit on the client-to-resolver path for the alert's
#    source address to be the querying client; confirm sensor placement.
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.org)"; content:"|0a|";content:"|03|org|00|";nocase;within: 13;pcre: 
"/(a(auarayugo|gqwxyrnrz|ifyuecaio|l(cflfkkcx|hdqermly))|b(auxplgjxp|rphzjgsvy|zcjakjlrw)|c(edwinlpju|gzstdvjvo|iuqkoittj|loyokykht|rlktqwtcg)|d(azvzrdvco|fnmnvmaor|ouamzdigf|pxguvmfzr|qcxzriyap|upqgxxvgc)|e(inaznafga|nmdsqmmtn|ozbpjuavh|uillfblzb|zzueuzssy)|f(aprflntms|dxtmsibkg|f(glhuufcl|jpuzmbgk)|j(nagfxyyd|tyeszlwt|voiyhmwv)|lehmqcayh)|g(feomzdkwj|iletyuffs|jxhwehosx|koletizbc|qbrawifat|yostnznbn)|h(vdmlfvloj|yrgepvzsp|zxancitjk)|i(aprpgsvsz|dxyyslyln)|j(fgcvbglub|irdqocobd|opfqajgxs|tbcpmafbo|y(ikqhhkhs|vmjuzamc))|kcgzznepby|l(c(acrfgplm|hcghpdki)|l(msbubdlo|pklfnfkq)|nindbrozr|rfbslewzb|ulpoqrtqm)|m(iwdfajlua|t(dztaiapu|fbqyygsa)|ztxwzgrwr)|n(f(qwfjjthe|wilivcyo)|qpcjzylew|zzxgfprfb)|o(e(oxgylsur|pokblako)|hqdrovfzf)|p(cvruhhxcq|e(apwpxmka|wqzaglwd)|tlbnukuex)|q(abmrvnvnl|cxrzjkibk|jzsjizrql|roqhapisu)|r(ikxptlxql|mzyhnwtmn|qxfbvifxf|xvyilttrl|ymsnlkiyx)|s(ctecuktoz|fzejfxgkd|numkrdchs|uytoaiowz|ykqsbjrva)|t(mwcxpmcfz|sjzgxuzez|uffguigcu|vilqlxvso|zypvofmcb)|u(eohrxmapc|zslyemkgp)|v(jyqkabkmo|mlqnkzzrj)|w(borsoqvqc|fchtofigh|kzwqadhnt|v(chktbkwl|nfwxpnbz))|x(qnpfcbbug|yrnkypzje)|y(azntcwbxd|ikvwlpmdp|kqsauqrfg|menitgfvl|tbmxzkdgk|utmabqjlu)|z(carilbcqr|fkoysimxg|sozqzljko))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800043; rev:0;) # sid 1800044 includes 112 (0 - 112) 11 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.org)"; content:"|0b|";content:"|03|org|00|";nocase;within: 14;pcre: 
"/(a(hyrykdwjru|ivqfzqrrdn|nzqeamakcm|pbrfihicqx|wgltdjkeac)|b(cqixfxlwrg|etrmdqibjl|gjldcsmyqz|qvgraffiax|rpdvkuxuxu)|crvetqnysip|d(beewcdrarj|dnjwtgxiuj|pcnfgrwfai)|e(dzsnhvseyz|gtwcsfqkyw|kqqxmkygwv|t(detktoxgd|rkgjsfwnc)|ucbqyvzmhu|wkedkodepr)|f(evjzffaebu|pdywczbiey|zbehcxgzlf)|g(bhfyazvvdj|hugpqichor|lxpkaqqpng|mtpfxsotrl|slmyuvffxl|wctopmqypx|ywefqzsihy)|h(axojjlxkow|ewsrdodlzg|kqjruehfhs|noluzdobva|rbdozmoyca|xixipyxumh)|i(balkvjwywk|hjevvqijgy|rbhbjtltdz|wjxhlwscwz)|j(aezjxivvyi|bfpoedwquy|dqrpbwstbj|iakadmxgbt|njwpwwcorp|wvujgnhbcq|xyjbipynqw)|k(cobcizolsb|fmxpgjsnvc|jddixiusgs|nykcmzgtvi|rkomjnjvdm)|l(bviyjpawyb|cqricmzgbv|fopgqmwzkr|kgthytparf|qzjyqgadrr|zzuzpkqdmf)|m(rqfkgjhotr|sihysybfca)|n(dzfkrxwrfx|giredqlifv|nlyehjnjxb|ucafmjngza|ynyxuvfqqh)|o(ntbzuscdkq|oruewrmlpn|uowibpyojx)|p(bhxxcmzwpa|djzexzylce|fugqitztjn|kvnhhuajbx|tfpsyzzunr|uzarmbvpam|ztjzmfjnbp)|q(cqzijihrbi|ldicmvkgjs|uqgdstsjng|wpesyonrmi)|rtwaityhogv|s(uaxalyvgsq|ykvfydjzhw)|t(g(dzedjwvjj|jioxdbiav)|iluusvmqjj|rkctkzzbyn|wruappdufi)|u(dqdymazjoa|gtahatfgsa|r(hqbtajdht|ogwzkqroi)|zyklfedapm)|v(lirftbioot|npywuesuuo|vweyjaovcl|zovitytmwe)|w(fvybafvpdt|hxjnuzkrrj|suturjmqyi|wymamntdua)|x(i(agdyqddky|mulgkfecb)|nscyafnmmg|xljbrfxfgp|z(jblauhljg|zhfghienu))|y(cwgwdvanuo|fmylwuxeey|ltuoxqxauo)|z(acmrunkdgy|qawkfefpqo))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800044; rev:0;) # sid 1800045 includes 119 (0 - 119) 5 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.org)"; content:"|05|";content:"|03|org|00|";nocase;within: 8;pcre: 
"/(a(gkva|hztf|rvdr)|b(brsl|czpr|ffka|pzwe|t(cwk|mhf)|vzsk|w(ewk|zrj))|c(c(ida|nnv|qlg)|dcsc|lirv|swem|xaej)|d(avus|dsfk|gfvk|lrfg|niin|qaep|tpvw)|e(fqdv|n(diu|eto|tlq)|ogqo)|f(ksar|lcsn|yfmn|zhko)|g(pnpr|vbjp|yatv|zcbr)|hlbih|i(cnoe|gdwg|ivcd|kvcb)|j(ktwo|uuwi|yeoz|zrnk)|k(apeo|berm|nkli|ogpc|puco|sluv|vcvw)|l(ceya|pjks|sdbo|yeab)|m(clnm|gnxc|idph|lbur|x(gqm|qbv))|n(cxas|d(bps|gbk)|gkut|hkko|tciq|v(ify|rbm))|o(jarz|kikx|ngdt)|p(cdce|lkbb)|q(gonj|uwft|winh)|r(bfan|gpss|oery|vmol|yuho)|s(a(fwd|ndi)|ffyl|jhjl|kndv|svxr|tyov)|t(duiv|ltdo|nzkz|tkaq|xfbo|yxbe)|u(afls|ghzu|liaq|qhvz)|v(eoqv|hska|qcgq|xysg|ynvj)|w(anvm|btxb|cruf|hmzd|ucup)|x(akik|lyks)|y(chbj|zohm)|z(cefs|skwb))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800045; rev:0;) # sid 1800046 includes 134 (0 - 134) 6 character domains in the ".org" top level domain alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.org)"; content:"|06|";content:"|03|org|00|";nocase;within: 9;pcre: "/(a(ikdgy|uufar)|b(crmaf|edjch|fruay|l(jxps|wfeu)|yyofp)|c(hxwoe|jmiqx|kmyxc|nsubb|ozmpe|rfahx|uhecp|wffqm)|d(jaqnp|qovyv|veksn|wquks|yhaji)|e(aldor|ibzfk|ktvdz|leamf|uvbtn|xkwtq)|f(gassu|iwxvx|khnoc|zviet)|g(e(feak|hutw)|isdnp|uuazl|vsynh)|h(dkjdc|k(mizv|xqfs)|qhrbj|vxrjd)|i(alzpv|czjii)|j(bhkow|elyup|gstrr|mijab|rzjfi|soscb|ykzkb)|k(abwlu|ckwpd|didhn|ioivj|ohjdc|phfru|sezal)|l(evdit|k(kkyv|prlw)|ruhrk)|m(avfhy|mucsu|nfvha|prcsk|rjjsa|zustn)|n(lmknu|occgv|vyoiw)|o(dhnvc|oqorl|szpum|xzwsd|yfxnj|zopqj)|p(jgnxa|rdmjc|uoypy)|q(khqya|ofvmh|pawss)|r(acjzx|bcjkg|clpcz|eqyuj|vhcoa|zgmri)|s(apbya|kfbge)|t(uwyjn|wqmhi|xqynk|yhxxp|zrfrg)|u(dyhlg|iilro|tpqpy|uglkv)|v(hmurg|ijyqu|uogfm)|w(dgabi|evtrx|fupyx|icuel|ogimu|zufbp)|x(e(iger|lnyn|wiwl)|hiocj|iusku|msmie|npjdw)|y(ieeig|knief|l(huoa|mveg)|nczkf|suxhh|wdfbq|ylgyq)|z(g(iqtq|ooyq|tysu)|htasm|kuvdy|o(jeum|kdnf|nvom)|u(ttvy|yviu)|wirtk))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800046; rev:0;) # sid 
1800047 includes 101 (0 - 101) 7 character domains in the ".org" top level domain
#
# Review notes for the rules below (sids 1800047-1800056). They all share one shape:
#   header  : UDP only, from any source not in $SMTP_SERVERS/$DNS_SERVERS, to $DNS_SERVERS port 53.
#             DNS over TCP and lookups sent to resolvers outside $DNS_SERVERS are not inspected.
#   content : a single label-length byte with no offset/depth, so on its own it can match that
#             byte value anywhere in the payload; then the TLD label plus the root label
#             (|03|org|00| or |02|ws|00|), case-insensitive, bounded by "within".
#   pcre    : case-insensitive alternation of the listed labels. It carries no R modifier and no
#             anchors, so it is evaluated independently of where the content matches landed and
#             does not itself tie a label to the TLD.
# NOTE(review): "within" equals label length + 3 in every rule, while the second content is
#   5 bytes for .org and 4 bytes for .ws. If the engine requires the whole pattern to fit inside
#   the "within" window, the intended length-byte/TLD alignment falls outside it. Replay a
#   capture of a known lookup against these rules to confirm they fire before relying on them.
# NOTE(review): the label lists are a point-in-time snapshot (the file header names F-Secure's
#   February blocklist and a Feb 2009 generation date). Lookups for names outside the list are
#   not matched, so the absence of alerts is not evidence of a clean host.
# NOTE(review): every rule carries rev:0; bump rev whenever the list is regenerated so deployed
#   copies can be told apart.
#
# 7-byte label + 5-byte TLD pattern = 12 bytes after the length byte; within is 10 (see note above).
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.org)"; content:"|07|";content:"|03|org|00|";nocase;within: 10;pcre: "/(a(b(nmvpa|rhbln)|wdfazr)|b(hlupub|xkoywd|znufny)|c(bwhqnt|fducml|kttlxl|paspyf|qrxuil|slprnm|urzktd|zipgxg)|d(njkvza|osejey|wmxvpn)|e(slyuba|xxnnas)|f(khsxgv|nyjibj|w(nvlja|syrar))|g(bystci|hqdijc|lemkau|pkfqno|s(iiief|lrrdn)|wgosif)|h(ekrmlg|rmbjab|ypodfu)|i(lxaoen|sxadvt|texqhz|wtopuo)|j(bqylnj|dxwmmv|giytcv|uwleca)|k(qeitee|tcxiwz)|l(avvtyw|bqcxvl|eamcwl|jeyoqc|kscwmd|lbifif|tfrxqm|xidnjd)|m(pndzra|qeqdad|rfhrji|zkxera)|n(cljrxz|frwfqp|imngju|kpaqup)|ozavyhc|p(efyiob|htkpcx|mhrtxu|uhgwpk|yevutb)|q(cqtkmm|hoinnw|vnhbpk)|r(ijpyth|r(dxfjj|pdakk)|xqlcdh|ytpdfq)|s(kkxnzr|mfvxkm|xsmcgr|zckwxv)|thdeppe|u(e(ggzco|ynorg)|s(ghnwl|mkwbv)|wygkzj|zniito)|v(ggkljj|kbtrsp|osefdv)|w(jckgem|nmyshy|uwssqh|z(bxihb|hthzr))|xmlvdnv|y(nuobsj|rrutgq)|z(bdsyvs|cyucto|fyfunk|grgiwg|hzewpi|jchlyi))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800047; rev:0;)

# sid 1800048 includes 196 (0 - 196) 8 character domains in the ".org" top level domain
# 8-byte label + 5-byte TLD pattern = 13 bytes after the length byte; within is 11 (see note above).
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.org)"; content:"|08|";content:"|03|org|00|";nocase;within: 11;pcre: "/(a(cxnegug|fkzdxuo|iafmzva|jxjkfrj|kdmccfs|tryzgny|vbhkhom|yjygtrd)|b(e(jgihox|zipvpj)|gmdcure|jdnzmqs|kmxkfdj|nwjfbwb|ofxlzjw|rw(qstrm|zscfs)|sexdxjr|v(rvogcz|tjbltk)|xrupdad|yudndsh)|c(biqsyhl|fxgmgjx|kzthglr|zhyreyn)|d(douvboz|hznofsg|qvtjajj|vmyaskb|zgxrssz)|e(jdnhsiv|l(dbiaqa|xpmemf)|pcxalbe|shplxob|x(clnfcv|ganjex))|f(dyhrogr|e(ahuytd|borned)|fqethld|m(ctawpm|mcetgu)|obddunn|vmawful|znhhcpo)|g(k(kfojcc|rxsdgh)|nnzjybn|pvtcczo|ryxzwjv|xowbvco)|h(dudipes|n(rlgamv|zfjduq)|rddmdfd)|i(fvknhxx|hvyydlx|jgxkiwg|nkpkjng|sgzewde)|j(d(cyrajj|uyjssm)|e(erpszg|gphgtv)|lbhpumk|pewmsae|q(byinde|gbvlec)|r(arnfsa|rlhlpd)|w(mljqpe|tzclvu)|xdyunfi)|k(bkgdwqo|fgifmqp|hzlbvsj|kczuibw|pxblyge)|l(apfhaip|gdfxrjl|hyxnywc|ngrvapo|rmmciju|speupro|t(ctylng|jlvuhh)|wdrbfzp)|m(cqsebxv|droinxk|ekrnegq|ggssvur|ltmrgzr|mvapxzg|nllujfn|oqijeuu|redzrnm|trlxdiz|zordemi)|n(aibinjb|cbvyulo|hiquwoe|nhccewb|ohspyuc|rxfabbe|vzfsmbd|xwgxuhc)|o(a(btmbqo|osoomm)|boaioob|erxjqni|flglxmm|jzwxutn|l(mkazop|nikuwd)|mkjznou|p(hnhozx|vdnyjp))|p(affnukz|csuhbgb|igmhukf|pgaiqbb|q(llrolt|usxwlx)|tyvhhmc|vacxvec|wnflyff)|q(bzfigxm|giqzqku|ibwdeut|njhgeqo|ozxumsp|tswkdyv|wqkvsda|xmqdmbq|yampepf)|r(chwwlcb|ltimrcp|nqzhbvt|scwmsyi|wpbyvqz|xynyceq)|s(davlnnh|gzfudoj|iuadyqg|jnfabzo|slhlmqz|vwhhuya)|t(erelimq|kbtykjz|nkxqqtb)|u(aqvzuts|wtayowm|x(ousgjz|yrhnsy))|v(eaddsyy|g(ryyypd|wcjqka)|ikesnbz|jjbbfae|kklzvdp|mhsmqsi|nbdzcqj|oagmvir|vvogepcx)|w(bkwcfjq|dpucqvx|foejvts|gcdvtvl|ifxeanv|khpstck|ltcukzp|msftfdn|qhhhjbi)|x(anlblmx|dufwxjn|ftpwood|mokrbue|nvfivzg|tbtqpli|x(pwmptr|xseref))|y(janhgty|sidbmhi|yyqaqlm)|z(bevmvzw|gcmjtro|hwchtai|jnccjub|q(dxzzes|pzelsm)|rohbfsu|udeixyz|w(ezoxmp|rjwamz)))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800048; rev:0;)

# sid 1800049 includes 120 (0 - 120) 9 character domains in the ".org" top level domain
# 9-byte label + 5-byte TLD pattern = 14 bytes after the length byte; within is 12 (see note above).
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.org)"; content:"|09|";content:"|03|org|00|";nocase;within: 12;pcre: "/(a(fslgeikq|jeyelrbl|ntbgzkfc|qlpxsjbi)|b(bafomtuu|hikjyunn|jxckahlh|lhrzjcyp|nrgezylk|olqoruve|srsngvxx)|c(abcraxks|bevvveqe|jmonaopy|pyoklbzy|ralzvset)|d(ehaogphg|fnhlqqcx|jxwaouwk|qvemmjsz)|e(ferktphs|gbqadtrv|nogzlzxd|orgnbugv|qjbgwxah|t(eldpxce|pbnjhlf))|f(eamskduc|tljkwkds|ybhugyvb)|g(fdpccelp|gwnarcef|imajjmbk|lvxzywyv|pqlezebv|skknoxac|xiuqigev)|h(cmimbacs|p(hvsciit|xiloyfj))|i(ajnypelw|ruqcswwq|vfhicbys|yrnhhjiz)|j(aqxypjhv|emmtihtx|kfvujstz|ugncvhre)|k(cyuyqstl|jiwzfkkk|kgkbpzlm|lngcaxuq|oflrayvm|pcuzgrvc|ylolwnmj)|lhckzqsav|m(avihsapw|c(jayjvcr|ysvdydq|zmfuucs)|eknebefh|hagnskau|lbyarvpy|pqrbpzzt|vdblavup)|n(lcjxekmp|ruitnwcb)|p(egqgierv|muudafit|oqbxybyl|vmoswihh)|q(fifhgvzw|tuugidrs|wzicmkwz)|r(a(sheyojv|ubskriq)|bzylysnj|dfswbanm|jlptxlxq|pkzbsley|tddftlxg|udmrpsin|wxmjsptq|yvdsgvff)|s(htfsfbrm|ikjseldv|mtkszdwg|pnayasxg|romdqapm|zbxskmfy)|t(dgsgjwvt|jdyvinkh|r(emlxfrl|mewcvoq)|tthajxow|ymmlhtxv)|unjjlzgun|v(asygtcuz|dewaxvqc|eddlqjch|imaaccjr|qxhbptch|tvznrman)|w(bobojduz|ibxhuusz|jpfsmacv|yotcipxz)|x(gkjhfess|ixgahsme|kidsxiec|nxyjdysq|tvjheujt|vlhjdwgx)|y(gtgjsswc|oorxztrf|qtbedbhz|tdvsfuib|yiglvvpw)|z(dnqmsqfs|lpfgipqu))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800049; rev:0;)

# sid 1800050 includes 100 (0 - 100) 10 character domains in the ".ws" top level domain
# 10-byte label + 4-byte TLD pattern = 14 bytes after the length byte; within is 13 (see note above).
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.ws)"; content:"|0a|";content:"|02|ws|00|";nocase;within: 13;pcre: "/(a(b(ktvhxbmi|vkeehxte)|lbjcqgaiu|sjrnzkvnr|xgcjvyiyo)|b(x(dnwjiswa|oudifvqf)|ydmhnmdan)|c(bxjbtzzil|ihocqbndf|j(mivbqgmd|nsikblgs)|qorgyxhic|t(nqcgacbz|onxrokuf))|d(jjllqkpuj|lcytpajjr|pcrgbmfgy|xofrnjyvy)|e(fglcyvggh|gzfxjjjtf|kxltmqrky)|f(ctdiqcgwb|ovkywaxoy|wdynyldqa)|g(blsgwebyy|cohhfaodt|datgocmhd|efddvsdrw|gfvjmqscc|uqrocqdmt|yhpdkxuhs)|h(avvytjyew|bqcpqjskv|cfnkzxzus)|j(ligobnmds|mlkvjzokl|numcnlvyh|ocgofoycp|ubsjfzlos|xklwfylki)|kqhfjxcaxb|l(sesjtcyie|wedvgbhff|xevnowwpz)|mvaoffeoif|n(befdslmjk|kieqoufoh|u(fzrletsj|pwbkhkgj)|vzjmlxnrp)|o(gjrlaoiqy|lyyesgmgv|murycnumd|uyxmpiqhc)|p(fumtonmbj|nblolbzbj)|q(b(bbnwkpmy|thaorwbw)|ffmlssift|gifbgcehd|kkmvlbeju|lrftmmkeb|pfltprtdi)|r(ebfockcth|mqfcajefq|qdftonkoo|wasjcfsnz)|s(hgejdfjwa|lytoyqoqc|pgznazzmz|roaftqrym|sltognlcg)|t(cbtnaebej|jsopgmeek|mhnlhbrzh)|u(bknrmhsoi|hfeiwpsct|mgrzaybbf|usemlujqw|wlvejqqts)|vrtqvqrumu|w(bdekpojmj|mfhqozqhq|o(oqbpfdlj|teqrbxnh))|x(ewlbghlpx|fnqftkujj|qozuwlzxu|szgmcabwi)|y(fnzrfkcxl|khjvlxjuo|tqvefzgxa|zzerluzfm)|z(bslidcvit|c(avyqnqpl|fvtlsjvr)|fmocyjbic|vujsrwucg|wvumtgoal))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800050; rev:0;)

# sid 1800051 includes 123 (0 - 123) 11 character domains in the ".ws" top level domain
# 11-byte label + 4-byte TLD pattern = 15 bytes after the length byte; within is 14 (see note above).
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.ws)"; content:"|0b|";content:"|02|ws|00|";nocase;within: 14;pcre: "/(a(e(ljwatpmat|rialtldgd)|inronbzggr|rijiquhmai|sphrrzucpw)|b(b(rgdejsvlz|sktpcnfes)|dvesixbrqu|pedygmscec|yqabhgxpzp)|c(jpgwvkyost|lezfkluheh|mvqqvpegel|unoypematm)|d(absaqtsifs|hrzqajsvxh|kmwdevkchr|udwolwxopr)|eyhqabiiril|f(blwlgrnjjv|cdachwflzy|dzjwbhgxii|jbeehamlkn|lanytmkyok|ymeelayvtt|zulioabkgi)|g(aruncqpqtz|dcwqcqdqse|hgvdafiwgz|jffowmmkyv|kobijwqopl|ltjpklykaq|oevzlroqql|xiuudqgksa)|h(bssielgwan|gweoimbalz|hyfmewxqwa|iqbzyfxugg|wxsmvxtyfz|ywyhvnicdy)|i(akmgdmrrwk|egokwqlexa|i(jvwxpgbvl|nqkqbkzur)|jwqmkdexqd|nuoywdrbig|vzugnycsyj)|j(binwggpawj|i(efexjqtuo|zujppawme)|rurvavzpqp|zsgcxxzjzx)|k(aidednpdjr|flwlilqacz|iodorozrdi|nfsfzpqlnm|qdxqoozork)|lxrjqrhshsb|m(i(dvttnwkam|ecvcvpwtw)|qfckmenudy|sjsyhsjgfu)|n(alutjyfwpu|erzxzsabdl|izqrgyragb|kqloscbgig|ohhdnluqje|wtsonnmvja)|o(f(itamlaefv|qzymikmvd)|ipppcuoivl|lcgrgnztxu|p(hvslekqkr|pknctrddk)|ukvulmdvrf)|p(cbhkevecqk|qrmtwarzgo|raumhoxlft)|q(fymhtdcilp|hadbvoewux|jcxgnndotw|k(icwpssyqq|tevuzhocb)|v(hilplhfqq|yvzewbqkq))|r(bzjkswmaov|mglvergkca|omcfvnmryd)|s(lsqaegkmfz|ywenkkgnlo)|t(ftuqinyyrc|hyqwwprmtt|ifqdfwxmfv|ylkrbxwkfs)|u(ddcubbkqum|mjdpnpbbhh|roanhravmx|tbiotqvxno|xdbwifkpgm|ynobabzpaf)|v(alqeokzwat|mbmamagdrf|phrfbewywp)|w(fodxabpmbs|idmxfbwldl|jscodzhqdk|ulhfvenqbh|zefdogdhap)|x(hzjonpceuz|ivjndcvujg|kmatawaeyd|lkuacxbcvv|r(gifthjcst|mujflezfj))|y(rbnhkdlxzt|x(petpqwrmi|vpevtjyld)|znngzisqty)|z(biewrmmzep|h(jiigeghhh|yzvapzcjp)|mshkisthaw|nswtrgjvmd))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800051; rev:0;)

# sid 1800052 includes 92 (0 - 92) 5 character domains in the ".ws" top level domain
# 5-byte label + 4-byte TLD pattern = 9 bytes after the length byte; within is 8 (see note above).
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.ws)"; content:"|05|";content:"|02|ws|00|";nocase;within: 8;pcre: "/(asqpm|b(cqko|xgil|ygyi)|c(ckiu|mfbp)|e(nsny|pvpk|uqge|xsqm|yyey)|f(holb|qfra|vjtj|zuim)|g(dnsz|lujx|mmqq)|h(bmnu|jwwd|mlks|qmig)|i(rzfh|t(ckr|fuc))|j(bivl|dood|ehqb|ifqp|jyos|xyrp)|k(ikjj|k(lcn|wht)|wwct)|l(fhkc|gcef|tdqw)|m(apwk|mxht|wgtd|yvyp)|n(scep|vixb)|p(aglo|gxao|ndkr)|q(cshh|lczv|s(ehd|wex))|r(fyed|lhct|qxbr|rtbh|s(bor|jgf)|zlam)|s(agng|iifd|rajq|sujv|tpee)|tv(dla|tsv)|u(amvk|dzuo|o(gbe|qvv)|sdjf)|v(khzj|nnvv|vxht)|w(ggil|nowb|znxl)|x(btym|cnoe|edue|gmoj|juxf|rvmv|sprp|wfxr|ztpl)|y(aclq|pmap|vwag)|z(avmb|lyjz|mruw|qhgb))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800052; rev:0;)

# sid 1800053 includes 121 (0 - 121) 6 character domains in the ".ws" top level domain
# 6-byte label + 4-byte TLD pattern = 10 bytes after the length byte; within is 9 (see note above).
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.ws)"; content:"|06|";content:"|02|ws|00|";nocase;within: 9;pcre: "/(a(havzz|xqaip)|b(gyjvr|jlkhd|knhsf|lezcc|umlke|wmkrv|y(khzr|yvat))|c(aorih|vmamk)|d(gmodf|pmiil|scugf|ywmwe)|e(byxxt|desvp|llvnv|rycpe|sebdu|unwkg|vrovq|xvgvv)|f(gkxiz|tpsrv|vtgcq|wafdl|zhpkt)|g(gtuoy|kchfg|owmyn|zntqd)|h(mrxec|qnhrh|xelpe)|i(ezswo|jmyjw|obmwd|qfjdt)|j(gqgbl|umdcd)|k(daurf|f(nssy|ylcp)|mtrnv)|l(j(umoy|ykxh)|obbsr|trfbd|v(izng|wump))|m(avpaa|cduar|dxoyy|g(hjnz|lxjh)|rvtte|toaxs|xhhgn)|n(qpgjq|tsfib|vlcot)|o(bytnn|c(koow|sngf)|eknyt|kyshm)|p(gciiv|immke|jylqv)|q(dvjcy|ivtol|oreqq|tedmd|unxrz)|r(hajsi|irlhb|j(sffr|vall)|oxvqz|smzxv)|s(apiqa|kkxqs|o(hqme|ybeq)|xzlrx|yijgk)|t(buoif|edjpv|uhysx|zooed)|u(ilzic|kxmvi|lfnee|qnlhr|talpx|xtrsv)|v(gotiw|iojld|pazff|qczjx|xamxl)|w(abvqn|djdmg|eazmg|oauil)|x(ckrqm|hyhms|kqrmv|pstks|zogtx)|y(rdcwi|xksjp)|z(acmgz|juhmu|opdwi|rvkvs|tlguc|w(hllx|mckv)))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800053; rev:0;)

# sid 1800054 includes 113 (0 - 113) 7 character domains in the ".ws" top level domain
# 7-byte label + 4-byte TLD pattern = 11 bytes after the length byte; within is 10 (see note above).
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.ws)"; content:"|07|";content:"|02|ws|00|";nocase;within: 10;pcre: "/(a(bsizef|gowquk)|b(alkvut|mwewsi|xfpbqw)|c(cdmgzf|irrzmb|swwqiy)|d(g(fezta|rcfoc)|mvftgl|o(fayzi|mxrau)|pcwvak|vmpzwp|wpwxaq|y(dmrmi|pbhpx))|e(betaeo|ehpoym)|f(cbueah|d(chmgz|drxux)|mbfotn|rxwgpm|wreacu)|g(ewassn|gxvzwp|hcylxq|ivahva|kfjdzd|q(lbydk|uyspb)|swkhnk|yvskjw)|h(ianhrp|oynwfh|pebchb|quhguv|ucyuub)|i(kdcsup|ndpmmi|wqlrxk)|j(fweubt|gknidn|qtwgha|ugasdg|z(tdvyt|vsgzz|yeqxe))|k(aodhbm|ngoyei|qnwlqc)|l(aavtvp|eukhhw|fdsvxv|ksuvvj|lvbscv|ryqydo|uprzhe|vfmopm)|m(ghzbrm|ixliwh|virshx)|n(bnbhgj|wwlszv)|o(cjaccv|dcwsqr|uzpfcr)|p(ecqlpx|lycxep|pvedbv)|q(gqlegd|qimfkn|rplvbq|skpkic|tgwrex)|r(njeqxq|qldxpu|vnvann)|s(dkagdc|hppkis)|tsgtbvs|u(eltnbl|ibdqsw|kfuduz|orujqm|pqeljp|q(ihcac|xvxaj))|v(gryosc|lnozhk|ngpufi|sgtxoi)|w(dbdysh|qpcgig|stwawu)|x(acazmx|ezevhf|gvtzwl|jwvins|lhtaly|rczhfv|yhcfvo)|y(eftond|jvnxwo|sebebh|vrmznz)|z(fhvmnb|kgqzaj|lgawvn|wyduga|xrjkxy))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800054; rev:0;)

# sid 1800055 includes 203 (0 - 203) 8 character domains in the ".ws" top level domain
# 8-byte label + 4-byte TLD pattern = 12 bytes after the length byte; within is 11 (see note above).
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.ws)"; content:"|08|";content:"|02|ws|00|";nocase;within: 11;pcre: "/(a(bgxadya|ebiwyiq|glfaxfw|klidfpe|l(cjficn|izpvlr)|nxsmjpu|paldiyo|tacalvo|zgibadq)|b(fqrmqbx|htmtflg|oqhyuax|qpqjlgm|rnigsmf|xyhinmh)|c(awawuyi|brcylpk|jgtivev|qpggyvb|tonlzcs|zhcguic)|d(asgkbxg|ddttuhb|fikuzwg|gqwkehm|irbyvdd|pvqoaef|rineksv|x(jsxqmh|olwykl|ubjjce))|e(flgeeay|ogpjnqs|rpbtabj|swrimgr|totkqio|vjyoqob)|f(bzmowcs|colzipi|djrkoao|hssgzqo|kvhaijv|p(jnxrlf|lipafn)|uupawbc|xzuuqei)|g(d(rkhfni|wnauev)|mrokgnd|tvdkfdr|wswmifc|zznlmqb)|h(bfeogen|cp(flzmx|vzhkj)|g(eghfac|yobbsw)|haevbxr|upnfiuk|vhpmybb|wlnydyn)|i(brdykqf|hmujcfa|juglzxn|svmziky|uolhwia|v(adsjpq|qbhqym)|xpxwhtu|yfgmqaa)|j(bvksxuo|cdaqcvt|dbcwtgm|ilslkqa|mqtcujr|remmowa|uefqovw|yjxtuyh)|k(aplikfu|blczqjp|vmjsceq|wnnmpfu|z(qfmvht|wzlubo))|l(euqwylx|fwcsuov|kzdwqes|pqhbjxh|rvgboat|samtfbq|wybwpjr)|m(b(jerulb|xzufyc)|ddvrltt|epnhjbg|txxzzxw|xbspyeh|ywakxfa|zhzufjj)|n(bkwhmii|fnbjraf|iroiwro|otdfjkf|polnmpu|q(ksaycz|wqqrzt)|whiqjmb|x(cdfvoa|dcxseb))|o(afqvrtv|crxectd|edydjnb|yfrzvkj)|p(eaqloyo|fieqvml|k(gknwbj|mkvipu)|lepbobz|qqmkuaa|uqellke|xfngolf)|q(bxfnaxi|huszdmw|imzdrke|kbkrejv|ldhsago|nbtavef|p(neqvcq|ymjmhg))|r(amgjeat|c(hvvorw|kibfug)|qneyond|vqwxtih)|s(brdiglh|duragfe|ftywhme|g(aepqrv|dddluw)|nuxeyjd|pxyhruw|qcfrsro|xiyjena|yiishkm|z(huhils|lcbxnb))|t(mscfuqp|onfoqsz|rlexdgc|udeabpw|ywsqrku)|u(btelxgq|hrsndwe|qrlsyms|rixfusg|xlvkpqt|yuhhzmn)|v(g(bogeog|yoqgax)|jxkpzjy|kxamvsj|m(ihyrme|tryplu)|ruapxob|zvazdci)|w(hwjvoiu|k(ionoga|qcihwx)|odewbue|sgysloe|t(cafowy|d(drnfw|gzrjm))|ukubviu)|x(irmhgmy|maeirgs|otgndzx|rtxdmzw|ulixeux|waauvkh|xttkwnl|zclkbzu)|y(f(ebqhvj|lisitb)|i(hkzyyp|jgzwfi)|lyfvifl|mldvrgx|ppihhwj|rvuhpuc|vytooia|xaauxux|yaydupm|zjdtpnm)|z(bdbeaaq|favkfjx|mnhqjcb|ofophmu|rotsttd|wbogzmc|xfqvzxi|yvremmn))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800055; rev:0;)

# sid 1800056 includes 111 (0 - 111) 9 character domains in the ".ws" top level domain
# 9-byte label + 4-byte TLD pattern = 13 bytes after the length byte; within is 12 (see note above).
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Conficker DNS lookup chars (.ws)"; content:"|09|";content:"|02|ws|00|";nocase;within: 12;pcre: "/(a(gfwrxilb|jepenkux|kqyndyik|nnqmrrqt)|b(aohkpumf|btmxxkwo|gyrpjwag|hauflmfn|olqdcaoq|rfpclcnb|vzqxbydh)|c(agygakbt|dxkduhbg|hibrizzu)|d(birgrikf|crkaxvrs|flnsspay|qtczxafp|xtzrhiaj)|e(huaolajj|jyqmbhoi|ponubcxi|rhtmnyxw)|f(cxftayfp|wkvyrbkp)|gguibdxrq|h(lmbhpaic|oljyclxx|rqgpccyw)|i(ed(dpvgqo|havtkg)|frljsxtu|lsfprllg|okbebrvv|shtldtsc|wmbxoktx|xtjsbkhl)|j(b(orwznyh|vozzqqb)|cmzqpokh|k(eqnrtab|qofitdi)|ljsdzjcx|miwwtvcf|tgmsvvvi|uyzzvean)|k(baqzjtzq|eqsjwbcc|rsbiqkxu)|latovxref|m(bohntaue|ctwlunma|gxngnwgy|uztrkxmb|xyfinzpx)|n(etjblirr|fptpczbf|pgemnrft|xenwxmte)|o(ffhbdylm|ivaqvfad|tuogchca|vlunzuwh)|p(ceszjhtt|mqcjvvbj|nlcxpqwj|uyzhtxdn|vwgrbgev|wvvilbyu)|q(ckagzlly|oawwhift|y(kelyjzh|svcgwah))|r(iqyxgvya|lpgxilhi|pedvmagz|zxnhyltz)|s(gpdthlld|hdsqjxrz|ribppeju|shvtflrc)|ta(rfewesi|taqltca)|u(avwqqpcg|dxiloqop|fktrvyfq|geqpaiap|jnftbydr|lqlqwzgn|nrnhkoxq|qfgkxdvw|utymelew|vgrnfxxy|wprrfybx)|v(cpazlzrx|dsrhqmzq|jpbsaooi|mszfpaum|rbmviovc)|w(mfhmgelw|q(felrxhr|kgkbdtn))|xd(rubtomb|yneoeeu)|y(acomltkt|hodektvq|nplrvfkz|snmfhhcf|zlbxeaza)|z(muqkyeiz|rounfrwy))/i"; classtype:trojan-activity; reference:url,www.f-secure.com; sid:1800056; rev:0;)