On 12/12/2012 15:19, Tom Kinghorn wrote:
_____________________________________
Thanks for the response.
The hostname.domainname part is randomized, so it would need to be a
wildcard.
One constant is that the domain part (in this case pisem) always seems
to be 5 letters.
The .tld also changes between .ru & .su.
Hi List.
I managed to get it solved (with one .tld)... well, it appears to work.
The sig is:
*/687474703a2f2f{-7}2f2e2f{-5}2e7275/*
which decodes to
*/http://{WILDCARD_ANY_STRING(LENGTH<=7)}/./{WILDCARD_ANY_STRING(LENGTH<=5)}.ru/*
Thanks
Tom
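
The signature posted above can be checked offline by translating its wildcards into a byte regex and running it over test strings. This is an added example, not part of the original message and not ClamAV code; the function names and the sample URLs are constructed for illustration, and only a subset of the signature syntax is handled.

```python
import re

# Hex body of the signature exactly as posted in the message above.
POSTED_SIG = "687474703a2f2f{-7}2f2e2f{-5}2e7275"

# Subset of ClamAV body-signature syntax (no alternation or nibble wildcards).
_TOKEN = re.compile(
    r"(?P<hex>(?:[0-9a-fA-F]{2})+)"              # literal bytes
    r"|(?P<any>\?\?)"                            # ??    any one byte
    r"|(?P<star>\*)"                             # *     any number of bytes
    r"|\{(?P<lo>\d*)(?P<dash>-?)(?P<hi>\d*)\}"   # {n} {-n} {n-} {n-m}
)

def sig_to_regex(sig):
    """Translate a hex signature body into a compiled bytes regex."""
    parts, pos = [], 0
    while pos < len(sig):
        m = _TOKEN.match(sig, pos)
        if m is None:
            raise ValueError("unsupported token at offset %d" % pos)
        if m["hex"]:
            parts.append(re.escape(bytes.fromhex(m["hex"])))
        elif m["any"]:
            parts.append(b".")
        elif m["star"]:
            parts.append(b".*?")
        else:
            lo, dash, hi = m["lo"], m["dash"], m["hi"]
            if not lo and not hi:
                raise ValueError("empty gap at offset %d" % pos)
            # {n} is an exact skip; with a dash, a missing bound is open.
            bounds = "{%s,%s}" % (lo or "0", hi) if dash else "{%s}" % lo
            parts.append(b"." + bounds.encode())
        pos = m.end()
    return re.compile(b"".join(parts), re.DOTALL)

def matches(sig, data):
    """True if the signature body occurs anywhere in data."""
    return sig_to_regex(sig).search(data) is not None

# Constructed sample inputs (placeholder names, not taken from real mail).
SAMPLES = {
    "ru_full":  b'<a href="http://aaaaaaa/./bbbbb.ru/x">',
    "ru_short": b"http://aa/./b.ru",
    "su":       b"http://aaaaaaa/./bbbbb.su",
    "long_gap": b"http://aaaaaaaa/./bbbbb.ru",
}

print({k: matches(POSTED_SIG, v) for k, v in SAMPLES.items()})
```

Because `{-7}` and `{-5}` are upper bounds, shorter gaps also match, while the `.su` sample and the 8-byte gap do not.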