##########################################
#
# Malware Snort Rules
#
# Copyright 2005-2007 Cory Bys and Brendan O'Connor
# All Rights Reserved
# Particle.Bored@kgb.to
#
# This rule set is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This rule set is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# If you are using a version prior to 18 September 2005,
# throw it away! This one is far more efficient.
#
# Thanks to Matt Jonkman for the optimization tips
#
# Last update 19 June 2007
#
##########################################
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - 1 Click Spy Clean"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(1clickspyclean.com|clicksuite.net)\r\n/"; classtype:trojan-activity; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - 1 Spyware Killer"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(1spywarekiller.com|surfertools.com)\r\n/"; classtype:trojan-activity; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - 123Mania"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(123mania.com|dcfgsd.com|kidsmk.com|prsdvb.com|rgwuio.com|semcmm.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/123Mania.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - 180Solutions"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(180solutions.com|captioncity.com|metricsdirect.com|n-case.com|n-case.net)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/nCase.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - 24/7 Real Media"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(247realmedia.com)\r\n/"; classtype:trojan-activity; reference:url,privacy.yahoo.com/privacy/us/adservers/print.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - 33 West"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(33west.com|bhozapper.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - 404Search"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(404search.com|browservillage.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/404Search.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - 7FaSSt"; flow:established; content:"Host\:"; pcre:"/(Host\:)\s[a-zA-Z0-9.-]+(\fstrack.7search.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/7FaSSt.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - AceStats"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(acestats.com)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - ActiveSearch"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(activesearch.com)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - ActualNames/BrowseProxy"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(actualnames.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/ActualNames.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - ACXInstall"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(ispdialer.com|nocreditcard.net)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/ACXInstall.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Ad-Up"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(ad-up.com|clickz.com)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Ad Eliminator"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(123spywar.com|1stspywar.com|ad-eliminator.com|adekit.com|adeliminator.net|adware-business.com|adware-gator.com|adwareindanger.com|adwareisgone.com|antiadwareco.com|antiadwarefoundation.com|antispawarechat.com|antispawarefree.com|antispywareco.com|antispywarecoer.com|antispywaredirectx.com|antispywarefreex.com|antispywarefreex.com|killadwareco.com|myspyerase.biz|realspyerase.biz|spydestroying.com|spyelimination.com|spywareindanger.com|spywarmegasite.com)\r\n/"; classtype:trojan-activity; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Ad River"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adriver.ru)\r\n/"; classtype:trojan-activity;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - AdAtom"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adatom.com)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - AdBest"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adbest.com)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - AdBreak"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adbreak.com|sylip.com|larint.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/AdBreak.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - AdDriller"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(addriller.com|cdmworldsoftware.com)\r\n/"; classtype:trojan-activity; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Adlogix"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adlogix.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - AdRoar"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adroar.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/AdRoar.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Adtomi"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adtomi.com|zestyfind.com)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - AdultLicense"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adultlicense.net)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - AdultLinks"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(mainentrypoint.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/AdultLinks.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - AdVision"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(advertisingvision.com)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.advision.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - AdwareHunter"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adwarehunter.com|browser-page.com)\r\n/"; classtype:trojan-activity; reference:url,msmvps.com/donna/archive/2004/06/06/7651.aspx;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Alarm-Works"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(alarm-works.com)\r\n/"; classtype:trojan-activity; reference:url,isc.sans.org/diary.php?date=2004-09-16;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - AntiSpy"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(bankcashadvance.com|besisk.com|bestcashloans.com|billingcomplete.com|billingticket.com|broadcastinginstitute.com|broadcastingwork.com|buysmarter.com|cashguides.com|computeranywhere.com|computercleaner.com|computershield.com|computersupercharger.com|contentreview.com|crashprotector.com|creditsecretsguide.com|discountbob.com|diskprotector.com|download-central.com|downloadcontrol.com|drivecleaner.com|drivefixer.com|driveprotector.com|dslvelocity.com|\
easydivorceguide.com|easywillguide.com|ebayguides.com|epinioncash.com|eztaxfiler.com|filefixer.com|fileprotector.com|getfreecar.com|holly-whores.com|hotliveamateurs.com|hotliveasians.com|hotlivegirls.com|hotlivenetwork.com|hummerhump.com|imagefixer.com|innovativeventures.net|internetantispy.com|internetblocker.com|internetspy.com|intrudertrace.com|kazaaplatinum.com|kazaaupgrade.com|kpremium.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windexb.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - AntiSpy"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(mensanswers.com|morpheusmp3s.com|mp3bundle.com|mp3downloadclub.com|mp3guidebook.com|multimediafixer.com|netsupercharger.com|networkprotector.com|opensols.com|\
pcsupercharger.com|popupavenger.com|popupguard.com|pornnap.com|privacyprotector.com|quikpicks.com|refunds-online.com|remotescout.com|removeyourself.org|saynototaxes.com|spamblockerpro.com|spamprotector.com|speeddrive.com|stockpops.com|stopguard.com|surfpatrol.com|systemdoctor.com|velocityads.com|virusguard.com|windowsrecovery.com|workhomecenter.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windexb.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - AP Net Marketing"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(amateurpages.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - AproposMedia"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adintelligence.net|contextplus.net|peopleonpage.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/AproposMedia.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - AutoSearch"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(tunders.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/AutoSearch.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - AutoStartup"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(avatarresources.com|avres.net|guardster.com|musicfeast.com|wenksdisdkjeilsow.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/AutoStartup.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - AutoTrack"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(fuzeqna.com|toprebates.com)\r\n/"; classtype:trojan-activity; reference:url,www.itshappening.com/showthread.php?t=68129;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Avenue A"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(aa-rf.com|aquantive.com|atdmt.com|atlasdmt.com|avenuea.com|bidclix.com|bidclix.net|drivepm.com|i-frontier.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Aornum.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Bargain Buddy"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adp.ikena.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/BargainBuddy.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - BDE"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(brilliantdigital.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/BDE.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Belcaro Group"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(selectbonus.com|shopathomeselect.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windexs.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - belgiandip"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(belgiandip.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Bilal"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(no-adware.net|noadware.net|noadware.us|scanspyware.net|spyware-cop.com|spywarekilla.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windexn.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Bluestreak"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(bluestreak.com)\r\n/"; classtype:trojan-activity; reference:url,/privacy.yahoo.com/privacy/us/adservers/print.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Bonzi Buddy"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(bonzi.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - BookedSpace"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(bookedspace.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/BookedSpace.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - BrowserAid"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(abcsearch.com|browseraid.com|browserpal.com|cashtoolbar.com|featured-results.com|letssearch.com|pstopper.com|quicklaunch.com|searchandclick.com|searchmadesafe.com|startium.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/BrowserAid.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - BruggeNet"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(bruggenet.net|fassia.net|illtemperedguppys.net|smokeandapancake.org|undergroundlair.net)\r\n/"; classtype:trojan-activity; reference:url,www.derkeiler.com/Newsgroups/microsoft.public.security/2004-02/0614.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - BUDS Inc."; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(budsinc.com|hahahumor.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Bulla"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(1110100011o1window.info|bulla.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Bulla.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - BulletProofSoft"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(activex.us|adnuker.com|ads4me.net|audioshareware.com|audiotools.ws|backupdvd.info|bulletproofsoft.com|bulletproofsoft.info|bulletproofsoft.ws|care2.com|clicknzip.com|couponsandoffers.com|downloadsnet.com|downloadupload.com|esftp.com|file4me.com|filehog.com|fireballftp.com|ftpking.com|ftpmonster.com|ftpright.net|getridspyware.com|h4host.com|imagineer-web.com|job4middleeast.com|jobbid.ws|jobbid4me.com|mawaqit.com|mediatools.ws|monsterzip.com)\r\n/"; classtype:trojan-activity; reference:url,www.bluetack.co.uk/forums/index.php?showtopic=3276;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - BulletProofSoft"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(navexcel.com|noadware.com|onestopsoft.com|pigeons-news.com|pigeons.net|popupshield.net|popupsnuker.com|rizalsoftware.com|robust.ws|robustftp.com|royalftp.com|sharewaredepo.com|sharewarepile.com|softdepo.com|softwareclub.ws|softwaredepo.com|softwarepile.com|soundindepth.com|spaminnihilator.com|spamnullifier.com|spider.ws|spywarezapper.com|subloads.com|supportmail.info|tbel.net|tdwebhost.com|topdownloads.net|traceremover.com|tracezapper.com|trackscrubber.com|trackzapper.com|webservicehost.com|windowscleanser.com|windowsclenser.com|zillaftp.com|zillasoft.ws)\r\n/"; classtype:trojan-activity; reference:url,www.bluetack.co.uk/forums/index.php?showtopic=3276;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Cargao"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(10s.com.br)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Casale Media"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(casalemedia.com|hsx.com|internetsoft.com|netspyprotector.com|nospyx.com|spywareboard.com|spywarestormer.com|theplanet.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - CDT"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(flingstone.com|mt-download.com|searchbarcash.com|searchmeup.cc|searchmiracle.com)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.cdt.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Centrport"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(centrport.com)\r\n/"; classtype:trojan-activity; reference:url,privacy.yahoo.com/privacy/us/adservers/print.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - ClearSearch"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(clear-search.com|clrsch.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/ClearSearch.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Clickability"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(clickability.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - ClickDLoader"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(c4tdownload.com|clickbank.(com|net)|ucbill.com)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.clickdloader.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - ClickSpring"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(clickspring.net|kephyr.com|purityscan.com|puritysweep.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windexc.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - ClickTheButton"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(clickthebutton.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/ClickTheButton.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - ClientMan"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(123search.com|1stblaze.com|baidu.com|epilot.com|firstbookmark.com|nostrumindia.com|odysseusmarketing.com|popupsponsor.com|popuptraffic.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/ClientMan.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - CnsMin"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(3721.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/CnsMin.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Comet Cursor"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(cometcursor.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/CometCursor.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - CommonName"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(commonname.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/CommonName.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Consumer Credit USA"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(consumercreditusa.com| freecameranow.com|giftcardsdirect.com|grocerycouponsdirect.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windexc.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - CoolWebSearch"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(0-29.com|0-2u.com|0-days.net|000info.com|008i.com|008k.com|00hq.com|010402.com|0190-dialer.com|05p.com|0calories.net|0websearch.com|1-domains-registrations.com|1-se.com|100mature.net|100pantyhose.com|123-search.net|123zae.biz|171203.com|18age-domination.com|2000guys.com|2020search.com|20x2p.com|21century-mp3.nu|284b.com|39-93.com|4-counter.com|555y.com|600pics.com|61-31.com|664p.com|69bymail.com|6o9.com|700k.com|75tz.com|7buscar.com|7days.ws|7search.com|8ad.com|99fh.com|99livecam.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/CWS/cwsbyalphanumeric.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - CoolWebSearch"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(a-137.com|about-blank.biz|aboutclicker.com|absolutelyfreemovies.com|achaeans.com|achileos.com|achtungachtung.com|acoolwebsearch.com|activexupdate.com|ad-ua.com|ad25.com|ad45.com|ad77.com|ad86.com|adamssupportgroup.org|adasearch.com|addictivetoporn.com|adtraffic.net|adult-friends-finder.net|adult-profit.com|adult-xxx-tgp.com|adultcash.com|adultchat-rooms.biz|adultden.com|adultfriendfinder.com|adulthyperlinks.com|adultprovide.com|afind.biz|afind.com|afind.info|aifind.info|aisauto.com|aktobut.com|alfa-search.com|alhimik.com|all-find.net|all-websearch.com|allaboutsearching.com|allcrazyporn.com|allhyperlinks.com|allinternal.com|allnakedboys.org|allneedsearch.com|allyes.com|amandabbw.com|amateurexposed.com|americanboy.net|amicodiieri.it|amigeek.com|anime-babes.info|approvedlinks.com|art-various.com|autosearch.cc|awesometeenmovies.com|axa.de|axistek.com|\
b00gle.com|babesxxx.net|bdsm-dialer.com|bdsm-inc.com|beast4me.com|begin2search.com|best-result.info|best-search.cc|best-search.cc|best-search.info|best-sites.org|bestgenericprices.com|besthomeporn.com|bestpornnews.com|bestsearch.cc|bestsekch.cc|big-biblioteka.com|big-penis-pics.com|bigbr.cc|billingnow.com|bonne-pute.com|bookhugs.com|bossofthesauce.com|boys-group.com|boys-inc.com|bradleyhits.biz|bruteens.com|buldog-search.com|buldog-stats.com|buscamundo.com|bustymommy.com|buycheapviagra.com|buysearch.cc|buysmarteronline.com|\
cash4toolbar.com|cashinfo.biz|cashsearch.biz|cax.cab|cc20foreva.com|charming-teens.com|chinaexpressjidla.com|circlesfarms.com|clean-hosted-galleries.com|click2media.net|clickaire.com|clickenzer.com|clickheretofind.com|clickzs.com|clickzs.com|conyc.com|cool-pantyhose.com|coolamateursite.com|coolfreehost.com|coolfreepages.com|coolhardcoresite.com|coolloud.org|coolmature.net|coolnameserv.com|coolpaysite.com|coolsearcher.info|coolteenporno.com|coolwebsearch.cc|coolwebsearch.com|coolwebsearch.org|couldnotfind.com|count.cc|countere.com|cpm-04.com|crazyfinder.com|crdrcr.com|creamedpussy.net|crossdots.com|cutegirlsporn.com|cxem.org|cyberheatinc.com|cyprusturk.net|\
d8t.biz|da.ru|dailyteenspic.com|damcash.com|damhost.com|darkest.com|darkrapesex.com|datanotary.com|datasearch.info|deardrocher.com|dedmazai.com|default-homepage-network.com|defaultsearching.com|devilsfuck.com|dialer2004.com|dialeraccess.com|dialerplatform.com|directorydrugs.com|directrape.com|directsearch.net|directwebsearch.net|dirtyhosting.com|dirtysouthhohouse.com|dmporn.com|do-jaja.com|dog-cum.com|dorkodrom.com|dreamxsex.com|dreamxsite.com|drusearch.com|drvvv.com|\
e-finder.cc|e-jobru.com|e-sexcash.com|easy-gals.net|easy-search.biz|easy-search.net|ebookcreatorpro.biz|eentinc.com|ehtp.cc|ehttp.cc|enjoysearch.info|eplugin.cab|eplugin_us.cab|esearch.cc|eselmann.com|ewizard.cc|ez-finder.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/CWS/cwsbyalphanumeric.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - CoolWebSearch"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(fanatik.net|fast-look.com|fastvisitcounter.com|fetishcrime.biz|fille-africaine.com|find-it-easy.org|find-itnow.com|find-online.net|find4u.net|findthewebsiteyouneed.com|findtop.net|findwhat.com|findwhat.com|findwhatevernow.com|finenylon.com|firstbookmark.com|free-milf-porno.com|free-pissing.org|free-porn-art.com|free32.com|freeadult-webcams.biz|freednshost.info|freeezinebucks.com|freehomepages.com|freehostedgalleries.com|freeload.cc|freepage.ws|freephotosonly.com|freepornbest.com|freeteen-sluts.com|fromru.com|fuckedboys.net|fucking-machine.net|fuckingfree.net|full-search.net|full-tgp.net|fullmovies.net|\
gallerytaboo.com|gals-post.com|galsteam.com|galsteen.com|gammacash.com|gammae.com|gammae.com|gay-desire.com|gayboynetwork.com|gaycampus.net|gaymalepornpics.com|gays-club.com|gays-inc.com|gaysincest.com|geobytes.com|get-access.com|get-bondage-bdsm.com|get-certified.net|get-data.net|get-faster.com|get-gay.com|get-search.cc|getgovtmoney.com|getthis4free.com|gigafinder.com|girl-pissing.net|girlrapes.com|girlsland.biz|global-counter.com|global-finder.com|go-acct.com|go-advertising.com|go-all.com|go2-search.com|go4sexxx.com|gocybersearch.com|goldenpalace.com|goodxxx.net|gotosex4all.com|greg-search.com|\
h-c-t.com|haldex.com|handicaphelp.cz|happy-new-year.biz|hardcoreover.com|hbison.com|hentai-inc.com|here4search.com|heretofind.com|hidden-files.com|hightcalldialer.com|home-search.cc|homepage.ru|host2010.com|hostssp.com|hot-daily-pics.com|hot-search.com|hot-search.com|hot-searches.com|hot-supermodel.com|hotbigtit.com|hotbookmark.com|hotfreebies.com|hotnetteens.com|hotpopup.com|hotsearchbox.com|hotsexxgirl.com|hqstorm.com|hugesearch.net|hungrypussi.com|\
i--search.com|iblockpopups.com|icanfindit.net|icansearch.net|ie-search.com|iefeadsl.com|ifriends.net|illegalarea.com|illegaldomain.com|ilxt.info|ilxt.info|image-chaude.com|imagesrvr.com|incest-movies.org|inet-traffic.com|inettraffic.com|inferns-soft.com|inhost2.info|instalg.ws|installcash.com|internetantispy.com|interneteraser.com|internetquicksearch.com|internetquicksearch.net|inthevip.com|iquicksearch.com|iquicksearch.net|ircforever.net|isearchtech.com|isprime.com|iteens.info|iwantsearch.com|iweb-commerce.com|iwebland.com|\
jethomepage.com|jetseeker.com|jpeghunter.com|\
karasxxx.com|karpina.com|karupspc.com|kazaamp3s.com|kitasearch.com|kpremium.com|\
land-xxx.com|lender-search.com|leonixxx.com|lesbee.com|lesbian-inc.com|lesbo-desire.com|lickitquick.com|likesurfing.com|line-plus.com|linkey.ru|linkey.ru|linklist.cc|little-lady.net|littlegardener.com|locator.cc|lolmature.com|lookfindgo.com|lookfor.cc|looking-for.cc|lookingfor.cc|looksa.com|lovely-mature.com|lovemynet.com|luckysearch.net|\
ma3ca.com|mad4porn.com|mail333.com|mailwiper.com|makali.net|marablic.com|marketbanker.com|masturbate-pics.com|mature-inc.com|mature-sex-live.com|mature-tech.com|maturejournal.com|matures-club.com|maxcash.com|maximumcash.com|maximumhost.com|maxmirnyi.com|maxxxhosters.com|mb50.com|mcpromotions.com|media-search.net|megarape.com|messagebroadcaster.net|methodsilva.com|mig29here.com|mikesapartment.com|mikrovin.com|milfondick.com|model-gallery.net|mogilka.com|moiweb.com|mokar.com|monster-rape.com|moreporn.biz|mostsexygirls.com|movierevenue.com|mp3u.com|mpegstation.com|mpzone.net|msie.cc|msie.cc|msie.tv|msr.ms|msupdater.com|msupdater.net|msupdater.org|my-search.cc|my-shemale.com|mymaydayinc.com|mypoiskovik.com|mysearchhome.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/CWS/cwsbyalphanumeric.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - CoolWebSearch"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(n-udd.com|name15.com|nastydollars.com|nativehardcore.com|ne-ebu.com|netcathost.com|netreplicator.com|netsearch.com|nextcunt.com|nikusha.biz|nkvd.us|ntsearch.com|nude-livegirls.biz|nude-sex.org|nude-teens-bodies.com|nude-videochat.biz|nudityforfree.com|nylonerotica.net|nylons-sex.net|\
odysseusmarketing.com|offendale.com|ohmygoodies.com|omega-search.com|onemoresearch.net|online-dialer.com|onlygoodsearch.com|onlysex.ws|opsex.com|outhost.info|\
p-uud.com|pansion.cz|pantycandy.net|pantyhose-inc.com|pantyhose-now.com|pantyhose-site.com|pantynow.com|partypoker.com|passiongalleries.com|perfect-search.info|petite-virgins.biz|petite-women.biz|pics-land.com|pictureheaven.com|pisem.net|pissing-inc.com|pissing-site.com|pizdato.biz|pl-club.com|pluginaccess.com|plumper.biz|popupguard.com|popuptoast.com|porn-mix.com|porno-center.com|porno-inc.com|pornocruto.nu|pornogalaxy.biz|pornrest.com|pornstars-pix.com|pornxxxsearch.com|postforwarding.biz|power-cleaner.com|prague-sex.biz|prague-sex.com|prohor.com|project-21.info|project-twenty-one.info|proupver.com|ptssa.net|pukkasearch.net|punkass.com|qmov.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/CWS/cwsbyalphanumeric.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - CoolWebSearch"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(rape-cool-video.com|rapechaos.com|rapeflare.com|real-pissing.com|reality-porn-site.info|realsearch.ws|redpersonals.com|redtr.com|reinigungfrau.com|removespyware.ru|rf104.com|richfind.com|rise-media.ru|riviera.cc|rootsearch.biz|rosexxxgarden.com|royalsearch.net|runsearch.com|ruspatch.info|russian-hardcore.net|russiankiss.com|ruworld.com|\
s4people.com|s4teens.com|saintsex.com|savantmedia.com|schutz.de|scourweb.net|scumware-remover.org|search-1.net|search-about.net|search-aide.com|search-all.net|search-and-find.net|search-and-go.com|search-and-more.com|search-assist.net|search-biz.cc|search-casino.com|search-center.com|search-control.com|search-direct.net|search-exe.com|search-ing.com|search-network.cc|search-smart.info|search-to-find.com|search-town.net|search-web.cc|searchall.info|searchassistant.net|searchbuckz.com|searchcactus.com|searchcentral.cc|searchduckie.net|searchenhancement.com|searchfeed.com|searchfind.com|searchfind.info|searchgalleries.com|searchhh.com|\
searchit.com|searchmeup.cc|searchmeup.com|searchmiracle.com|searchmyrequest.com|searchnetworks.net|searchpage.cc|searchportal.info|searchtraffic.com|searchv.com|searchx.cc|searchxl.com|searchxp.com|sebastacz.com|secret-keeper.com|seek-all.com|seek2.com|seekio.com|sesupport.com|sevensearch.com|sex.damhost.com|sex3dom.com|sexdeluxe.net|sexinwar.net|sexscn.com|sextoywonderland.com|sexxela.com|sexxx-4you.com|sexxxgate.com|seznam.cz|showebway.com|sidebarsearch.com|sidefind.com|simplyvids.com|slawsearch.com|slotch.com|slotchbar.com|smartbotpro.net|smartdns.org|smartestsearch.com|smartpops.com|smartupdater.com|smoking-erotica.com|smutbitches.com|\
snakevideos.com|softwareoutfit.com|solongas.com|spidersearch.com|spykillerpro.com|spyorgy.net|spywarehelp.net|squirtitinme.com|ssl4all.com|start-page.info|startium.com|startnow.com|stocking-adult-site.com|stripting.com|suck-sex.org|super-finder.info|super-gays.com|super-spider.com|sureseeker.com|surfast.info|sweatysmut.com|swift-look.com|swinger-sex.org|syspage.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/CWS/cwsbyalphanumeric.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - CoolWebSearch"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(t058.com|t34rulit.com|tastycams.com|teen-now.com|teenpyramid.com|teens-adult.com|teens-castle.com|teens-group.com|teens-have-sex.com|teens-hc.com|teensdom.com|teensunion.net|teocash.com|terra.es|thadsadultsuperstore.com|thadsamateurs.com|thadsasians.com|thadsboys.com|thadscandidcamera.com|thadscollegegirls.com|thadsfriends.com|thadshometowngirls.com|thadslatins.com|thadsprivatevideos.com|thadsxratedswingers.com|the-anime.com|the-bdsm.com|the-forex.com|the-hentai.com|the-panty.com|the-pissing.com|the-thumbs.com|the-tranny.com|the-upskirt.com|thebestgallery.net|\
thebestmatures.com|thehan.net|theincest.com|thematurehardcore.com|theparadise.x-y.net|theplayfulwife.com|therealsearch.com|thesexmail.com|thestas.com|thoughtconvergence.com|thumberland.com|thumbs-inc.com|thumbs-land.com|thumbsweb.com|tinybar.com|tonser.4-counter.com|toolbarcash.com|top-searchs.com|topfivesearch.com|topfreeteens.com|topless-sex.com|toprefsys.com|topsearcher.com|topx.cc|topx.cc|trafficjuicer.com|trahvideo.com|trixscripts.com|true-counter.com|trygames.com|trytoimprovesecurity.com|tunders.com|turbofind.com|tv6tut.info|\
u-239.com|ufo365.com|ukr-girls.com|ultrahoster.com|umaxforum.com|umaxlogin.com|umaxsearch.com|unique-porn.com|unitedvending.net|upskirt-inc.com|uralcash.com|us01.xmlsearch.findwhat.com|userlands.com|\
v-224.com|v61.com|v73.us|vestalgirls.com|vicehouse.com|virginz.info|voyeur-group.com|voyeur-inc.com|vse-moe.biz|\
w3matter.com|wallpaperofwomen.com|wandererx.com|wazzupnet.com|web-cams-chat.com|webanalsex.com|webcam-girlsnude.biz|webcoolsearch.com|webcounter.cc|webnymphets.com|websearch.com|wegcash.com|welivetogether.com|wickedgooddeals.com|windowenhancer.com|windowws.cc|windupdates.com|winsellpos.com|wminvest.biz|wofldsex.com|world-hyp.biz|world-search.biz|wwwfinder.net)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/CWS/cwsbyalphanumeric.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - CoolWebSearch"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(x-eroticbabe.com|x-panty.com|x-pissing.com|x-tranny.com|x-upskirt.com|xmatureporn.com|xpehbam.biz|xsby.org|xsex.ws|xxx-goto.net|xxx-pissing.com|xxx-revolution.com|xxx3x.com|xxxdirtylist.com|xxxenjoy.net|xxxgateway.com|xxxmovielinks.net|xxxmyporno.com|\
y3y.net|yellow2.com|yellow500.com|yobta.info|yopta.info|your-gay.com|your-search.cc|your-search.info|your-startpage.com|yourbookmarks.info|yourlesbian.com|yoursearch247.com|yourshemale.com|yoursitebar.com|\
zedo.com|zendmedia.com|zeropopup.com|zesearch.com|zetta-search.com|zlookup.biz|znext.com|ztomb.com|zendmedia.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/CWS/cwsbyalphanumeric.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Cossette Media"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adcentriconline.com|cossette.com)\r\n/"; classtype:trojan-activity; reference:url,privacy.yahoo.com/privacy/us/adservers/print.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - CPM Media"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adscpm.com|adslimitless.com|adultexpressview.com|advolt.com|cpm-media.com|free-scratch-cards.com|freescratchandwin.com|fsc2k.com|hotcry.com|xbloom.com|xzoomy.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windexa.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - CrackedEarth"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(crackedearth.com|cyberzine.com|genieknows.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/CrackedEarth.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - CrushSearch"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(secret-crush.com)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.crushsearch.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - CustomToolbar"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(customtoolbar.com|mojo.com|standardinternet.com|stopannoyingpopups.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/CustomToolbar.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - CWSConyc"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(v73.us)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.cwsconyc.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - CyberHeat"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adremovergold.com|adultcams.com|adwareremovergold.com|bestmovies.com|cartoon69.com|cyberheatinc.com|datashreddergold.com|discountrealitysite.com|discountrealitysites.com|emailspamblock.com|euroteensxxx.com|euroteenxxx.com|evidencecleanergold.com|evidencefree.com|firsttimeswallow.com|firsttimeswallows.com|freehotpics.com|gayblinddates.com|gayblinddatesex.com|gayblinddatexxx.com|gaymaturexxx.com|girlsgetcrazy.com|herfirstanalsex.com|herfirstasstomouth.com|herfirstdp.com|hisfirstanalsex.com|hisfirstgangbang.com|hisfirstgaysex.com|how2enlargepenis.com|how2pickupgirls.com|how2pleaseher.com|iblockpopups.com|ifuckmachine.com|\
internetquicksearch.com|internetquicksearch.net|interracialjoy.com|iquicksearch.com|iquicksearch.net|iteens.com|justfacials.com|livenudevideos.com|modemspeedbooster.com|mysearchhome.com|payperviewsex.com|pcspeedbooster.com|pornstudssearch.com|primenetwork.net|searchbuckz.com|seekio.com|sg08.biz|sporterotica.com|spybloc.com|spyblocs.com|sureseeker.com|surfersuitesoftware.com|topbucks.com|topcash.com|topcashgold.com|twink4cash.com|twinkforcash.com|twinks4cash.com|twinksforcash.com|upayperview.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windexd.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Cyberwire"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(cyberwire.biz|spy-patrol.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Cydoor"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(bns1.net|bns2.net|cms1.net|cms2.net|rgs1.net|rgs2.net|rgs3.net|rgs4.net)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.cydoor.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Cytron"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(cytron.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Cytron.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Cyveillance"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(cyveillance.com)\r\n/"; classtype:trojan-activity;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - DailyToolbar"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(authorizedsearchagents.com|dailytoolbar.com|nichetoolbars.com|topsearchdog.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/DailyToolbar.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - DailyWinner"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(dailywinner.net|prizeentry.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/DailyWinner.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - DealHelper"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(dealhelper.com|sponsor1.com|weather7.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - DeepMetrix"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(deepmetrix.com|ipmonitor.com)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - DialerOffline"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(stripplayer.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/DialerOffline.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - DidTheyReadIt"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(didtheyreadit.com)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - DigitalRiver"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(007arcadegames.com|addictivetechnologies.net|cheatextreme.com|colossalcheats.com|digitalriver.com|gamehouse.com|regnow.com|regsoft.net|topdownloads.com)\r\n/"; classtype:trojan-activity; reference:url,www.bluetack.co.uk/forums/index.php?showtopic=3276;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - DoubleClick"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(doubleclick.(com|net))\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - DownloadLab"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(alltheinternet.com|downloadalot.com|downloadlab.com|searchalot.com|talkingbuddy.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - DownloadPlus"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(tnc4u.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/DownloadPlus.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - DownloadWare"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(fordaleltd.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/DownloadWare.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Dynamic Logic"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(questionmarket.com)\r\n/"; classtype:trojan-activity; reference:url,privacy.yahoo.com/privacy/us/adservers/print.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - e2give"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(e2give.com)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - EasyBar"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(euroklik.nl)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - EasySearch"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(easy-search.biz)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.easysearch.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - eBoz"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(eboz.com|linkbuddies.com)\r\n/"; classtype:trojan-activity; reference:url,privacy.yahoo.com/privacy/us/adservers/print.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Enconfidence"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(enconfidence.com|mydailyhoroscope.net|trafficmp.com|vendaregroup.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Enconfidence.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - eoob"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adp6.co.uk|eoob.us)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - EScorcher"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(escorcher.com)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Esync Design"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(spybot-scan.com|spybot-scaner.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - eUniverse"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(ad-logics.com|crazymates.com|cupidjunction.com|dietingplans.com|ecommercetransactionsllc.com|eunigames.com|euniverse.com|euniverseads.com|expage.com|femaleadvantage.com|flowgo.com|gamecity.net|gamerival.com|gamersblast.com|gamingblast.com|hergameroom.com|increaseyourhealth.com|incredifind.com|intermix.com|keenvalue.com|mycoolscreen.com|myfunstart.com|partner2profit.com|perfectcollectibles.com|sirsearch.com|skilljam.com|thunderdwonloads.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Evidence Eliminator"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(eu-adcenter.net|evidence-eliminator.com)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - eXactSearchbar"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(exactadvertising.com|exactsearchbar.com|mail.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/eXactSearch.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Extreme-DM"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(extreme-dm.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Extreme Tracking"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(123webmaster.com|4free.net|acidcool.com|acidfonts.com|allfreesites.com|angelfire.com|ask.com|bravenet.com|clipart.com|creationengine.com|freakyfreddies.com|freechannel.net|freegraphicland.com|freemaster.it|free-n-fun.com|freesitex.com|freestuffcenter.com|freestuffcentral.com|freestuffer.com|globo.com|go.com|howamazing.com|howstuffworks.com|ichotelsgroup.com|josephsmiller.com|justfreestuff.com|lacetoleather.com|lincolnbeach.com|linktipper.nl|list.ru|lnqs.com|magicmotion.com|mijneigenfavorieten.nl|mijnhomepage.nl|ohio.net|pcfonts.com|proceno.net|prostokvashino.com|rambler.ru|rats2u.com|reachlocal.net|rian.ru|risorsegratis.it|sj1.ru|sj3.ru|sj5.ru|ssanimation.com|stars.com|superiorpics.com|totalfreestuff.com|totallyfreestuff.com|trb.com|tuttogratis.com|tv2.no|utro.ru|versiontracker.com|volition.com|wanadoo.fr|wdvl.com|webclipz.com|webmasterpaste.com|webmaster-risorse.com|webspice.com|webstats4u.com|zabasearch.com)\r\n/"; classtype:trojan-activity;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - EyeBlaster"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(eyeblaster.com|serving-sys.com)\r\n/"; classtype:trojan-activity; reference:url,privacy.yahoo.com/privacy/us/adservers/print.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - eZanga Toolbar"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(ezanga.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - ezCyberSearch"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(ezcybersearch.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/ezCyberSearch.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - EZSearching"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(clicktracking.info|ez-searching.com|findology.com)\r\n/"; classtype:trojan-activity; reference:url,www.securemost.com/articles/trou_3_remove_ezsearching.htm;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - eZula"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(ezula.com|ezulaadvertisingrevenuenetwork.com|servercentral.net)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - FastClick"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adserver.com|fastclick.com)\r\n/"; classtype:trojan-activity; reference:url,privacy.yahoo.com/privacy/us/adservers/print.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Fat Wallet Cash Back"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(anrdoezrs.net|bfast.com|cc-dt.com|cj.com|commission-junction.com|dpbolvw.net|jdoqocy.com|kqzyfj.com|lduhtrp.net|linksynergy.com|qksrv.net|tkqlhce.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - FavoriteMan"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(638725.net|callinghome.biz|nethighlights.net|prize4all.com|r-vision.org|yourspecialoffers.com|zeronpfear.net)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/FavoriteMan.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Findit-Quick Toolbar"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(findit-quick.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - First-Coffee"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(affistats.com|first-coffee.com)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - FlashTrack"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(flashpoint.bm)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/FlashTrack.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Fun Web Products"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(funwebproducts.com|popswatter.com|smileycentral.com|funwebproducts.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Gaster"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(gebr-wachs.de|lords-of-havoc.de)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Gator/GAIN"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(claria.com|gator.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Gator.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Genesis Investment Capital"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(activevideoplayer.com|adservs.com|adultnetsuprise.com|afrosluts.com|allteenvideo.com|amateuracademy.com|analsorority.com|annsxxx.com|asiansizzle.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windexa.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Getup"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(getupdate.com)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.getup.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - GigaISP"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(gigaisp.net|imagesrvr.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - GreatSearch"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(greatsearch.biz)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - HGM Network"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(hgmnetwork.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - HotBar"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(hotbar.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/HotBar.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Httper"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(url404.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Httper.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - HumanClick"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(humanclick.com)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - HuntFly"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(enhancemysearch.com|huntfly.com)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - IBIS"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adwave.com|crawler.com|huntbar.com|ibisglobal.com|ibisit.com|senkypl.com|spywareterminator.com|trafficsyndicate.com|weblizer.com|websearch.com|websearch.net|win-tools.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windexw.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - IEAccess"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(electronic-group.com|sex-explorer.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/IEAccess.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - IEDriver"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adsrve.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/IEDriver.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - IEStart"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(istarthere.com)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - IETray"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(search-aide.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/IETray.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - IGetNet"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(firstphrase.com|igetnet.com|ignkeywords.com|keywordmediainc.com|plugusin4cash.com|qcksearch.com|rspsearch.com|searchresult.net|webservicehost.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/IGetNet.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - ILookup"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(abroadsoftware.com|crazyprotocol.com|eaffiliateinc.com|globaltoolbar.com|globalwebsearch.com|i-lookup.com|iclicks.net|searchbus.com|superwebsearch.com|traffichog.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/ILookup.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - IMR Worldwide"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adrelevance.com|imrworldwide.com|nielsen-netratings.com|redsheriff.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - InetSpeak"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(eboom.com|musicmagnet.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/InetSpeak.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Insight Express"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(insightexpress.com)\r\n/"; classtype:trojan-activity; reference:url,privacy.yahoo.com/privacy/us/adservers/print.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Internet Optimizer"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(avenuemedia.com|internet-optimizer.com|internetoptimizer.com|movies-etc.com|yoogee.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/InternetOptimizer.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Interpolls"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(interpolls.com)\r\n/"; classtype:trojan-activity; reference:url,privacy.yahoo.com/privacy/us/adservers/print.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - IPInsight"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(clickalchemy.com|ipinsight.com|ipinsight.net)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/IPInsight.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - ISTbar"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(blazefind.com|gammacash.com|isearchtech.com|my-internet.info|skoobidoo.com|slotch.com|toolbarcash.com|vpptechnologies.com|xxxtoolbar.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/ISTbar.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - iWon"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(artisticsmiley.com|artistssmiley.com|blastdirect.com|board-smiley.com|boardsmiley.com|boardsmileys.com|centersmiley.com|chat-smiley.com|chat-smileys.com|classicsmiley.com|comicsmileys.com|creativesmiley.com|cursormania.com|directsmiley.com|email-smileys.com|greatsmiley.com|happiest-faces.com|historyswatter.com|i1img.com|iluvsmileys.com|imgfarm.com|ismileys.com|iwon.com|mycomputersearch.com|myfastinternet.com|myformfiller.com|mymailnotifier.com|mymailsignature.com|mymailstamp.com|mymailstationary.com|mysafesurfer.com|mysearch.com|myspamswatter.com|mywalletpal.com|myway.com|mywaysearch.com|mywebsearch.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windext.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - iWon"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(netsmileys.com|pcsmileys.com|popswat.com|popswatter.com|popularscreensaver.com|popularscreensavers.com|realsmiley.com|smiley-4you.com|smileyartists.com|smileycentral.com|smileycentral.org|smileycentralsucks.com|smileyconnect.com|smileydirect.com|smileydirectory.com|smileyforyou.com|smileyglobal.com|smileyhit.com|smileykey.com|smileylink.com|smileys-4you.com|smileys-central.com|smileys-links.com|smileys-market.com|smileys-world|smileys4you.com|smileysallstars.com|smileysbusiness.com|smileyscafe.com|smileyscustomheaders.com|smileysdomain.com|smileyservers.com|smileysfinest.com|\
smileyshields.com|smileyshouse.com|smileysinamerica.com|smileysnet.com|smileysoutlet.com|smileyspeople.com|smileyspicks.com|smileysplaces.com|smileysscooters.com|smileyssite.com|smileyssounds.com|smileyssuck.com|smileystart.com|smileystock.com|smileystudios.com|smileystuff.com|smileysucks.com|smileysurvey.com|smileysweb.com|smileysworld.com|spin4dough.com|thesmileyshop.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windext.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - John Happy"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(johnhappy.com|spyact.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - JungleBee"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(junglebee.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Kelsey Kennedy"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(yourpoiskovik.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Klipmart"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(klipmart.com|kliptracker.com)\r\n/"; classtype:trojan-activity; reference:url,privacy.yahoo.com/privacy/us/adservers/print.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - KMGI"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(eliminatespam.com|kmgi.com|popupbuster.net)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windexp.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - le WEB"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(pasqualina.com|sara-freder.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windexs.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - LeadCrunch"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(leadcrunch.com)\r\n/"; classtype:trojan-activity;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Linkbot"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(anna.homeftp.net)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - LinkReplacer"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(wcft.net)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/LinkReplacer.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Locator"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(locators.com)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.locator.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Lop"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(aavc.com|acjp.com|active-max.com|chaostic.com|crap2.com|cybergirlsex.com|ebch.com|ebdv.com|ebdw.com|ebjp.com|ebkn.com|ebky.com|eblv.com|ebmu.com|ebvr.com|ecmh.com|ecpm.com|ecwz.com|ecyb.com|edonkey.com|eduy.com|eeev.com|farse.com|find-quick.com|hadassahyouth.com|ibmx.com|icwb.com|icwo.com|icwp.com|iddh.com|idhh.com|ifiz.com|iguu.com|maxexp.com|maximumexperience.com|mp3heaven.org|mp3search.com|mp3sound.com|msgplus.net|msgpluszone.com|mysearchnow.com|ohyea.org|patchou.com|samz.com|saoe.com|sbjr.com|sbnl.com|sbnt.com|sbvr.com|scbm.com|sckr.com|scrk.com|sdry.com|searchweb2.com|searchwebnow.com|seld.com|sfux.com|\
sheat.com|sipo.com|smds.com|spawnet.com|srib.com|srox.com|srsf.com|ssaw.com|ssby.com|surj.com|tbvg.com|tdak.com|tdko.com|tdmy.com|tefs.com|tfil.com|thko.com|tjar.com|tjaw.com|tjdo.com|tjem.com|tjgo.com|torc.com|trinityacquisitions.com|wabq.com|wabu.com|wbkb.com|wfix.com|wflu.com|wrn.net|xcx.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/lop.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - LoudMarketing"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(loudmarketing.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Lyred"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(lyred.com|lyricsdomain.com|lyricsdownload.com|trojans-pictureheaven.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Maddis Worm"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(proxylist.biz|proxylist.com.ru|proxylist.com.ua|proxylist.ru)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MagicControl"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(nocreditcard.com|secure-firewall.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/MagicControl.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MamboMarket"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(jiveposters.com|mambomarket.com|megacgi.com|megaphp.com|officemambo.com|spendbling.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Mamma Media"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(mamma.com|targetnet.com|targetnet.com)\r\n/"; classtype:trojan-activity; reference:url,www.bluetack.co.uk/forums/index.php?act=Attach&type=post&id=25392;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MarketScore"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(marketscore.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/MarketScore.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MasterDialer"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(masterdialer.de|masminutos.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/MatrixDialer.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MaxOnline"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(maxonline.com)\r\n/"; classtype:trojan-activity;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Mediaplex"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(mediaplex.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MediaTickets"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(buddylinks.net|mediatickets.net|psdtools.com|wgutv.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/MediaTickets.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MediaUpdate"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(invictus-networks.com|media-update.com|stop-pops.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/MediaUpdate.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Megalithusa"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(megalithusa.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MegaSearch"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(alexa.com|instafinder.com|megasearchbar.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/MegaSearch.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Meridian"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(tbicorporation.com|thumbsnatcher.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Meridian.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MindsetInteractive"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(1000funnyvideos.com|aadcom.com|addictiveplay.com|addictivetechnologies.com|at-funnyvideos.com|at-games.com|at-games.com|at-offers.com|at-screensavers.com|at-talk.com|broadspring.com|f1organizer.com|f1organizer.net|favorites1.com|favorites1.net|freebiesareus.com|freebiesrus.com|giantfreebies.net|mindseti.com|mindsetinteractive.com|myprizes.net|netpalgames.com|netpalnow.com|netpaloffers.net|onadsolutions.com|vistainteractivemedia.com|vistainteractivemedia.net|spywarelabs.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, adbonus.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adbonus.com)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, adcept.net"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adcept.net)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, adcipta.net"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adcipta.net)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, add-aware.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(add-aware.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, adtrak.net"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adtrak.net)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, advnt01.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(advnt01.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, aknet.net"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(aknet.net)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, buysmarter.com"; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(buysmarter.com)\r\n/"; classtype:trojan-activity;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, callbackgsm.biz"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(callbackgsm.biz)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, chicagowebs.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(chicagowebs.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, clickthrutraffic.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(clickthrutraffic.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, condorinvestigations.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(condorinvestigations.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, datapipe.net"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(datapipe.net)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, easyxxxmovie.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(easyxxxmovie.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, engagingphotos.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(engagingphotos.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, flyordie.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(flyordie.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, foxik.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(foxik.com)\r\n/"; classtype:trojan-activity; reference:url,www.mvps.org/winhelp2002/hosts.txt;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, free-spy-scan.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(free-spy-scan.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, freespyscan.org"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(freespyscan.org)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, fuze.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(fuze.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, godesktop.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(godesktop.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, iowrestling.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(iowrestling.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, jurgita.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(jurgita.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, letssingit.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(letssingit.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, lop12a5.org"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(lop12a5.org)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, lsjmp.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(lsjmp.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, luckyfinder.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(luckyfinder.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, porn385.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(porn385.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, rangeva.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(rangeva.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, rd00.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(rd00.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, rd05.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(rd05.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, rev0lt.net"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(rev0lt.net)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, revenue.net"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(revenue.net)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, sexymagnet.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(sexymagnet.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, smart-security.info"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(smart-security.info)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, smartcomparisons.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(smartcomparisons.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, speedylearning.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(speedylearning.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, spy-deleter.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(spy-deleter.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, spymag.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(spymag.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, spynuker-review.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(spynuker-review.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, spyremoversreview.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(spyremoversreview.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, spywarehub.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(spywarehub.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, virus-removal--portal.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(virus-removal--portal.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, vote2004today.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(vote2004today.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MISC, xeec.com"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(xeec.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Mitglieder"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(abc517.net|abc986.net|amillo.net)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.mitglieder.h.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - ModernConsumer"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(modcon.net|modserv.net)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - ModernEmpire"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(modernempire.com|spybegone.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Monster Worldwide"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(tickle.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MoreResults"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(findwhat.com|moreresults.net)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/MoreResults.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MyDoom"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(il-legno.it|masteratwork.com|mercyships.de|professionals-active.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MyGeek"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adondirect.com|adonnetwork.com|adontext.com|expandsearch.com|featurednetwork.com|featuredsitenetwork.com|featuredsitesnetwork.com|mygeek.com|mygeek.net|mygeekdirect.com|mygeekpro.com|mygeeksearch.com|search-o-matic2000.com|searchcentrix.com|searchmethods.com)\r\n/"; classtype:trojan-activity;reference:url,www.webhelper4u.com/watcher/windexs.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - MyPageFinder"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(mypagefinder.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/MyPageFinder.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - NationalNet"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(national-net.com|spythis.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - NeoToolbar"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adult-empire.com|gfhjkhgi.biz|happynewyear.biz|neo-toolbar.com|searchbar.info)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/NeoToolbar.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - NetFlip"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(etflip.com|expertsoncredit.com|metareward.com|metarewardmail.com|misterpoints.com|movieticketsource.com|starclubrewards.com|topfreegifts.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windext.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Network Essentials"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(media-search.net|medialoads.com|search-exe.com|searchenhancement.com|smartpops.com|windowenhancer.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/NetworkEssentials.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - NewDotNet"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(findsall.info|firstlook.com|new.net|new.tech|newdotnet.net|qsrch.com|spystormer.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Nextag"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(nextag.com)\r\n/"; classtype:trojan-activity; reference:url,privacy.yahoo.com/privacy/us/adservers/print.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - NHI Networks"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(spazbox.net)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - NicTech"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(a-d-w-a-r-e.com|ad-w-a-r-e.com|admedian.com|bettinghall.com|bundleware.com|cutteststudents.com|debteraser.org|deskbarads.com|desktopvillage.com|flashmyass.com|gnutellaaccelerator.com|greekorgeek.com|homeandloanservices.com|homeqs.com|homequityservices.com|hotteststudents.com|kickbackspam.com|kudd.com|look2me.com|look2me1.com|look2me2.com|look2me4.com|nictechnetworks.com|rubbergum.com|similarsingles.com|spotonnews.com|spyban.com|studylater.com|thindivide.com|thirdeyecon.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windext.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - NoAdware"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adwarehitman.com|dbxml.org)\r\n/"; classtype:trojan-activity; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - NowBox"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(nowbox.com|vflash.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/NowBox.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Nyam"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(nyam-nyam.biz)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - OMI"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(omi-update.com)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.omi.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - OnlineDialer"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(0190-dialer.com|4netmedia.com|dialerssolution.com|libereco.net|online-dialer.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/OnlineDialer.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Opstal"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(abc-archive.com|adaware-no.com|allcleaner.com|anti-spyware-info.com|cleanup-adware.com|computer-inspector.com|convertdvd.info|copycd.net|directsub.com|downloadaccelerator.info|downloadsnet.com|downloadsnet.info|dswnet.com|dvdconverter.net|dvdx-pro-no.com|enova.nl|eurosoftware.info|freesaver.net|freeware.cc|freeware2000.com|herder.net|keyrobot.com|kids-downloads.com|lockfolder.net|maxnetspeed.com|microsoft-ware.com|midicenter.com|msn-avatar.com|netpurity.info|pc-cleaner.info|personal-firewall.info|php-cgi.com|realclicks.com|removepopup.com|screen-mates.com|sendcard.info|smartuninstaller.com|softhunt.com|\
software-downloads.biz|spycleaner-gold.com|spycleaner.net|startfiles.com|startpage2000.com|subloads.com|subloads.net|subloads.org|top-review.com|tucows-mirror.com|turboconnect.org|turbomemory.com|tweakgenie.com|uploadnet.com|uravbank.com|van-opstal.com|virtualcoder.com|virtualcoder.net|wallpapers.org|windowsinspector.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/indexmainfrm.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - OptinRealBig"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(aa04.com|aimforums.com|aimgraphics.com|aimphuck.com|allchickswithdicks.com|amateurporn4free.com|analslammers.com|auctionsnap.com|auctionwhiz.com|avalanche-gifts.com|bashapop.com|betterbodys.com|bigfreeprizes.com|bluerocketonline.com|bodyimprover.com|c4c01.com|cash4creatives.com|cpaempire.com|cpaempire.com|cuterteen.com|dogeinstein.com|easycream.com|eatmypussyright.com|ebaygenius.com|free-present.com|funamateur.com|gamescum.com|getgasfree.com|greatcarrates.com|hugermelons.com|imbum.com|imbum.net|imbum.org|innatrocksprings.com|jayswebservice.com|joketrade.com|megaiconsite.com|moosq.com|mysteryoftarot.com|\
netfuncards.com|optinbig.com|optinrealbig.com|pillsofpleasure.com|re-direct-ss01.net|realbigcash.com|realbighosting.com|realcheapgifts.com|redhotwonders.com|saverealbigdeals.com|scott-richter.com|smallnsexy.com|ss01.net|sumopimp.com|tekmailer.com|tomuchdick.com|tracking101.com|viralgizmo.com|whackapop.com)\r\n/"; classtype:trojan-activity; reference:url, www.webhelper4u.com/watcher/indexmainfrm.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Overpeer"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(overpeer.(com|net))\r\n/"; classtype:trojan-activity; reference:url,p2pnet.net/story/3421;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - PAL"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(1spybot.com|1spyware-removal.com|adwarebgone.info|adwarespyware.net|cybergations.com|online-spybot-scan.com|online-spyware-scan.com|palsol.biz|palsol.com|palsol.net|paltek.net|petspatrol.com|shmyl.com|spy-bot.com|spy-spyware.com|spybot-scan.com|spybot-scanner.com|spybot-spyware-removal.com|spybot-virus-scan.com|spybotsd.com|spyware-remover-software.net|spyware-virus-remover.com|spyware-virus-scan.com|spyware1.com|spywarefinder.net|spywarekiller.us|spywarescout.com|spywarethis.com-xp.com|trojan-virus-scan.com|win-fix.com)\r\n/"; classtype:trojan-activity; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - ParetoLogic"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(paretologic.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Pave Blue"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(paveblue.com|thecoolbar.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - PayPopup"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(paypopup.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - PC MightyMax"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(pcdocrx.net|pcmightymax.net)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Peel Networks"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(peel.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Peer 1"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(peer1.(com|net))\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Pennyweb"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(addynamix.com)\r\n/"; classtype:trojan-activity; reference:url,privacy.yahoo.com/privacy/us/adservers/print.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - PerfectNav"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(euniverse.com|perfectnav.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/PerfectNav.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - PerMedia"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(friend-greeting.com|friendgreetings.com|laugh-mail.com|permissionedmedia.com|us-downloads.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/PerMedia.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Pilosoft"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(pilosoft.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Planning Group"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(bridgetrack.com|planninggroup.com)\r\n/"; classtype:trojan-activity; reference:url,privacy.yahoo.com/privacy/us/adservers/print.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - PnPSvc"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(a-search.biz)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Pointroll"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(pointroll.com)\r\n/"; classtype:trojan-activity; reference:url,privacy.yahoo.com/privacy/us/adservers/print.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Possible MySearch Install"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(mgshareware.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/MySearch.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - PowerStrip"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(coolgreeksoftware.com|thepowerstrip.com|verschk.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/PowerStrip.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Praize"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(praize.com)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.praize.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Privacy Defender"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(pcsecurityshield.com|pcsecuritywall.com|pctoolworks2004.com|pctoolworks2005.com|threatlevel.com)\r\n/"; classtype:trojan-activity; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Privacy Software Report"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(privacysoftwarereport.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Privacy Tools 2004"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(kount.com|privacytools2004.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - PSN"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(ie.search.psn.cn)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.psn.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Pugi"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(findwhatevernow.com|masterbar.com|qidion.com|search-explorer.com|searchit.com|thought.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Pugi.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - QuickFlicks"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(m11.com|quickflicks.com|streamexchange.com|streamingcash.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/SVAPlayer.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - RapidBlaster"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(rapidblaster.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/RapidBlaster.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - RCPrograms"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(rcprograms.com)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.rcprograms.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Realsearcher"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(countere.com|realsearcher.com|s-redirect.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Referad"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adultbizboards.com|adultnetsurprise.com|adultwebmastergold.com|adultwebmasterinfo.com|adultwebmasterworld.com|boards.xbiz.com|cozycampus.com|crutop.nu|femalewebmasters.com|gofuckyourself.com|luxuru.com|master-x.com|oprano.com|pornojunkies.com|shutthefuckup.com|spamboards.com|xnations.com)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.referad.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - RelatedLinks"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(relatedltd.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/RelatedLinks.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - RichFind Possible Install"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(searchfind.info)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/RichFind.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - RichFind"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(mb-tv.com|richfind.com|searchinfo.com|traffic-stock.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/RichFind.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Riversoft"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(riversoftware.net)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.riversoft.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Roimoi"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(climaxbucks.com|dynamicdesktopmedia.com|invinc.com|media-motor.com|popuppers.com|rfwnad.com|ringfield.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Roimoi.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Round Up 4 Network"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(poindextersystems.com|ru4.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - RXToolbar"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(searchenginebar.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/RXToolbar.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Sanford Wallace"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(freevegasclubs.com|passthison.com|spydeleter.com)\r\n/"; classtype:trojan-activity; reference:url,netrn.net/spywareblog/archives/2004/10/11/evil-genius-or-just-a-genius/;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Satbo"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(1234.2bro.com)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.satbo.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SaveNow"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(trafficvendors.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/SaveNow.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Scanspy.net"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(scanspy.net)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SearchAndBrowse"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(oversee.net|searchandbrowse.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/SearchAndBrowse.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Searchex"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(searchex.com|valentines-ecard.com|winstream.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Searchex.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SearchSeekFind"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(onwebmedia.com|searchseekfind.com)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchseekfind.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SearchSpace"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(search-space.cc)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchspace.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SearchSprint"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(emailrouters.com|errorplace.com|hi-results.com|roings.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/SearchSprint.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SearchSquire"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(searchsquire.com)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchsquire.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SearchWWW"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(cjb.net|searchwww.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/SearchWWW.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SecondThought"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(2nd-thought.com|accessplugin.com|pluginaccess.com|pornnno.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Setup Factory"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(indigorose.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - ShopNav"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(drsnsrch.com|grandstreetinteractive.com|shopnav.com|srng.net|webservicehost.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/ShopNav.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Sidesearch"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(sidesearch.lycos.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Sidesearch.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SideStep"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(sidestep.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SmartBrowser"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(smart-browser.com|tibsystems.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/SmartBrowser.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SmartestSearch"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(smartestsearch.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/SmartestSearch.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SpotResults"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(spotresults.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SpyAssassin"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(spyassassin.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SpyBlast"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(advertising.com|spyblast.com|teknosurf.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/SpyBlast.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SpyCop"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(spycop.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SpyFerret"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(onlinepcfix.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SpyHunter"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(enigmasoftwaregroup.com|spywareremove.com|uninstallxupiter.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SpyKillerPro"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(spykillerpro.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Spyware Stormer"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(errorguard.com|spywarestormer.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SpywareCleaner"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(checkforspyware.com|spw2a.com|spw2f.com|spw3e.com|spw4.com|spw8.com)\r\n/"; classtype:trojan-activity; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SpywareRemovalUtilities"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(spywareremovalutilities.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SpyWiper"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(mailwiper.com)\r\n/"; classtype:trojan-activity; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SSPPYY"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(ssppyy.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Stanmore Media"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(systemsoap.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windexs.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - StarDialer"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(mainpean.de|stardialer.de)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/StarDialer.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - StartPage"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(absoluagency.com|taretsearch.info)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.startpage.h.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - StripPlayer"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(strip-player.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/StripPlayer.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SubSearch"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adscholar.com|dothesearch.com|hightrafficads.com|popunder.info)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/SubSearch.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Supaseek"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adstats.com|pzest.com|supaseek.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Supaseek.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - SuperSpider"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(cc20foreva.com|greg-search.com|greg-tut.com|kitasearch.com|mig29here.com|super-spider.com|swapx.cc|t34rulit.com|thestas.com|win-eto.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/SuperSpider.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Surfairy"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(divago.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Surfairy.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - The-Spyware-Review"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(the-spyware-review.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - TIBS Inc."; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(rpiffs.com|tibssystems.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Ting"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(78ting.com)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.ting.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - TinyBar"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(allcybersearch.com|clickyestoenter.net|errorpage404.com|gocybersearch.com|iseekresults.com|jethomepage.com|jetseeker.com|ourlinklist.com|searchaccurate.com|tinybar.com|topclicks.net|topsearcher.com|traffic4sure.com|trixscripts.com|wowsearch.com|ysearchus.com|znext.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/TinyBar.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - ToolbarCC"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(toolbar.cc)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/ToolbarCC.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - TopConverting"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(crazywinnings.com|topconverting.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/TopConverting.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - TOPicks"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(topicks.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/TOPicks.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - TopMoxie"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(bonussavingscenter.com|dealsters.biz|dealsters.(com|net|org|us)|e-bates.com|ebates.(biz|com|info|net)|erebates.(com|org|us)|sysupdates.com|topmoxie.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windext.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Traffix"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(aavalue.com|atlasautomotivegroup.com|atlascreditgroup.com|atlasincomebuilder.com|clearflow.com|clickhelp.net|dataoffers.com|entertainmentrewards.com|groupconfirm.com|grouplotto.com|hotmatch.com|imatchup.com|jewelclaimcenter.com|pickoftheweb.com|prizeamerica.com|prizecade.com|quintel.com|supernamehosts.com|takeoneentertainment.com|thanksmuch.com|thebargainspot.com|traffixinc.com|txnet.us)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Transponder.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Transponder"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(abetterinternet.com|adblock.com|amazingmerchants.com|bc777.com|bestoffers.bz|blackstonedata.net|btgrab.com|callinghome.biz|celticfestival.org|cleangetaway.biz|clickalchemy.com|clicknvote.com|cliks.org|conscorr.com|conscorr.com|cosmicvillage.com|cosmicvillage.com|digitalrooster.com|direct-revenue.com|disk11.com|ec16.com|farmmext.com|flashtalk.com|foobar.com|freephone.cc|hostpool.com|hostpool.net|idivination.com|insightpartners.com|ipinsight.(com|net)|letssearch.com|linkz.com|\
localnrd.com|localnrd.com|magicalneeds.com|magickalneeds.com|msview.cc|multimpp.com|munky.com|mx-targeting.com|mypanicbutton.com|mypctuneup.com|\
n69.com|nameadministration.com|offeroptimizer.(biz|com)|optinemailservices.com|pantyland.com|phoenixgrp.com|powweb.com|quicklaunch.com|rowntree.net|rowntreephotography.com|searchrabbit.com|skinhead.com|smartcasual.com|sohodigital.net|spanking-epics.com|spankingepics.com|sssh.com|steelwool.com|stop-popup-ads-now.com|thinkingmedia.net|top10sites.com|tps108.org|trafficmp.com|truedata.org|twain-tech.com|vx2.cc|vx2.org|wasteland.com|webdream.com|wincognito.com|zserv.biz)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Transponder.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - TrekEight"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adaaware.com|adawae.com|adawair.com|adgoblin.com|adsware.com|advancedsoftwaresupport.com|advancedsoftwaresupport.com|aksoftware.com|blazinglogic.com|bluehavenmedia.com|bubblycastle.com|christinealt.com|clickeight.com|crazydrinks.com|cursorgizmo.com|dategizmo.com|dategizmo.net|datesgizmo.com|datinggizmo.com|datinggizmo.net|datingizmo.com|datingizmo.net|em5000.com|errornuker.com|evidencenuker.com|gamesource101.com|gigatechsoftware.com|greasycow.(com|net)|hackernuker.com|i5interactive.com|jl29jd25sm24mc29.com|leadgreed.com|lionsprideenterprises.com|mc29rys1.com|naughtynuker.com|netsource101.com|no-pops.com|no-pops.net|nopop.biz|nopop.net|nopops.org|nuker.com|pcorion.com|phonebilleliminator.com|phonebillnuker.com|popup-nuker.com|porn-gizmo.com|rankyou.com|recipe-network.com|ryadsdelivserv.com|sailhousepublishing.com|sexebits.com|softwareds.com|spamnuker.com|spicycomet.com|spycide.com|spyhear.com|spyhear.net|spynuker.com|spyraid.com|spywarenuker.com|srv2cpt.com|ta26lita.com|thomasdover.com|topeleven.net|trek8.com|trek8games.com|trekblue.com|trekdata.com|trekeight.com|twistedhumor.com|txetmodnar.com|warplist.com|wayweird.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windexw.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - TripAdvisor"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(tripadvisor.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - TruEffect"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adlegend.com|trueffect.com)\r\n/"; classtype:trojan-activity; reference:url,privacy.yahoo.com/privacy/us/adservers/print.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Tubby"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(makemesearch.com|othersearch.com|search-control.com|thenewsearch.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Tubby.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - TVMedia"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(centralmedia.ws|totalvelocity.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/TVMedia.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - UControl"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(aluriasoftware.com)\r\n/"; classtype:trojan-activity; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - UCSearch"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(armbender.com|zuvio.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/UCSearch.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Ultimate Search"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(spyjournal.com|ultimatesearch.com|ultsearch.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - UniCast"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(dmpi.net|unicast.com)\r\n/"; classtype:trojan-activity; reference:url,privacy.yahoo.com/privacy/us/adservers/print.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - ValueClick"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(adware.com|clickagents.com|valueclick.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - ValueHost"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(ilxq.net|valuehost.ru)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Vanish"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(vanishonline.com)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.vanish.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - VCatch"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(minutegroup.com|vcatch.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Vendare Group"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(econfidence.com|econfidence.net)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windexe.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Video Banner"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(videobanner.com)\r\n/"; classtype:trojan-activity; reference:url,privacy.yahoo.com/privacy/us/adservers/print.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - VirtuMonde"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(virtumonde.com)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.virtumonde.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Visicom Media"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(visic.com|visicommedia.com|vmn.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windexv.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Weatherbug"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(aws.com|weatherbug.com|weatherbugmedia.com)\r\n/"; classtype:trojan-activity; reference:url,computercops.biz/postt90331.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Web Clients"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(airfare4free.com|allfreethings.com|allthefunthatsfittoprint.com|americanbeautysweepstakes.com|bargainbetsy.com|bonappetitusa.com|booksformykid.com|bounty-coupons.com|bounty-coupons.net|bounty-coupons.org|bountycoupons.org|brandnameoffers.com|buildmyassets.com|bullseye-media.net|buyerblowout.com|cabonuscard.com|chargecards.com|cleanpc4free.com|cleansweep4free.com|cleverweb.com|click-123.com|clickaffiliate.com|clickfire.com|coffeemaker4free.com|consumer-alert.net|consumerhorizon.com|digitalcamera4free.com|dineoutfreetoday.com|directscholar.com|dollargiftcard.com|ehealth-click.net|electronicsonus.com|elpath.com|entertainmentclick.com|everythingforthehomenews.com|ezrefinance.net|\
fabulousoffers.com|financenewscenter.com|financeonlinenews.com|financial-cents.net|financial-improvement.com|floridadegrees.com|free-americanflags.com|free-americanflags.net|free-bracelet.com|free2try.com|free2try.net|freediabeticmeter.com|freedinnercard.com|freeflicktix.com|freegreenxbox.com|freehornygoatweed.com|freeminidv.com|freemoviemayhem.com|freenightonthetown.com|freerazorzone.com|freestuff4me.com|freeticketcentral.com|freeticketcentral.net|freeticketcentral.org|freeticketscentral.com|freeticketscentral.net|freeticketscentral.org|freetiffanybracelet.com|freetoysforyou.com|freewrinklecream.com|funjokes.com|getafreemixer.com|getfreegas2go.com|gethomejobs.com|getthegamefree.com|giftcardsonus.com|goodiebag4u.com|goodtimes-usa.com|guardyourpc.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windexa.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Web Clients"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(h2sweepstakes.com|higherlearningnetwork.com|homeofthefreeonline.com|homeofthefreeonline.net|hotdealdispatch.com|hugecashgiveaway.com|i-dealdirect.com|i-learning247.com|ilovefreefood.com|iraqismostwanted.net|iwantfreemakeup.com|jumpinjackdeals.com|killercareer.com|learningquest.org|leisure4all.com|lingerie4free.com|listshare.com|masters4success.com|moviesonus.com|movieticketscentral.com|movieticketscentral.net|movieticketscentral.org|mustangsweeps.com|myfreeportal.com|ohmypod.com|onlinescholarsnews.com|opportunity247.com|popupnation.com|redtagoffers.com|refinance-now.org|remodel4free.com|restaurantsonus.com|saveatthepump.com|savingsgazette.com|savingsnexus.com|sharehealthinfo.com|shoppingcritics.com|simplyfreegiftcards.com|starhomebusiness.com|\
thefreegrill.com|thekaplanadvantage.com|thelearningclick.com|theoemplace.com|tophotoffers.com|tophotoffers.net|totalprofiting.com|trial-offers.com|truckgiveaways.com|twisterstuntcar.com|ultimatedebtelimination.com|useyourcents.com|valuedispatch.com|valueobserver.com|voicenetplus.com|web-clients.com|web-clients.net|webclients.com|webclients.net|webhomenews.com|websponsors.com|wellness-101.com|welnessweeklyreport.com|winafreeplasmatv.com|winbigcentral.com|winbigcentral.net|winticketcentral.com|winticketcentral.net|winticketcentral.org|workathomeenews.com|worklessnow.com)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windexa.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - webHancer"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(webhancer.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/webHancer.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Wengs"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(3721.com|we.cn.gs)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.wengs.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Whazit"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(cerials.net|trinsic.org|whazit.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Whazit.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - WhenU"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(clock-sync.com|findmyweather.com|getclocksync.com|getweathercast.com|stetmail.com|syncyourclock.com|whenu.com|whenubuild.com|whenubuy.com|whenuchat.com|whenuclock.com|whenucook.com|whenudecorate.com|whenuincorporate.com|whenuinvest.(com|net)|whenulearn.com|whenumail.com|whenurelax.com|whenuretire.com|whenusearch.com|whenushop.(com|org)|whenusleuth.com|whenusurf.(com|net)|whenutravel.(com|net)|whenuweathercast.com|whenyou.com|\
whenyoubuild.com|whenyoubuy.com|whenyoucook.com|whenyoudecorate.com|whenyouinvest.com|whenyousearch.com|whenyoushop.com|whenyoushop.org|whenyousurf.com|whenyoutravel.net|whereuinvest.net)\r\n/"; classtype:trojan-activity; reference:url,www.webhelper4u.com/watcher/windexw.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - WhistleSoftware"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(whistlesoftware.com|wsel.net)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - WildMedia"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(ads234.com|hpwis.com|midaddle.com|netspry.com|overpro.com|playminigolf.com|playstation3extreme.com|statblaster.com|wildarcade.com|yellow-sticky.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/WildMedia.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Wink"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(fassia.net|oll11iz0oil-ol.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Wink.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Winshow"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(00hq.com|8ad.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Winshow.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Winupie"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(dugoto.com|tradeexit.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Winupie.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - World Market Watch"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(visitorville.com|wmw.com)\r\n/"; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - WurldMedia"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(xnef.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/WurldMedia.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Xupiter"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(browserwise.com|cashclicks.com|dealhelper.com|fastfind.org|freewebupgrades.com|i-lookup.com|nudelink.com|orbitexplorer.com|ranchpussy.com|searchspotter.com|searchwho.com|sexhungry.com|sponsor1.com|sqwire.com|timesynchronize.com|triple-input.com|weather7.com|xjupiter.com|xupiter.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Xupiter.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Yahoo Search Marketing"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(overture.com)\r\n/"; classtype:trojan-activity; reference:url,privacy.yahoo.com/privacy/us/adservers/print.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - ZioCom"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(lzio.com)\r\n/"; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.ziocom.b.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Zipclix"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(popupblockade.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Zipclix.html;)
#
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE - Zyncos"; flow:established; content:"Host\:"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(cnctag.com|pornfoto.com)\r\n/"; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Zyncos.html;)
#