alert udp $HOME_NET any -> $EXTERNAL_NET 123 (msg:"MALWARE-CNC Win.Trojan.Zeroaccess variant outbound connection"; flow:to_server; content:"GN"; depth:2; metadata:policy security-ips drop, service ntp; classtype:trojan-activity; sid:26932; rev:2; )
In the above, if the IPS observes "GN" in the packet data, it will block it and throw an alert.
Does this indicate that the source is affected by any malware/trojan? I don't see any reference here.
While researching or learning, I observed that Trojan.ZeroAccess is described as below.
Trojan.Zeroaccess is a Trojan horse that uses an advanced rootkit to hide itself. It can also create a hidden file system, download more malware, and open a back door on the compromised computer.
The Trojan is called ZeroAccess due to a string found in the kernel driver code that is pointing to the original project folder called ZeroAccess. It is also known as max++ as it creates a new kernel device object called __max++>.
Please help to analyse this alert.
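To see exactly what the rule in the question fires on, here is an added example (not from the post, Snort, or any vendor) that re-implements the rule's match conditions in Python and runs them over constructed packets; HOME_NET, the addresses and the payloads are assumptions made up for the illustration. It shows that the rule matches only on the two-byte "GN" marker at the start of the UDP payload, that a normal NTP client request never carries that marker, and that a match by itself says nothing more about the host than "this marker was seen".

```python
# Condensed view of the rule under discussion: UDP from HOME_NET to
# EXTERNAL_NET port 123 (flow:to_server), payload must start with the
# bytes "GN" (content:"GN"; depth:2;). HOME_NET is an assumed value.
HOME_NET = "10.0.0."
DST_PORT = 123
PATTERN = b"GN"
DEPTH = 2

def rule_matches(pkt):
    """Apply the rule's conditions to one constructed packet dict."""
    if pkt["proto"] != "udp" or pkt["dport"] != DST_PORT:
        return False
    # HOME_NET -> EXTERNAL_NET only; an inbound "GN" packet is not alerted
    if not pkt["src"].startswith(HOME_NET) or pkt["dst"].startswith(HOME_NET):
        return False
    # depth:2 restricts the search to the first 2 payload bytes, so a
    # 2-byte pattern can only match at offset 0
    return PATTERN in pkt["payload"][:DEPTH]

def ntp_client_request():
    """A legitimate 48-byte NTPv4 client request. Its first byte packs
    LI=0, VN=4, Mode=3 -> 0x23 ('#'), so it can never begin with 'G'."""
    return bytes([0x23]) + bytes(47)

def analyse(pkts):
    """Return the notes of the packets that would raise the alert."""
    return [p["note"] for p in pkts if rule_matches(p)]

SAMPLE_PACKETS = [  # constructed traffic for the example, not a capture
    {"note": "real NTP sync", "proto": "udp", "src": "10.0.0.5",
     "dst": "192.0.2.10", "dport": 123, "payload": ntp_client_request()},
    {"note": "GN-prefixed UDP/123", "proto": "udp", "src": "10.0.0.7",
     "dst": "198.51.100.3", "dport": 123, "payload": b"GN" + bytes(14)},
    {"note": "GN deeper in payload", "proto": "udp", "src": "10.0.0.7",
     "dst": "198.51.100.3", "dport": 123, "payload": bytes(4) + b"GN"},
    {"note": "inbound GN", "proto": "udp", "src": "198.51.100.3",
     "dst": "10.0.0.7", "dport": 123, "payload": b"GN" + bytes(14)},
]

if __name__ == "__main__":
    print(analyse(SAMPLE_PACKETS))  # ['GN-prefixed UDP/123']
```

Because the rule keys on a fixed marker rather than on anything about the sending host, the usual follow-up is to pull the full packet from the sensor and check whether the payload really is non-NTP traffic before treating the source as infected.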