2024-02-05 06:12:47 -08:00
|
|
|
|
|
|
|
rule TrojanSpy_Win32_Cospet_A{
|
|
|
|
meta:
|
2024-07-06 23:13:08 -07:00
|
|
|
description = "TrojanSpy:Win32/Cospet.A,SIGNATURE_TYPE_PEHSTR,04 00 04 00 04 00 00 "
|
2024-02-05 06:12:47 -08:00
|
|
|
|
|
|
|
strings :
|
2024-07-06 23:13:08 -07:00
|
|
|
$a_01_0 = {53 65 74 20 4d 79 53 68 65 6c 6c 20 3d 20 43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 57 73 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 } //1 Set MyShell = CreateObject("Wscript.Shell")
|
|
|
|
$a_01_1 = {5c 41 75 74 6f 72 75 6e 2e 76 62 73 } //1 \Autorun.vbs
|
|
|
|
$a_01_2 = {68 74 74 70 3a 2f 2f 63 68 65 63 6b 69 70 2e 64 79 6e 64 6e 73 2e 6f 72 67 } //1 http://checkip.dyndns.org
|
|
|
|
$a_01_3 = {22 23 53 74 65 61 6d 5f 4c 6f 67 69 6e 5f 52 65 6d 65 6d 62 65 72 50 61 73 73 77 6f 72 64 22 } //1 "#Steam_Login_RememberPassword"
|
2024-02-05 06:12:47 -08:00
|
|
|
condition:
|
2024-07-06 23:13:08 -07:00
|
|
|
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1) >=4
|
2024-02-05 06:12:47 -08:00
|
|
|
|
|
|
|
}
|