rule Backdoor_Win32_InstantAccess{
	meta:
		description = "Backdoor:Win32/InstantAccess,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 01 00 "
		
	strings :
		$a_00_0 = {50 6f 72 74 20 68 61 73 20 62 65 65 6e 20 6f 70 65 6e 65 64 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e } //01 00  Port has been opened successfully.
		$a_00_1 = {3c 68 74 6d 6c 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 22 } //01 00  <html><iframe src="
		$a_02_2 = {65 67 61 63 63 65 73 73 90 02 03 2e 44 4c 4c 90 00 } //01 00 
		$a_00_3 = {49 6e 73 74 61 6e 74 41 63 63 65 73 73 00 4f 70 65 6e 41 63 63 65 73 73 00 65 63 6e 68 65 00 65 73 77 68 65 00 65 75 68 77 65 00 69 65 64 69 73 63 6f } //00 00  湉瑳湡䅴捣獥s灏湥捁散獳攀湣敨攀睳敨攀桵敷椀摥獩潣
	condition:
		any of ($a_*)
 
}
rule Backdoor_Win32_InstantAccess_2{
	meta:
		description = "Backdoor:Win32/InstantAccess,SIGNATURE_TYPE_PEHSTR_EXT,0b 00 0b 00 03 00 00 0a 00 "
		
	strings :
		$a_03_0 = {59 85 c0 59 0f 85 90 01 02 00 00 8d 85 90 01 02 ff ff 68 90 01 04 50 ff 15 90 01 02 40 00 59 85 c0 59 0f 85 90 01 02 00 00 90 01 01 8d 85 90 01 02 ff ff 56 50 e8 90 01 02 00 00 83 c4 0c 8d 85 90 01 02 ff ff 90 01 01 50 ff 15 90 01 02 40 00 8d 85 90 01 02 ff ff 68 90 01 04 50 ff 15 90 01 02 40 00 90 00 } //01 00 
		$a_02_1 = {5c 45 78 65 44 69 61 6c 65 72 2e 65 78 65 90 02 10 65 78 65 64 69 61 6c 65 72 90 02 10 69 6e 73 74 61 6e 74 20 61 63 63 65 73 73 2e 65 78 65 90 00 } //01 00 
		$a_02_2 = {5c 49 6e 73 74 61 6e 74 20 41 63 63 65 73 73 5c 43 65 6e 74 65 72 5c 90 02 10 43 44 69 61 6c 65 72 45 58 45 44 6c 67 3a 3a 43 72 65 61 74 65 53 68 6f 72 74 43 75 74 28 29 90 00 } //00 00 
	condition:
		any of ($a_*)
 
}
rule Backdoor_Win32_InstantAccess_3{
	meta:
		description = "Backdoor:Win32/InstantAccess,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 06 00 00 01 00 "
		
	strings :
		$a_00_0 = {3c 64 65 73 63 72 69 70 74 69 6f 6e 3e 69 6e 73 74 61 6e 74 2d 61 63 65 73 73 3c 2f 64 65 73 63 72 69 70 74 69 6f 6e 3e } //01 00  <description>instant-acess</description>
		$a_00_1 = {3c 72 65 71 75 65 73 74 65 64 45 78 65 63 75 74 69 6f 6e 4c 65 76 65 6c 20 6c 65 76 65 6c 3d 22 72 65 71 75 69 72 65 41 64 6d 69 6e 69 73 74 72 61 74 6f 72 22 } //01 00  <requestedExecutionLevel level="requireAdministrator"
		$a_00_2 = {53 68 65 6c 6c 45 78 65 63 75 74 65 41 } //01 00  ShellExecuteA
		$a_02_3 = {65 67 61 63 63 65 73 73 90 02 03 2e 44 4c 4c 90 00 } //01 00 
		$a_02_4 = {49 6e 73 74 61 6e 74 41 63 63 65 73 73 90 02 05 4f 70 65 6e 41 63 63 65 73 73 90 02 05 52 65 67 69 73 74 65 72 45 58 45 90 02 05 65 63 6e 68 65 90 02 05 65 73 77 68 65 90 02 05 65 75 68 77 65 90 02 05 69 65 64 69 73 63 6f 90 02 05 73 64 73 90 00 } //05 00 
		$a_02_5 = {4f 00 72 00 69 00 67 00 69 00 6e 00 61 00 6c 00 46 00 69 00 6c 00 65 00 6e 00 61 00 6d 00 65 00 90 02 06 49 00 6e 00 73 00 74 00 61 00 6e 00 74 00 20 00 41 00 63 00 63 00 65 00 73 00 73 00 2e 00 65 00 78 00 65 00 90 02 10 50 00 72 00 69 00 76 00 61 00 74 00 65 00 42 00 75 00 69 00 6c 00 64 00 90 02 09 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 4e 00 61 00 6d 00 65 00 90 02 06 41 00 70 00 70 00 6c 00 69 00 63 00 61 00 74 00 69 00 6f 00 6e 00 90 02 06 49 00 6e 00 73 00 74 00 61 00 6e 00 74 00 20 00 41 00 63 00 63 00 65 00 73 00 73 00 90 00 } //00 00 
	condition:
		any of ($a_*)
 
}