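/*
 * TrojanSpy:Win32/Bafi.R: string-based detection carried over from a
 * SIGNATURE_TYPE_PEHSTR_EXT record (see meta.description).
 *
 * Scoring. The header bytes in the description, "0e 00 0e 00 07 00", are read
 * here as a threshold of 14 (0x0e) over 7 sub-strings. The "05 00" that closes
 * the description, and the "NN 00" pair that trailed each string in the
 * export, are read as the weight of the string that follows. That yields
 * weights 5, 5, 3, 3, 3, 1, 1 (21 in total).
 * NOTE(review): this weight alignment is inferred from the export layout;
 * confirm it against the originating signature.
 *
 * The earlier condition, `any of ($a_*)`, fired on a single hit. That included
 * the wide strings ".clb" and "UAs" and the ordinary Firefox extensions path,
 * none of which identifies this family on its own. The condition below only
 * fires when the matched strings add up to the threshold.
 *
 * NOTE(review): the source record is a PE string signature. If this rule is
 * only run against files, adding `uint16(0) == 0x5A4D` would narrow it further.
 */
rule TrojanSpy_Win32_Bafi_R
{
    meta:
        description = "TrojanSpy:Win32/Bafi.R,SIGNATURE_TYPE_PEHSTR_EXT,0e 00 0e 00 07 00 00 05 00 "

    strings:
        // weight 5: UTF-16LE "\Mozilla\Firefox\extensions"
        $a_00_0 = {5c 00 4d 00 6f 00 7a 00 69 00 6c 00 6c 00 61 00 5c 00 46 00 69 00 72 00 65 00 66 00 6f 00 78 00 5c 00 65 00 78 00 74 00 65 00 6e 00 73 00 69 00 6f 00 6e 00 73 00}

        // weight 5: ASCII "Java", at most one arbitrary byte, then "StringHelper".
        // The export held the raw bytes 90 02 01 between the two words and 90 00
        // at the end. Taken literally they would demand 0x90 0x02 0x01 inside the
        // identifier, so the string could practically never match. They are read
        // here as the source format's "skip up to 1 byte" and end-of-pattern
        // escapes. NOTE(review): confirm the escape semantics against the
        // PEHSTR_EXT format description you rely on.
        $a_03_1 = {4a 61 76 61 [0-1] 53 74 72 69 6e 67 48 65 6c 70 65 72}

        // weight 3: UTF-16LE "{33044118-6597-4D2F-ABEA-7974BB185379}"
        $a_00_2 = {7b 00 33 00 33 00 30 00 34 00 34 00 31 00 31 00 38 00 2d 00 36 00 35 00 39 00 37 00 2d 00 34 00 44 00 32 00 46 00 2d 00 41 00 42 00 45 00 41 00 2d 00 37 00 39 00 37 00 34 00 42 00 42 00 31 00 38 00 35 00 33 00 37 00 39 00 7d 00}

        // weight 3: UTF-16LE "{184AA5E6-741D-464a-820E-94B3ABC2F3B4}"
        $a_00_3 = {7b 00 31 00 38 00 34 00 41 00 41 00 35 00 45 00 36 00 2d 00 37 00 34 00 31 00 44 00 2d 00 34 00 36 00 34 00 61 00 2d 00 38 00 32 00 30 00 45 00 2d 00 39 00 34 00 42 00 33 00 41 00 42 00 43 00 32 00 46 00 33 00 42 00 34 00 7d 00}

        // weight 3: UTF-16LE "{E634117B-33A8-4C70-8210-198010F03834}"
        $a_00_4 = {7b 00 45 00 36 00 33 00 34 00 31 00 31 00 37 00 42 00 2d 00 33 00 33 00 41 00 38 00 2d 00 34 00 43 00 37 00 30 00 2d 00 38 00 32 00 31 00 30 00 2d 00 31 00 39 00 38 00 30 00 31 00 30 00 46 00 30 00 33 00 38 00 33 00 34 00 7d 00}

        // weight 1: UTF-16LE ".clb" (too short to be meaningful alone)
        $a_00_5 = {2e 00 63 00 6c 00 62 00}

        // weight 1: UTF-16LE "UAs" (too short to be meaningful alone)
        $a_01_6 = {55 00 41 00 73 00}

    condition:
        // Each string counts once. With weights 5/5/3/3/3/1/1 the only ways
        // to reach 14 are:
        //   both weight-5 strings + two GUIDs                    (>= 16)
        //   both weight-5 strings + one GUID + one weight-1 hit  (= 14)
        //   one weight-5 string   + all three GUIDs              (= 14)
        (
            $a_00_0 and $a_03_1 and
            (
                2 of ($a_00_2, $a_00_3, $a_00_4) or
                (
                    1 of ($a_00_2, $a_00_3, $a_00_4) and
                    1 of ($a_00_5, $a_01_6)
                )
            )
        )
        or
        (
            1 of ($a_00_0, $a_03_1) and
            all of ($a_00_2, $a_00_3, $a_00_4)
        )
}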