
// Microsoft Defender signature Backdoor:Win32/Bazarldr.AC!MTB exported to YARA
// syntax from a SIGNATURE_TYPE_PEHSTR_EXT record (raw header kept in `description`).
rule Backdoor_Win32_Bazarldr_AC_MTB{
meta:
// The trailing hex is the untouched PEHSTR_EXT header.  The leading `04 00 04 00`
// presumably carries the string count and a match threshold of 4 — TODO confirm
// against the converter; the condition below does not apply such a threshold.
description = "Backdoor:Win32/Bazarldr.AC!MTB,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 01 00 "
strings :
// x86 code fragment: movzx loads from [edi+reg], two `div ebp` (f7 f5) reductions,
// two byte stores back into the same buffer and a final `xor [edx], al` (30 02) —
// a swap/modulo/xor loop that resembles a keystream-style byte transform.
// NOTE(review): `90 01 01` (after `8b 54 24`, where a disp8 would sit) and the
// trailing `90 00` look like PEHSTR_EXT wildcard/skip opcodes rather than literal
// bytes; as written YARA matches them literally.  Confirm whether the converter
// should have emitted `??` / jump syntax here — a literal match will likely never hit.
// The `//01 00` trailers are carried over from the source record (per-string
// weights, presumably) and are plain comments in YARA.
$a_02_0 = {0f b6 34 17 89 d1 31 d2 01 f3 89 d8 f7 f5 0f b6 04 17 89 d3 89 f2 88 04 0f 88 14 1f 31 d2 0f b6 04 0f 01 f0 f7 f5 0f b6 04 17 8b 54 24 90 01 01 30 02 8b 04 24 90 00 } //01 00
// Plain ASCII export names.  All three are the standard COM in-process server
// exports and appear in a great many benign DLLs, so on their own they identify
// nothing; they only add evidence next to the code fragment above.
$a_00_1 = {44 6c 6c 52 65 67 69 73 74 65 72 53 65 72 76 65 72 } //01 00 DllRegisterServer
$a_00_2 = {44 6c 6c 47 65 74 43 6c 61 73 73 4f 62 6a 65 63 74 } //01 00 DllGetClassObject
$a_00_3 = {44 6c 6c 43 61 6e 55 6e 6c 6f 61 64 4e 6f 77 } //00 00 DllCanUnloadNow
condition:
// NOTE(review): `any of` fires on a single string, so any ordinary COM DLL that
// exports DllRegisterServer matches via $a_00_1..$a_00_3 alone — expect false
// positives if this rule is used for blocking rather than hunting.  If the header
// threshold really is 4, a weighted count such as
// `(#a_02_0 + #a_00_1 + #a_00_2 + #a_00_3) >= 4` (or at least `$a_02_0 and 2 of ($a_00_*)`)
// would be closer to the original signature — verify against the converter before changing.
any of ($a_*)
}