18 lines
1.1 KiB
Plaintext
18 lines
1.1 KiB
Plaintext
|
|
rule Backdoor_Win32_DarkView_A{
|
|
meta:
|
|
description = "Backdoor:Win32/DarkView.A,SIGNATURE_TYPE_PEHSTR_EXT,6b 00 6b 00 08 00 00 "
|
|
|
|
strings :
|
|
$a_02_0 = {53 83 ec 20 89 e0 89 c2 83 c2 20 c7 00 00 00 00 00 83 c0 04 39 d0 75 f3 8b 54 24 28 8d 0c 24 e8 ?? ?? 00 00 c7 44 24 04 00 00 00 00 ff 34 24 e8 ?? ?? 00 00 89 c3 43 89 5c 24 08 ff 74 24 2c 68 00 00 00 00 68 ff 0f 1f 00 e8 ?? ?? 00 00 89 44 24 0c 83 7c 24 0c 00 0f 84 ?? ?? 00 00 68 04 00 00 00 68 00 10 00 00 ff 74 24 10 68 00 00 00 00 ff 74 24 1c } //100
|
|
$a_00_1 = {78 63 6f 6e 66 69 67 2e 73 72 76 00 } //2
|
|
$a_00_2 = {25 70 72 6f 67 72 61 6d 66 69 6c 65 73 25 00 } //1
|
|
$a_00_3 = {25 64 65 73 6b 74 6f 70 25 00 } //1 搥獥瑫灯%
|
|
$a_00_4 = {25 6f 77 6e 64 61 74 61 25 00 } //1 漥湷慤慴%
|
|
$a_00_5 = {25 73 79 73 74 65 6d 72 6f 6f 74 25 00 } //1
|
|
$a_00_6 = {25 73 79 73 74 65 6d 33 32 25 00 } //1
|
|
$a_00_7 = {5c 53 68 65 6c 6c 5c 4f 70 65 6e 5c 43 6f 6d 6d 61 6e 64 00 } //1 卜敨汬作数屮潃浭湡d
|
|
condition:
|
|
((#a_02_0 & 1)*100+(#a_00_1 & 1)*2+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1) >=107
|
|
|
|
} |