23 lines
1.2 KiB
Plaintext
23 lines
1.2 KiB
Plaintext
|
|
rule Backdoor_Win32_IRCbot_DL{
|
|
meta:
|
|
description = "Backdoor:Win32/IRCbot.DL,SIGNATURE_TYPE_PEHSTR,06 00 06 00 0d 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {00 53 74 61 74 75 73 7c 55 70 64 61 74 65 20 46 61 69 6c 65 64 } //1
|
|
$a_01_1 = {00 53 74 55 44 50 7c } //1
|
|
$a_01_2 = {00 53 74 53 59 4e } //1 匀却乙
|
|
$a_01_3 = {00 49 44 4c 45 7c } //1 䤀䱄籅
|
|
$a_01_4 = {00 57 65 62 44 4c } //1 圀扥䱄
|
|
$a_01_5 = {00 53 53 59 4e } //1
|
|
$a_01_6 = {00 4c 4f 4c 4f 4c 4f 4c 4f 4c 4f 4c 4f 4c 4f 4c 4f 4c 4f 4c 4f 4c 4f 4c 4f 4c } //1 䰀䱏䱏䱏䱏䱏䱏䱏䱏䱏䱏䱏䱏
|
|
$a_01_7 = {00 45 6e 46 69 72 65 7c } //1 䔀䙮物籥
|
|
$a_01_8 = {00 55 53 42 7c 49 6e 66 65 63 74 65 64 20 44 72 69 76 65 } //1
|
|
$a_01_9 = {00 53 41 44 44 4e 45 57 7c 53 68 61 72 69 6e 67 2e 2e 2e 7c } //1 匀䑁乄坅卼慨楲杮⸮簮
|
|
$a_01_10 = {00 64 64 6f 73 65 72 00 } //1 搀潤敳r
|
|
$a_01_11 = {00 53 54 4f 50 53 48 41 52 45 44 7c } //1 匀佔卐䅈䕒籄
|
|
$a_01_12 = {00 55 44 50 53 74 61 72 74 7c } //1 唀偄瑓牡籴
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1+(#a_01_7 & 1)*1+(#a_01_8 & 1)*1+(#a_01_9 & 1)*1+(#a_01_10 & 1)*1+(#a_01_11 & 1)*1+(#a_01_12 & 1)*1) >=6
|
|
|
|
} |