DefenderYara/Backdoor/Win32/PcClient/Backdoor_Win32_PcClient_CV.yar


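// Detection for Backdoor:Win32/PcClient.CV, converted from a Defender
// SIGNATURE_TYPE_PEHSTR signature. The first field of the signature header
// (14 00 = 20) is the required score, and every string below carries a
// weight of 1, so all 20 strings must be present for the rule to fire.
//
// The strings are plain-text indicators found in the sample (user-agent,
// log/time format, service-persistence registry paths, named-pipe prefix,
// temp-file name formats). Several are stored with a trailing 00 byte so
// the hex form matches the NUL-terminated C string exactly; $a_01_9 and
// $a_01_10 are UTF-16LE, which is why every other byte in them is 00.
rule Backdoor_Win32_PcClient_CV
{
    meta:
        description = "Backdoor:Win32/PcClient.CV,SIGNATURE_TYPE_PEHSTR,14 00 14 00 14 00 00 "

    strings:
        $a_01_0  = {4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 32 3b 20 53 56 31 3b 20 2e 4e 45 54 20 43 4c 52 20 31 2e 31 2e 34 33 32 32 29 } // Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
        $a_01_1  = {5b 25 30 34 64 2d 25 30 32 64 2d 25 30 32 64 20 25 30 32 64 3a 25 30 32 64 3a 25 30 32 64 5d } // [%04d-%02d-%02d %02d:%02d:%02d]
        $a_01_2  = {75 70 64 61 74 65 65 76 65 6e 74 3d 25 73 3b } // updateevent=%s;
        $a_01_3  = {53 4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 20 4e 54 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 53 76 63 48 6f 73 74 } // SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
        $a_01_4  = {5c 73 76 63 68 6f 73 74 2e 65 78 65 20 2d 6b 20 00 } // \svchost.exe -k <NUL>
        $a_01_5  = {5c 67 64 69 70 6c 75 73 2e 64 6c 6c 00 } // \gdiplus.dll<NUL>
        $a_01_6  = {53 65 72 76 69 63 65 44 6c 6c 00 } // ServiceDll<NUL>
        $a_01_7  = {25 30 38 78 2e 74 6d 70 00 } // %08x.tmp<NUL>
        $a_01_8  = {25 64 2e 74 6d 70 00 } // %d.tmp<NUL>
        $a_01_9  = {69 00 6d 00 61 00 67 00 65 00 2f 00 67 00 69 00 66 00 } // image/gif (UTF-16LE)
        $a_01_10 = {69 00 6d 00 61 00 67 00 65 00 2f 00 6a 00 70 00 65 00 67 00 } // image/jpeg (UTF-16LE)
        $a_01_11 = {53 59 53 54 45 4d 5c 43 75 72 72 65 6e 74 43 6f 6e 74 72 6f 6c 53 65 74 5c 53 65 72 76 69 63 65 73 } // SYSTEM\CurrentControlSet\Services
        $a_01_12 = {44 65 66 61 75 6c 74 20 49 4d 45 } // Default IME
        $a_01_13 = {53 65 44 65 62 75 67 50 72 69 76 69 6c 65 67 65 } // SeDebugPrivilege
        $a_01_14 = {53 4f 46 54 57 41 52 45 5c 43 6c 61 73 73 65 73 5c 48 54 54 50 5c 73 68 65 6c 6c 5c 6f 70 65 6e 5c 63 6f 6d 6d 61 6e 64 } // SOFTWARE\Classes\HTTP\shell\open\command
        $a_01_15 = {5c 5c 2e 5c 70 69 70 65 5c } // \\.\pipe\
        $a_01_16 = {43 6f 6e 74 72 6f 6c 53 65 74 30 30 33 } // ControlSet003
        $a_01_17 = {43 6f 6e 74 72 6f 6c 53 65 74 30 30 32 } // ControlSet002
        $a_01_18 = {43 6f 6e 74 72 6f 6c 53 65 74 30 30 31 } // ControlSet001
        $a_01_19 = {25 53 79 73 74 65 6d 52 6f 6f 74 25 5c 53 79 73 74 65 6d 33 32 5c } // %SystemRoot%\System32\

    condition:
        // Every string weighs 1 and the threshold is 20 = number of strings,
        // so the signature requires all of them. The generated form
        // `(#a_01_N & 1)*1 ... >= 20` scored the *parity* of each match
        // count rather than presence: a string occurring an even number of
        // times (e.g. twice) contributed 0 and the rule silently failed to
        // fire. `all of them` expresses the intended presence check directly
        // and matches a superset of what the old condition matched.
        all of them
}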