14 lines
858 B
Plaintext
14 lines
858 B
Plaintext
|
|
rule Backdoor_Win32_Prosti_F{
|
|
meta:
|
|
description = "Backdoor:Win32/Prosti.F,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_00_0 = {43 3a 5c 57 69 6e 64 6f 77 73 5c 53 63 72 65 65 6e 42 6c 61 7a 65 55 70 67 72 61 64 65 72 2e 62 61 74 } //01 00 C:\Windows\ScreenBlazeUpgrader.bat
|
|
$a_02_1 = {68 74 74 70 3a 2f 2f 77 77 77 2e 73 63 72 65 65 6e 62 6c 61 7a 65 2e 63 6f 6d 2f 90 02 08 2e 70 68 70 3f 69 64 3d 90 00 } //01 00
|
|
$a_01_2 = {54 68 69 73 20 77 61 79 20 6d 61 64 45 78 63 65 70 74 20 63 61 6e 27 74 20 69 6e 73 74 61 6c 6c 20 74 68 65 20 74 68 72 65 61 64 20 68 6f 6f 6b 73 } //01 00 This way madExcept can't install the thread hooks
|
|
$a_02_3 = {8b e5 5d c3 ff ff ff ff 90 01 01 00 00 00 68 74 74 70 3a 2f 2f 77 77 77 2e 73 63 72 65 65 6e 62 6c 61 7a 65 2e 63 6f 6d 2f 90 00 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |