DefenderYara/Backdoor/Win32/Rbot/Backdoor_Win32_Rbot.yar


// Backdoor_Win32_Rbot -- YARA rendering of the Microsoft Defender signature
// "Backdoor:Win32/Rbot" (signature type SIGNATURE_TYPE_PEHSTR_EXT, per meta.description).
//
// How to read this rule:
//  * Every string is written as a hex byte sequence. The trailing "//N text" comment on
//    each line carries N, the weight that string contributes in the condition, and (where
//    the converter could render it) the bytes decoded as text. Sequences with a 00 after
//    every byte are UTF-16LE ("wide") strings; entries with no text are raw byte patterns.
//  * The condition is a weighted sum: "(#x & 1) * N" adds N once if string x occurs at
//    least once, however many times it occurs. The file matches when the sum is >= 20.
//    (The "14 00" word in meta.description appears to be that same threshold, 0x14 = 20;
//    the other header words are carried over from the signature and are not interpreted
//    here.)
//  * $a_00_0 and $a_00_1 carry weight -100: one hit on either subtracts 100, which
//    outweighs a typical cluster of positive hits (each worth 1-3). Presumably this is a
//    false-positive guard for McAfee Stinger binaries, whose own detection data would
//    contain Rbot marker strings -- confirm before relying on it.
//  * The positive markers are Rbot's IRC command vocabulary (ddos.*, com.*, irc.*,
//    proxy.*, ...), its status/log messages, registry autostart paths (Run, RunServices),
//    admin-share paths (\\%s\ipc$, Admin$\system32, c$\...) and the tftp / xp_cmdshell
//    one-liners it emits. Many of the 1-point strings are short generic words ("Optix",
//    "MyDoom", "paypal.com", "sysinfo", "getclip") that also occur in security tooling;
//    the score threshold, not any single string, is what makes the rule specific.
//  * The condition is one expression; the line break inside it is insignificant to YARA.
//  * The middle field of the string names ($a_00_*, $a_01_*, $a_02_*) comes from the
//    converter; only the $a_02_* entry uses a hex jump ([0-04]).
rule Backdoor_Win32_Rbot{
meta:
description = "Backdoor:Win32/Rbot,SIGNATURE_TYPE_PEHSTR_EXT,1e 00 14 00 ffffffb0 00 00 "
strings :
// Exclusion strings (negative weight); see header comment.
$a_00_0 = {4d 00 63 00 41 00 66 00 65 00 65 00 20 00 53 00 74 00 69 00 6e 00 67 00 65 00 72 00 } //-100 McAfee Stinger
$a_00_1 = {4d 00 63 00 41 00 66 00 65 00 65 00 20 00 49 00 6e 00 63 00 2e 00 20 00 53 00 74 00 69 00 6e 00 67 00 65 00 72 00 } //-100 McAfee Inc. Stinger
// Positive markers (weights 1-3).
$a_00_2 = {4e 54 50 61 73 73 } //1 NTPass
$a_00_3 = {6e 74 73 63 61 6e 31 33 39 } //1 ntscan139
$a_00_4 = {6e 74 73 63 61 6e 34 34 35 } //1 ntscan445
$a_00_5 = {6c 73 61 73 73 5f 34 34 35 } //1 lsass_445
$a_00_6 = {6c 73 61 73 73 5f 31 33 35 } //1 lsass_135
$a_00_7 = {6c 73 61 73 73 5f 31 33 39 } //1 lsass_139
$a_00_8 = {64 63 6f 6d 31 33 35 } //1 dcom135
$a_00_9 = {64 63 6f 6d 31 30 32 35 } //1 dcom1025
$a_00_10 = {64 63 6f 6d 32 } //1 dcom2
$a_00_11 = {49 49 53 35 53 53 4c } //1 IIS5SSL
$a_00_12 = {42 65 61 67 6c 65 31 } //1 Beagle1
$a_00_13 = {42 65 61 67 6c 65 32 } //1 Beagle2
$a_00_14 = {4d 79 44 6f 6f 6d } //1 MyDoom
$a_00_15 = {4f 70 74 69 78 } //1 Optix
$a_00_16 = {4e 65 74 44 65 76 69 6c } //1 NetDevil
$a_00_17 = {44 61 6d 65 57 61 72 65 } //1 DameWare
$a_00_18 = {4b 75 61 6e 67 32 } //1 Kuang2
$a_00_19 = {63 6d 64 5b 30 30 33 5d 25 73 7c 25 69 7c } //1 cmd[003]%s|%i|
$a_00_20 = {70 6c 65 61 7a 5f 72 75 6e 25 73 } //1 pleaz_run%s
$a_00_21 = {70 6c 65 61 7a 5f 72 75 6e 5f 64 6f 6e 65 } //1 pleaz_run_done
$a_00_22 = {70 61 73 73 5f 70 6c 65 61 7a } //1 pass_pleaz
$a_00_23 = {70 61 73 73 5f 70 6c 65 61 7a 25 73 } //1 pass_pleaz%s
$a_00_24 = {74 66 74 70 20 2d 69 20 25 73 20 67 65 74 20 25 73 } //1 tftp -i %s get %s
$a_00_25 = {5b 25 73 5d 3a 20 45 78 70 6c 6f 69 74 69 6e 67 20 49 50 3a 20 25 73 2e } //1 [%s]: Exploiting IP: %s.
$a_00_26 = {5b 25 73 5d 3a 20 45 78 70 6c 6f 69 74 69 6e 67 20 49 50 3a 20 25 73 2c 20 50 61 73 73 77 6f 72 64 3a 20 28 25 73 29 } //2 [%s]: Exploiting IP: %s, Password: (%s)
$a_00_27 = {5b 25 73 5d 3a 20 45 78 70 6c 6f 69 74 69 6e 67 20 49 50 3a 20 28 25 73 3a 25 64 29 20 55 73 65 72 3a 20 28 25 73 2f 25 73 29 2e } //2 [%s]: Exploiting IP: (%s:%d) User: (%s/%s).
$a_00_28 = {5b 25 73 5d 3a 20 45 78 70 6c 6f 69 74 69 6e 67 20 49 50 3a 20 25 73 2c 20 53 68 61 72 65 3a 20 5c 25 73 2c 20 55 73 65 72 3a 20 28 25 73 2f 25 73 29 } //2 [%s]: Exploiting IP: %s, Share: \%s, User: (%s/%s)
$a_00_29 = {5c 25 73 5c 70 69 70 65 5c 65 70 6d 61 70 70 65 72 } //1 \%s\pipe\epmapper
$a_00_30 = {57 69 6e 58 50 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c 20 20 20 20 5b 75 6e 69 76 65 72 73 61 6c 5d 20 6c 73 61 73 73 2e 65 78 65 } //1 WinXP Professional [universal] lsass.exe
$a_00_31 = {57 69 6e 32 6b 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c 20 20 20 20 5b 75 6e 69 76 65 72 73 61 6c 5d 20 6e 65 74 72 61 70 2e 64 6c 6c } //1 Win2k Professional [universal] netrap.dll
$a_00_32 = {57 69 6e 32 6b 20 41 64 76 61 6e 63 65 64 20 53 65 72 76 65 72 20 5b 53 50 34 5d 20 20 20 20 20 20 20 6e 65 74 72 61 70 2e 64 6c 6c } //1 Win2k Advanced Server [SP4] netrap.dll
$a_00_33 = {65 63 68 6f 20 6f 70 65 6e 20 25 73 20 25 64 20 3e 20 6f 26 65 63 68 6f 20 75 73 65 72 20 31 20 31 20 3e 3e 20 6f 20 26 65 63 68 6f 20 67 65 74 } //2 echo open %s %d > o&echo user 1 1 >> o &echo get
$a_00_34 = {45 58 45 43 20 6d 61 73 74 65 72 2e 2e 78 70 5f 63 6d 64 73 68 65 6c 6c 20 27 74 66 74 70 20 2d 69 20 25 73 20 47 45 54 20 25 73 27 } //1 EXEC master..xp_cmdshell 'tftp -i %s GET %s'
$a_00_35 = {45 58 45 43 20 6d 61 73 74 65 72 2e 2e 78 70 5f 63 6d 64 73 68 65 6c 6c 20 27 25 73 27 } //1 EXEC master..xp_cmdshell '%s'
$a_00_36 = {5c 5c 25 73 5c 69 70 63 24 } //1 \\%s\ipc$
$a_00_37 = {41 64 6d 69 6e 24 5c 73 79 73 74 65 6d 33 32 } //1 Admin$\system32
$a_00_38 = {63 24 5c 77 69 6e 6e 74 5c 73 79 73 74 65 6d 33 32 } //1 c$\winnt\system32
$a_00_39 = {63 24 5c 77 69 6e 64 6f 77 73 5c 73 79 73 74 65 6d 33 32 } //1 c$\windows\system32
$a_00_40 = {25 73 20 43 44 20 4b 65 79 3a 20 28 25 73 29 2e } //1 %s CD Key: (%s).
$a_00_41 = {53 65 72 76 65 72 3a 20 6d 79 42 6f 74 } //2 Server: myBot
$a_00_42 = {2a 40 2a 2e 66 62 69 2e 67 6f 76 } //2 *@*.fbi.gov
$a_00_43 = {2a 40 2e 66 62 69 2e 67 6f 76 } //2 *@.fbi.gov
$a_00_44 = {24 72 6e 64 6e 69 63 6b } //1 $rndnick
$a_00_45 = {25 73 64 65 6c 2e 62 61 74 } //1 %sdel.bat
$a_00_46 = {25 25 63 6f 6d 73 70 65 63 25 25 20 2f 63 20 25 73 20 25 73 } //1 %%comspec%% /c %s %s
$a_00_47 = {70 61 79 70 61 6c 2e 63 6f 6d } //1 paypal.com
$a_00_48 = {53 6f 66 74 77 61 72 65 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 52 75 6e } //1 Software\Microsoft\Windows\CurrentVersion\Run
$a_00_49 = {53 6f 66 74 77 61 72 65 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 52 75 6e 53 65 72 76 69 63 65 73 } //1 Software\Microsoft\Windows\CurrentVersion\RunServices
$a_00_50 = {53 6f 66 74 77 61 72 65 5c 4d 69 63 72 6f 73 6f 66 74 5c 4f 4c 45 } //1 Software\Microsoft\OLE
$a_00_51 = {53 59 53 54 45 4d 5c 43 75 72 72 65 6e 74 43 6f 6e 74 72 6f 6c 53 65 74 5c 43 6f 6e 74 72 6f 6c 5c 4c 73 61 } //1 SYSTEM\CurrentControlSet\Control\Lsa
$a_00_52 = {64 64 6f 73 2e 73 79 6e } //1 ddos.syn
$a_00_53 = {64 64 6f 73 2e 61 63 6b } //1 ddos.ack
$a_00_54 = {64 64 6f 73 2e 72 61 6e 64 6f 6d } //1 ddos.random
$a_00_55 = {64 64 6f 73 2e 73 74 6f 70 } //1 ddos.stop
$a_00_56 = {63 6c 6f 6e 65 73 74 6f 70 } //1 clonestop
$a_00_57 = {69 63 6d 70 66 6c 6f 6f 64 } //1 icmpflood
$a_00_58 = {68 74 74 70 73 74 6f 70 } //1 httpstop
$a_00_59 = {44 44 6f 53 20 66 6c 6f 6f 64 } //1 DDoS flood
$a_00_60 = {73 79 6e 73 74 6f 70 } //1 synstop
$a_00_61 = {53 79 6e 20 66 6c 6f 6f 64 } //1 Syn flood
$a_00_62 = {75 64 70 73 74 6f 70 } //1 udpstop
$a_00_63 = {55 44 50 20 66 6c 6f 6f 64 } //1 UDP flood
$a_00_64 = {70 69 6e 67 73 74 6f 70 } //1 pingstop
$a_00_65 = {50 69 6e 67 20 66 6c 6f 6f 64 } //1 Ping flood
$a_00_66 = {74 66 74 70 73 74 6f 70 } //1 tftpstop
$a_00_67 = {73 63 61 6e 73 74 6f 70 } //1 scanstop
$a_00_68 = {73 63 61 6e 73 74 61 74 73 } //1 scanstats
$a_00_69 = {6e 65 74 69 6e 66 6f } //1 netinfo
$a_00_70 = {73 79 73 69 6e 66 6f } //1 sysinfo
$a_00_71 = {67 65 74 63 64 6b 65 79 73 } //1 getcdkeys
$a_00_72 = {67 65 74 63 6c 69 70 } //1 getclip
$a_00_73 = {6f 70 65 6e 63 6d 64 } //1 opencmd
$a_00_74 = {63 6d 64 73 74 6f 70 } //1 cmdstop
$a_00_75 = {45 78 70 6c 6f 69 74 20 53 74 61 74 69 73 74 69 63 73 3a } //1 Exploit Statistics:
$a_00_76 = {53 63 61 6e 20 6e 6f 74 20 61 63 74 69 76 65 2e } //1 Scan not active.
$a_01_77 = {53 65 72 76 65 72 20 73 74 61 72 74 65 64 20 6f 6e 20 50 6f 72 74 3a 20 25 64 2c 20 46 69 6c 65 3a 20 25 73 2c 20 52 65 71 75 65 73 74 3a 20 25 73 2e } //2 Server started on Port: %d, File: %s, Request: %s.
$a_00_78 = {53 65 72 76 65 72 20 6c 69 73 74 65 6e 69 6e 67 20 6f 6e 20 49 50 3a 20 25 73 3a 25 64 2c 20 44 69 72 65 63 74 6f 72 79 3a 20 25 73 5c 2e } //1 Server listening on IP: %s:%d, Directory: %s\.
$a_00_79 = {44 6f 6e 65 20 77 69 74 68 20 66 6c 6f 6f 64 20 28 25 69 4b 42 2f 73 65 63 29 2e } //2 Done with flood (%iKB/sec).
$a_00_80 = {44 6f 77 6e 6c 6f 61 64 65 64 20 25 2e 31 66 4b 42 20 74 6f 20 25 73 20 40 20 25 2e 31 66 4b 42 2f 73 65 63 2e 20 55 70 64 61 74 69 6e 67 2e } //2 Downloaded %.1fKB to %s @ %.1fKB/sec. Updating.
$a_00_81 = {42 6f 74 20 73 74 61 72 74 65 64 2e } //1 Bot started.
$a_00_82 = {53 74 61 74 75 73 3a 20 52 65 61 64 79 2e 20 42 6f 74 20 55 70 74 69 6d 65 3a 20 25 73 2e } //1 Status: Ready. Bot Uptime: %s.
$a_00_83 = {42 6f 74 20 49 44 3a 20 25 73 2e } //1 Bot ID: %s.
$a_00_84 = {5b 4d 41 49 4e 5d 3a 20 4e 65 74 77 6f 72 6b 20 49 6e 66 6f 2e } //1 [MAIN]: Network Info.
$a_00_85 = {5b 4d 41 49 4e 5d 3a 20 53 79 73 74 65 6d 20 49 6e 66 6f 2e } //1 [MAIN]: System Info.
$a_00_86 = {52 65 6d 6f 76 69 6e 67 20 42 6f 74 2e } //1 Removing Bot.
$a_00_87 = {5b 4d 41 49 4e 5d 3a 20 47 65 74 20 43 6c 69 70 62 6f 61 72 64 2e } //1 [MAIN]: Get Clipboard.
$a_00_88 = {5b 4b 45 59 4c 4f 47 5d 3a 20 25 73 } //1 [KEYLOG]: %s
$a_00_89 = {5b 46 49 4e 44 46 49 4c 45 5d 3a 20 53 65 61 72 63 68 69 6e 67 20 66 6f 72 20 66 69 6c 65 3a 20 25 73 2e } //1 [FINDFILE]: Searching for file: %s.
$a_00_90 = {54 68 65 20 57 69 6e 64 6f 77 73 20 6c 6f 67 6f 6e 20 28 50 69 64 3a 20 3c 25 64 3e 29 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 69 73 3a 20 44 6f 6d 61 69 6e 3a 20 5c 25 53 2c 20 55 73 65 72 3a 20 28 25 53 2f } //3 The Windows logon (Pid: <%d>) information is: Domain: \%S, User: (%S/
$a_00_91 = {5b 49 43 4d 50 5d 3a 20 44 6f 6e 65 20 77 69 74 68 20 25 73 20 66 6c 6f 6f 64 20 74 6f 20 49 50 3a 20 25 73 2e 20 53 65 6e 74 3a 20 25 64 20 70 61 63 6b 65 74 28 73 29 20 40 20 25 64 4b 42 2f 73 65 63 20 28 25 64 4d 42 29 2e } //1 [ICMP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).
$a_00_92 = {5b 4e 45 54 5d 3a 20 25 73 20 3c 53 65 72 76 65 72 3a 20 25 53 3e 20 3c 4d 65 73 73 61 67 65 3a 20 25 53 3e } //1 [NET]: %s <Server: %S> <Message: %S>
$a_00_93 = {5b 50 49 4e 47 5d 3a 20 45 72 72 6f 72 20 73 65 6e 64 69 6e 67 20 70 69 6e 67 73 20 74 6f 20 25 73 2e } //1 [PING]: Error sending pings to %s.
$a_00_94 = {5b 50 49 4e 47 5d 3a 20 46 69 6e 69 73 68 65 64 20 73 65 6e 64 69 6e 67 20 70 69 6e 67 73 20 74 6f 20 25 73 2e } //1 [PING]: Finished sending pings to %s.
$a_00_95 = {5b 50 53 4e 49 46 46 5d 3a 20 53 75 73 70 69 63 69 6f 75 73 20 25 73 20 70 61 63 6b 65 74 20 66 72 6f 6d 3a 20 25 73 3a 25 64 20 2d 20 25 73 2e } //1 [PSNIFF]: Suspicious %s packet from: %s:%d - %s.
$a_00_96 = {5b 53 45 43 55 52 45 5d 3a 20 46 61 69 6c 65 64 20 74 6f 20 73 74 61 72 74 20 73 65 63 75 72 65 20 74 68 72 65 61 64 2c 20 65 72 72 6f 72 3a 20 3c 25 64 3e 2e } //1 [SECURE]: Failed to start secure thread, error: <%d>.
$a_00_97 = {5b 53 4f 43 4b 53 34 5d 3a 20 53 65 72 76 65 72 20 73 74 61 72 74 65 64 20 6f 6e 3a 20 25 73 3a 25 64 2e } //1 [SOCKS4]: Server started on: %s:%d.
$a_00_98 = {5b 45 4d 41 49 4c 5d 3a 20 4d 65 73 73 61 67 65 20 73 65 6e 74 20 74 6f 20 25 73 2e } //1 [EMAIL]: Message sent to %s.
$a_00_99 = {5b 53 45 43 55 52 45 5d 3a 20 44 43 4f 4d 20 65 6e 61 62 6c 65 64 2e } //1 [SECURE]: DCOM enabled.
$a_00_100 = {5b 52 45 44 49 52 45 43 54 5d 3a 20 43 6c 69 65 6e 74 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 66 72 6f 6d 20 49 50 3a 20 25 73 3a 25 64 2c 20 53 65 72 76 65 72 20 74 68 72 65 61 64 3a 20 25 64 2e } //1 [REDIRECT]: Client connection from IP: %s:%d, Server thread: %d.
$a_00_101 = {5b 56 49 53 49 54 5d 3a 20 55 52 4c 20 76 69 73 69 74 65 64 2e } //1 [VISIT]: URL visited.
$a_00_102 = {5b 53 59 4e 5d 3a 20 44 6f 6e 65 20 77 69 74 68 20 66 6c 6f 6f 64 20 28 25 69 4b 42 2f 73 65 63 29 2e } //1 [SYN]: Done with flood (%iKB/sec).
$a_00_103 = {5b 53 59 53 49 4e 46 4f 5d 3a 20 5b 43 50 55 5d 3a 20 25 49 36 34 75 4d 48 7a 2e 20 5b 52 41 4d 5d 3a 20 25 73 4b 42 20 74 6f 74 61 6c 2c 20 25 73 4b 42 20 66 72 65 65 2e 20 5b 44 69 73 6b 5d 3a 20 25 73 20 74 6f 74 61 6c 2c 20 25 73 20 66 72 65 65 2e 20 5b 4f 53 5d 3a 20 57 69 6e 64 6f 77 73 20 25 73 20 28 25 64 2e 25 64 2c 20 42 75 69 6c 64 20 25 64 29 2e 20 5b 53 79 73 64 69 72 5d 3a 20 25 73 2e 20 5b 48 6f 73 74 6e 61 6d 65 5d 3a 20 25 73 20 28 25 73 29 2e 20 5b 43 75 72 72 65 6e 74 20 55 73 65 72 5d 3a 20 25 73 2e 20 5b 44 61 74 65 5d 3a 20 25 73 2e 20 5b 54 69 6d 65 5d 3a 20 25 73 2e 20 5b 55 70 74 69 6d 65 5d 3a 20 25 73 2e } //1 [SYSINFO]: [CPU]: %I64uMHz. [RAM]: %sKB total, %sKB free. [Disk]: %s total, %s free. [OS]: Windows %s (%d.%d, Build %d). [Sysdir]: %s. [Hostname]: %s (%s). [Current User]: %s. [Date]: %s. [Time]: %s. [Uptime]: %s.
$a_00_104 = {5b 4e 45 54 49 4e 46 4f 5d 3a 20 5b 54 79 70 65 5d 3a 20 25 73 20 28 25 73 29 2e 20 5b 49 50 20 41 64 64 72 65 73 73 5d 3a 20 25 73 2e 20 5b 48 6f 73 74 6e 61 6d 65 5d 3a 20 25 73 2e } //1 [NETINFO]: [Type]: %s (%s). [IP Address]: %s. [Hostname]: %s.
$a_00_105 = {5b 54 48 52 45 41 44 53 5d 3a 20 4c 69 73 74 20 74 68 72 65 61 64 73 2e } //1 [THREADS]: List threads.
$a_00_106 = {5b 4c 4f 47 5d 3a 20 4c 69 73 74 69 6e 67 20 6c 6f 67 2e } //1 [LOG]: Listing log.
$a_00_107 = {5b 4c 4f 47 5d 3a 20 46 61 69 6c 65 64 20 74 6f 20 73 74 61 72 74 20 6c 69 73 74 69 6e 67 20 74 68 72 65 61 64 2c 20 65 72 72 6f 72 3a 20 3c 25 64 3e 2e } //1 [LOG]: Failed to start listing thread, error: <%d>.
$a_00_108 = {5b 50 52 4f 43 5d 3a 20 4c 69 73 74 69 6e 67 20 70 72 6f 63 65 73 73 65 73 3a } //1 [PROC]: Listing processes:
$a_00_109 = {5b 50 52 4f 43 53 5d 3a 20 50 72 6f 63 63 65 73 73 20 6c 69 73 74 2e } //1 [PROCS]: Proccess list.
$a_00_110 = {5b 43 44 4b 45 59 53 5d 3a 20 53 65 61 72 63 68 20 63 6f 6d 70 6c 65 74 65 64 2e } //1 [CDKEYS]: Search completed.
$a_00_111 = {5b 43 4d 44 5d 3a 20 52 65 6d 6f 74 65 20 73 68 65 6c 6c 20 61 6c 72 65 61 64 79 20 72 75 6e 6e 69 6e 67 2e } //1 [CMD]: Remote shell already running.
$a_00_112 = {5b 43 4d 44 5d 3a 20 52 65 6d 6f 74 65 20 73 68 65 6c 6c 20 72 65 61 64 79 2e } //1 [CMD]: Remote shell ready.
$a_00_113 = {5b 55 50 44 41 54 45 5d 3a 20 42 6f 74 20 49 44 20 6d 75 73 74 20 62 65 20 64 69 66 66 65 72 65 6e 74 20 74 68 61 6e 20 63 75 72 72 65 6e 74 20 72 75 6e 6e 69 6e 67 20 70 72 6f 63 65 73 73 2e } //1 [UPDATE]: Bot ID must be different than current running process.
$a_00_114 = {5b 46 49 4e 44 46 49 4c 45 5d 3a 20 53 65 61 72 63 68 69 6e 67 20 66 6f 72 20 66 69 6c 65 3a 20 25 73 20 69 6e 3a 20 25 73 2e } //1 [FINDFILE]: Searching for file: %s in: %s.
$a_00_115 = {46 6c 6f 6f 64 69 6e 67 3a 20 28 25 73 29 20 66 6f 72 20 25 73 20 73 65 63 6f 6e 64 73 2e } //1 Flooding: (%s) for %s seconds.
$a_00_116 = {46 61 69 6c 65 64 20 74 6f 20 73 74 61 72 74 20 66 6c 6f 6f 64 20 74 68 72 65 61 64 2c 20 65 72 72 6f 72 3a 20 3c 25 64 3e 2e } //1 Failed to start flood thread, error: <%d>.
$a_00_117 = {49 6e 76 61 6c 69 64 20 66 6c 6f 6f 64 20 74 69 6d 65 20 6d 75 73 74 20 62 65 20 67 72 65 61 74 65 72 20 74 68 61 6e 20 30 2e } //1 Invalid flood time must be greater than 0.
$a_00_118 = {5c 00 5c 00 5c 00 43 00 24 00 5c 00 31 00 32 00 33 00 34 00 35 00 36 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 } //1 \\\C$\123456111111111111
// Entries without decoded text are raw byte patterns; the source gives no text rendering for them.
$a_00_119 = {eb 19 5e 31 c9 81 e9 89 ff ff ff 81 36 80 bf 32 94 81 ee fc ff ff ff e2 f2 eb 05 e8 e2 ff ff ff 03 53 06 1f 74 57 75 95 80 bf bb 92 7f 89 5a 1a } //2
$a_00_120 = {eb 10 5a 4a 33 c9 66 b9 76 01 80 34 0a 99 e2 fa eb 05 e8 eb ff ff ff 70 61 99 99 99 c3 21 95 69 } //2
$a_00_121 = {46 00 58 00 4e 00 42 00 46 00 58 00 46 00 58 00 4e 00 42 00 46 00 58 00 46 00 58 00 46 00 58 00 46 00 58 00 ff ff ff ff } //1 FXNBFXFXNBFXFXFXFX (wide) followed by ff ff ff ff
$a_00_122 = {80 34 0a 99 e2 fa eb 05 e8 } //2 (the same 9 bytes also occur inside $a_00_120, so both can score on one file)
$a_00_123 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 5c 00 49 00 50 00 43 00 24 00 5c 00 45 45 } //2 127.0.0.1\IPC$\ (wide) followed by the raw bytes 45 45; the converter rendered that pair as a single CJK character
$a_00_124 = {5c 00 43 00 24 00 5c 00 31 00 32 00 33 00 34 00 35 00 36 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 2e 00 64 00 6f 00 63 } //1 \C$\123456 + a run of '1' + .doc (wide; the final 63 'c' has no 00 pad, so the pattern ends mid-character)
$a_00_125 = {25 69 2e 25 69 2e 25 69 2e 25 69 } //1 %i.%i.%i.%i
$a_00_126 = {70 95 98 99 99 c3 fd 38 a9 99 99 99 12 d9 95 12 e9 85 34 } //3
$a_00_127 = {71 93 99 c9 99 c9 99 c9 12 fd bd 91 fd 16 99 c9 c1 72 68 } //3
$a_00_128 = {35 2e 30 00 35 2e 31 } //1 5.0 <00> 5.1 (two NUL-separated ASCII strings)
$a_00_129 = {50 43 20 4e 45 54 57 4f 52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30 } //1 PC NETWORK PROGRAM 1.0
$a_00_130 = {6a 1a 99 59 f7 f9 56 80 c2 61 88 97 } //1
$a_00_131 = {75 1f 6a 01 5f 68 98 3a 00 00 } //1
$a_00_132 = {74 03 ff 4d fc 68 b8 0b 00 00 ff 15 } //2
$a_00_133 = {8d 45 f0 50 8d 45 ac 50 8d 85 a4 fd ff ff 50 57 6a 28 6a 01 57 8d 85 a8 } //3
$a_00_134 = {ff d6 33 d2 b9 e8 03 00 00 f7 f1 a3 } //1
$a_00_135 = {5b 25 2e 32 64 2d 25 2e 32 64 2d 25 34 64 20 25 2e 32 64 3a 25 2e 32 64 3a 25 2e 32 64 5d 20 25 73 } //1 [%.2d-%.2d-%4d %.2d:%.2d:%.2d] %s
$a_00_136 = {46 74 70 64 20 30 77 6e 73 20 6a 30 } //1 Ftpd 0wns j0
$a_00_137 = {32 32 31 20 47 6f 6f 64 62 79 65 20 68 61 70 70 79 20 72 30 30 74 69 6e 67 2e } //2 221 Goodbye happy r00ting.
$a_00_138 = {65 63 68 6f 20 6f 70 65 6e 20 25 73 20 25 64 20 3e 20 6f 26 65 63 68 6f 20 75 73 65 72 } //3 echo open %s %d > o&echo user
$a_00_139 = {28 6b 65 79 6c 6f 67 2e 70 } //1 (keylog.p
$a_01_140 = {5b 52 47 48 54 5d } //1 [RGHT]
$a_01_141 = {5b 4e 4d 4c 4b 5d } //1 [NMLK]
$a_01_142 = {21 6c 6f 67 69 6e } //1 !login
$a_00_143 = {6e 6f 77 20 61 6e 20 49 52 43 20 4f 70 65 72 61 74 6f 72 } //1 now an IRC Operator
$a_00_144 = {74 72 61 6e 73 66 65 72 20 63 6f 6d 70 6c 65 74 65 20 74 6f 20 49 50 3a 20 25 73 } //1 transfer complete to IP: %s
$a_00_145 = {61 74 74 65 6d 70 74 69 6e 67 20 74 6f 20 72 6f 6f 74 20 25 73 } //1 attempting to root %s
$a_00_146 = {6e 6f 77 20 65 78 65 63 75 74 69 6e 67 20 25 73 20 6f 6e 20 72 65 6d 6f 74 65 20 6d 61 63 68 69 6e 65 } //2 now executing %s on remote machine
$a_00_147 = {25 2a 73 20 25 5b 5e 2c 5d 2c 25 5b 5e 2c 5d 2c 25 5b 5e 2c 5d 2c 25 5b 5e 2c 5d 2c 25 5b 5e 2c 5d 2c 25 5b } //1 %*s %[^,],%[^,],%[^,],%[^,],%[^,],%[
$a_00_148 = {50 52 49 56 4d 53 47 20 25 73 20 3a 46 6f 75 6e 64 20 25 73 20 46 69 6c 65 73 20 61 6e 64 20 25 73 20 44 69 72 65 63 74 6f 72 69 65 73 } //2 PRIVMSG %s :Found %s Files and %s Directories
$a_00_149 = {50 52 49 56 4d 53 47 20 25 73 20 3a 25 2d 33 31 73 20 20 25 2d 32 31 73 } //1 PRIVMSG %s :%-31s %-21s
$a_00_150 = {25 73 20 25 73 20 48 54 54 50 2f 31 2e 31 } //1 %s %s HTTP/1.1
$a_00_151 = {70 6f 72 74 73 63 61 6e 2e 70 } //1 portscan.p
$a_00_152 = {69 66 20 65 78 69 73 74 20 22 25 25 31 22 20 67 6f 74 6f 20 72 65 70 65 61 74 } //2 if exist "%%1" goto repeat
$a_00_153 = {45 72 72 6f 72 20 73 65 6e 64 69 6e 67 20 70 61 63 6b 65 74 73 20 74 6f 20 49 50 3a 20 25 73 2e 20 50 61 63 6b 65 74 73 20 73 65 6e 74 3a 20 25 64 2e 20 52 65 74 75 72 6e 65 64 3a 20 3c 25 64 3e } //1 Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>
$a_00_154 = {5b 25 64 2d 25 64 2d 25 64 20 25 64 3a 25 64 3a 25 64 5d 20 25 73 } //1 [%d-%d-%d %d:%d:%d] %s
$a_00_155 = {25 73 20 28 43 68 61 6e 67 65 64 20 57 69 6e 64 6f 77 73 3a 20 25 73 29 } //1 %s (Changed Windows: %s)
$a_00_156 = {64 61 65 6d 6f 6e 2e 72 6c 6f 67 69 6e 2e 6f 6e } //1 daemon.rlogin.on
$a_00_157 = {72 6f 6f 74 2e 63 75 72 72 65 6e 74 69 70 } //1 root.currentip
$a_00_158 = {75 74 69 6c 2e 66 6c 75 73 68 64 6e 73 } //1 util.flushdns
$a_00_159 = {75 74 69 6c 2e 66 6c 75 73 68 61 72 70 } //1 util.flusharp
$a_00_160 = {2d 5b 4c 6f 67 69 6e 20 4c 69 73 74 5d 2d } //1 -[Login List]-
$a_00_161 = {63 6f 6d 2e 6f 63 6d 64 2e 6f 66 66 } //1 com.ocmd.off
$a_00_162 = {63 6f 6d 2e 6f 70 65 6e 63 6d 64 } //1 com.opencmd
$a_00_163 = {63 6f 6d 2e 64 72 69 76 65 69 6e 66 6f } //1 com.driveinfo
$a_00_164 = {63 6f 6d 2e 75 70 74 69 6d 65 } //1 com.uptime
$a_00_165 = {63 6f 6d 2e 68 61 72 76 65 73 74 } //1 com.harvest
$a_00_166 = {63 6f 6d 2e 70 72 6f 63 73 } //1 com.procs
$a_00_167 = {69 72 63 2e 72 6d 30 } //1 irc.rm0
$a_00_168 = {69 72 63 2e 72 65 6d 30 76 65 } //1 irc.rem0ve
$a_00_169 = {70 72 6f 78 79 2e 73 6f 63 6b 73 34 2e 6f 66 66 } //1 proxy.socks4.off
$a_00_170 = {70 72 6f 78 79 2e 73 6f 63 6b 73 34 2e 6f 6e } //1 proxy.socks4.on
// The only entry with a jump: "dmin" NUL, then 0-4 arbitrary bytes, then "adminis".
$a_02_171 = {64 6d 69 6e 00 [0-04] 61 64 6d 69 6e 69 73 } //2
$a_00_172 = {6d 49 52 43 20 76 36 2e 31 36 } //1 mIRC v6.16
$a_00_173 = {55 73 65 72 3a 20 25 73 20 6c 6f 67 67 65 64 20 69 6e 2e } //2 User: %s logged in.
$a_00_174 = {73 74 61 72 74 20 41 56 2f 46 57 20 6b 69 6c 6c 65 72 20 74 68 72 65 61 64 } //2 start AV/FW killer thread
$a_00_175 = {53 65 72 76 73 74 72 69 63 74 20 61 63 63 65 73 73 20 74 6f 20 74 68 65 20 49 50 43 24 } //2 Servstrict access to the IPC$
condition:
// Weighted score: each "(#x & 1) * N" contributes N at most once per string (the "& 1"
// collapses any hit count to 0 or 1). The two -100 terms are the exclusion strings above.
// Match when the total reaches 20.
((#a_00_0 & 1)*-100+(#a_00_1 & 1)*-100+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*1+(#a_00_9 & 1)*1+(#a_00_10 & 1)*1+(#a_00_11 & 1)*1+(#a_00_12 & 1)*1+(#a_00_13 & 1)*1+(#a_00_14 & 1)*1+(#a_00_15 & 1)*1+(#a_00_16 & 1)*1+(#a_00_17 & 1)*1+(#a_00_18 & 1)*1+(#a_00_19 & 1)*1+(#a_00_20 & 1)*1+(#a_00_21 & 1)*1+(#a_00_22 & 1)*1+(#a_00_23 & 1)*1+(#a_00_24 & 1)*1+(#a_00_25 & 1)*1+(#a_00_26 & 1)*2+(#a_00_27 & 1)*2+(#a_00_28 & 1)*2+(#a_00_29 & 1)*1+(#a_00_30 & 1)*1+(#a_00_31 & 1)*1+(#a_00_32 & 1)*1+(#a_00_33 & 1)*2+(#a_00_34 & 1)*1+(#a_00_35 & 1)*1+(#a_00_36 & 1)*1+(#a_00_37 & 1)*1+(#a_00_38 & 1)*1+(#a_00_39 & 1)*1+(#a_00_40 & 1)*1+(#a_00_41 & 1)*2+(#a_00_42 & 1)*2+(#a_00_43 & 1)*2+(#a_00_44 & 1)*1+(#a_00_45 & 1)*1+(#a_00_46 & 1)*1+(#a_00_47 & 1)*1+(#a_00_48 & 1)*1+(#a_00_49 & 1)*1+(#a_00_50 & 1)*1+(#a_00_51 & 1)*1+(#a_00_52 & 1)*1+(#a_00_53 & 1)*1+(#a_00_54 & 1)*1+(#a_00_55 & 1)*1+(#a_00_56 & 1)*1+(#a_00_57 & 1)*1+(#a_00_58 & 1)*1+(#a_00_59 & 1)*1+(#a_00_60 & 1)*1+(#a_00_61 & 1)*1+(#a_00_62 & 1)*1+(#a_00_63 & 1)*1+(#a_00_64 & 1)*1+(#a_00_65 & 1)*1+(#a_00_66 & 1)*1+(#a_00_67 & 1)*1+(#a_00_68 & 1)*1+(#a_00_69 & 1)*1+(#a_00_70 & 1)*1+(#a_00_71 & 1)*1+(#a_00_72 & 1)*1+(#a_00_73 & 1)*1+(#a_00_74 & 1)*1+(#a_00_75 & 1)*1+(#a_00_76 & 1)*1+(#a_01_77 & 1)*2+(#a_00_78 & 1)*1+(#a_00_79 & 1)*2+(#a_00_80 & 1)*2+(#a_00_81 & 1)*1+(#a_00_82 & 1)*1+(#a_00_83 & 1)*1+(#a_00_84 & 1)*1+(#a_00_85 & 1)*1+(#a_00_86 & 1)*1+(#a_00_87 & 1)*1+(#a_00_88 & 1)*1+(#a_00_89 & 1)*1+(#a_00_90 & 1)*3+(#a_00_91 & 1)*1+(#a_00_92 & 1)*1+(#a_00_93 & 1)*1+(#a_00_94 & 1)*1+(#a_00_95 & 1)*1+(#a_00_96 & 1)*1+(#a_00_97 & 1)*1+(#a_00_98 & 1)*1+(#a_00_99 & 1)*1+(#a_00_100 & 1)*1+(#a_00_101 & 1)*1+(#a_00_102 & 1)*1+(#a_00_103 & 1)*1+(#a_00_104 & 1)*1+(#a_00_105 & 1)*1+(#a_00_106 & 1)*1+(#a_00_107 & 1)*1+(#a_00_108 & 1)*1+(#a_00_109 & 1)*1+(#a_00_110 & 1)*1+(#a_00_111 & 1)*1+(#a_00_112 & 1)*1+(#a_00_113 & 1)*1+(#a_00_114 & 1)*1+(#a_00_115 & 1)*1+(#a_00_116 & 
1)*1+(#a_00_117 & 1)*1+(#a_00_118 & 1)*1+(#a_00_119 & 1)*2+(#a_00_120 & 1)*2+(#a_00_121 & 1)*1+(#a_00_122 & 1)*2+(#a_00_123 & 1)*2+(#a_00_124 & 1)*1+(#a_00_125 & 1)*1+(#a_00_126 & 1)*3+(#a_00_127 & 1)*3+(#a_00_128 & 1)*1+(#a_00_129 & 1)*1+(#a_00_130 & 1)*1+(#a_00_131 & 1)*1+(#a_00_132 & 1)*2+(#a_00_133 & 1)*3+(#a_00_134 & 1)*1+(#a_00_135 & 1)*1+(#a_00_136 & 1)*1+(#a_00_137 & 1)*2+(#a_00_138 & 1)*3+(#a_00_139 & 1)*1+(#a_01_140 & 1)*1+(#a_01_141 & 1)*1+(#a_01_142 & 1)*1+(#a_00_143 & 1)*1+(#a_00_144 & 1)*1+(#a_00_145 & 1)*1+(#a_00_146 & 1)*2+(#a_00_147 & 1)*1+(#a_00_148 & 1)*2+(#a_00_149 & 1)*1+(#a_00_150 & 1)*1+(#a_00_151 & 1)*1+(#a_00_152 & 1)*2+(#a_00_153 & 1)*1+(#a_00_154 & 1)*1+(#a_00_155 & 1)*1+(#a_00_156 & 1)*1+(#a_00_157 & 1)*1+(#a_00_158 & 1)*1+(#a_00_159 & 1)*1+(#a_00_160 & 1)*1+(#a_00_161 & 1)*1+(#a_00_162 & 1)*1+(#a_00_163 & 1)*1+(#a_00_164 & 1)*1+(#a_00_165 & 1)*1+(#a_00_166 & 1)*1+(#a_00_167 & 1)*1+(#a_00_168 & 1)*1+(#a_00_169 & 1)*1+(#a_00_170 & 1)*1+(#a_02_171 & 1)*2+(#a_00_172 & 1)*1+(#a_00_173 & 1)*2+(#a_00_174 & 1)*2+(#a_00_175 & 1)*2) >=20
}