DefenderYara/Backdoor/Win32/Sharke/Backdoor_Win32_Sharke_F.yar


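// Backdoor:Win32/Sharke.F - detection rule converted from a Defender
// PEHSTR_EXT signature. Each string carries a weight (10 for the primary
// marker, 1 for every other string) and the signature fires when the
// weights of the strings present sum to at least 16. A string counts once
// regardless of how many times it occurs in the scanned file.
rule Backdoor_Win32_Sharke_F
{
    meta:
        description = "Backdoor:Win32/Sharke.F,SIGNATURE_TYPE_PEHSTR_EXT,10 00 10 00 08 00 00 "

    strings:
        // All patterns are UTF-16LE; the decoded text follows each one.
        $a_00_0 = {73 00 68 00 61 00 72 00 4b 00 5c 00 53 00 65 00 72 00 76 00 65 00 72 00 } // weight 10: sharK\Server
        $a_00_1 = {43 00 3a 00 5c 00 75 00 70 00 64 00 61 00 74 00 65 00 5f 00 73 00 76 00 72 00 5f 00 64 00 69 00 2e 00 65 00 78 00 65 00 } // weight 1: C:\update_svr_di.exe
        $a_00_2 = {25 00 41 00 43 00 43 00 48 00 45 00 43 00 4b 00 25 00 } // weight 1: %ACCHECK%
        $a_00_3 = {50 00 41 00 4e 00 49 00 43 00 5f 00 4b 00 49 00 4c 00 4c 00 } // weight 1: PANIC_KILL
        $a_00_4 = {4f 00 4b 00 4f 00 4b 00 4f 00 4b 00 4f 00 4b 00 4f 00 4b 00 } // weight 1: OKOKOKOKOK
        $a_00_5 = {5c 00 72 00 65 00 67 00 73 00 73 00 76 00 72 00 33 00 32 00 2e 00 62 00 61 00 74 00 } // weight 1: \regssvr32.bat
        $a_00_6 = {72 00 6d 00 64 00 69 00 72 00 20 00 22 00 } // weight 1: rmdir "
        $a_01_7 = {69 00 4c 00 79 00 42 00 6b 00 } // weight 1: iLyBk

    condition:
        // Maximum score is 10 + 7*1 = 17 and the threshold is 16, so a hit
        // requires the weight-10 marker plus at least six of the seven
        // weight-1 strings. Expressed as presence tests rather than the
        // (#s & 1) arithmetic of the generated form, which is a parity test:
        // a string occurring an even number of times (e.g. twice) scored 0
        // and could silently drop a sample below the threshold.
        $a_00_0 and 6 of ($a_00_1, $a_00_2, $a_00_3, $a_00_4, $a_00_5, $a_00_6, $a_01_7)
}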