14 lines
900 B
Plaintext
14 lines
900 B
Plaintext
|
|
rule Backdoor_Win32_VB_CCP{
|
|
meta:
|
|
description = "Backdoor:Win32/VB.CCP,SIGNATURE_TYPE_PEHSTR,04 00 04 00 04 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {57 00 61 00 72 00 6e 00 6e 00 69 00 6e 00 67 00 20 00 54 00 68 00 65 00 20 00 46 00 69 00 6c 00 65 00 20 00 49 00 6e 00 66 00 65 00 63 00 74 00 65 00 64 00 20 00 61 00 6e 00 64 00 20 00 69 00 73 00 20 00 64 00 61 00 6e 00 67 00 65 00 72 00 6f 00 75 00 73 00 20 00 66 00 6f 00 72 00 20 00 72 00 75 00 6e 00 } //1 Warnning The File Infected and is dangerous for run
|
|
$a_01_1 = {44 00 61 00 74 00 61 00 20 00 46 00 72 00 6f 00 6d 00 20 00 56 00 69 00 63 00 74 00 69 00 6d 00 } //1 Data From Victim
|
|
$a_01_2 = {5b 00 56 00 69 00 72 00 75 00 73 00 20 00 54 00 65 00 78 00 74 00 5d 00 } //1 [Virus Text]
|
|
$a_01_3 = {57 00 39 00 38 00 53 00 63 00 6b 00 } //1 W98Sck
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1) >=4
|
|
|
|
} |