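rule Backdoor_Win32_Zegost_BE
{
    // Converted from a Microsoft Defender PEHSTR_EXT signature: five weighted
    // byte strings, threshold 4 (the "04 00 04 00 05 00 00" header below).
    meta:
        description = "Backdoor:Win32/Zegost.BE,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 05 00 00 "

    strings:
        // Each pattern is the original ASCII bytes including the trailing NUL;
        // the decoded text is given for readability only.
        // "Global\air %d\0" -- weight 1
        $a_01_0 = {47 6c 6f 62 61 6c 5c 61 69 72 20 25 64 00 }
        // "KBDLoger\0" -- weight 1
        $a_01_1 = {4b 42 44 4c 6f 67 65 72 00 }
        // ",HighSystem %s\0" -- weight 1
        $a_01_2 = {2c 48 69 67 68 53 79 73 74 65 6d 20 25 73 00 }
        // "exe.dmc\\0" (reversed "\cmd.exe") -- weight 1
        $a_01_3 = {65 78 65 2e 64 6d 63 5c 00 }
        // "[EXECUTE_key]\0" -- weight 1
        $a_01_4 = {5b 45 58 45 43 55 54 45 5f 6b 65 79 5d 00 }

    condition:
        // The original condition summed `(#a_01_N & 1) * 1` for each string.
        // `#x` is the match COUNT, so `& 1` is 1 only for an odd count: a
        // string occurring e.g. twice in a sample contributed 0 to the sum and
        // could drop a genuine hit below the threshold. All weights are 1 and
        // the intent is presence, so "at least 4 of the 5 strings present"
        // is the faithful form.
        4 of ($a_01_*)
}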