14 lines
1.6 KiB
Plaintext
14 lines
1.6 KiB
Plaintext
|
|
rule Spammer_Win32_Retpaced_A{
|
|
meta:
|
|
description = "Spammer:Win32/Retpaced.A,SIGNATURE_TYPE_PEHSTR_EXT,0c 00 0c 00 04 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {4d 00 6f 00 7a 00 69 00 6c 00 6c 00 61 00 2f 00 35 00 2e 00 30 00 20 00 28 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 4e 00 54 00 20 00 36 00 2e 00 31 00 3b 00 20 00 57 00 4f 00 57 00 36 00 34 00 3b 00 20 00 72 00 76 00 3a 00 32 00 38 00 2e 00 30 00 29 00 20 00 47 00 65 00 63 00 6b 00 6f 00 2f 00 32 00 30 00 31 00 30 00 30 00 31 00 30 00 31 00 20 00 46 00 69 00 72 00 65 00 66 00 6f 00 78 00 2f 00 32 00 38 00 2e 00 30 00 } //2 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
|
|
$a_01_1 = {69 00 6d 00 61 00 67 00 65 00 2f 00 70 00 6e 00 67 00 2c 00 69 00 6d 00 61 00 67 00 65 00 2f 00 2a 00 3b 00 71 00 3d 00 30 00 2e 00 38 00 2c 00 2a 00 2f 00 2a 00 3b 00 71 00 3d 00 30 00 2e 00 35 00 } //2 image/png,image/*;q=0.8,*/*;q=0.5
|
|
$a_01_2 = {6b 00 6f 00 2d 00 6b 00 72 00 2c 00 6b 00 6f 00 3b 00 71 00 3d 00 30 00 2e 00 38 00 2c 00 65 00 6e 00 2d 00 75 00 73 00 3b 00 71 00 3d 00 30 00 2e 00 35 00 2c 00 65 00 6e 00 3b 00 71 00 3d 00 30 00 2e 00 33 00 } //2 ko-kr,ko;q=0.8,en-us;q=0.5,en;q=0.3
|
|
$a_01_3 = {68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 70 00 6f 00 70 00 61 00 6c 00 6c 00 2e 00 63 00 6f 00 6d 00 2f 00 6c 00 69 00 6e 00 2f 00 62 00 62 00 73 00 2e 00 68 00 74 00 6d 00 3f 00 63 00 6f 00 64 00 65 00 3d 00 74 00 61 00 6c 00 6b 00 69 00 6e 00 67 00 26 00 6d 00 6f 00 64 00 65 00 3d 00 31 00 } //6 http://popall.com/lin/bbs.htm?code=talking&mode=1
|
|
condition:
|
|
((#a_01_0 & 1)*2+(#a_01_1 & 1)*2+(#a_01_2 & 1)*2+(#a_01_3 & 1)*6) >=12
|
|
|
|
} |