13 lines
768 B
Plaintext
13 lines
768 B
Plaintext
|
|
rule Trojan_O97M_Donoff_SE_MSR{
|
|
meta:
|
|
description = "Trojan:O97M/Donoff.SE!MSR,SIGNATURE_TYPE_MACROHSTR_EXT,03 00 03 00 03 00 00 "
|
|
|
|
strings :
|
|
$a_03_0 = {43 61 6c 6c 42 79 4e 61 6d 65 20 43 6c 61 73 73 [0-02] 2e [0-10] 2c 20 22 [0-10] 22 20 26 20 22 [0-10] 22 2c 20 56 62 4d 65 74 68 6f 64 2c 20 22 [0-10] 2e 65 22 20 26 20 22 22 20 2b 20 22 78 65 22 2c 20 32 } //1
|
|
$a_00_1 = {45 78 65 63 75 74 65 45 78 63 65 6c 34 4d 61 63 72 6f 20 22 4d 45 53 53 41 47 45 28 46 61 6c 73 65 2c } //1 ExecuteExcel4Macro "MESSAGE(False,
|
|
$a_00_2 = {46 43 46 42 33 44 32 41 2d 41 30 46 41 2d 31 30 36 38 2d 41 37 33 38 2d 30 38 30 30 32 42 33 33 37 31 42 35 } //1 FCFB3D2A-A0FA-1068-A738-08002B3371B5
|
|
condition:
|
|
((#a_03_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1) >=3
|
|
|
|
} |