DefenderYara/TrojanSpy/Win32/Goldun/TrojanSpy_Win32_Goldun_BZ.yar


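/*
  TrojanSpy_Win32_Goldun_BZ

  String-based rule for the family Microsoft Defender names
  TrojanSpy:Win32/Goldun.BZ. It fires when at least four of the six byte
  patterns below are present in the scanned data.

  All six patterns are plain ASCII. They decode to a mail-account registry
  path and to the separators / format strings of a text report that lists
  mail accounts, servers and passwords.

  Triage notes:
    - The rule has no file-type or size constraint; it matches any buffer
      (file or process memory) containing the strings.
    - Each string alone is weak. The registry path in $a_01_0 can also occur in
      legitimate mail or password-recovery software, so the 4-of-6 threshold
      is what carries the detection. Treat a hit as a lead to confirm, not a
      verdict.
*/
rule TrojanSpy_Win32_Goldun_BZ {
    meta:
        // Defender signature header. The trailing bytes presumably encode the
        // threshold (4) and string count (6) - consistent with the condition
        // below, but not verifiable from this file alone.
        description = "TrojanSpy:Win32/Goldun.BZ,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 06 00 00 "

    strings:
        // "SOFTWARE\Microsoft\Internet Account Manager\Accounts\0Identities\0POP3 Password2\0"
        // Registry key and value names for stored mail-account credentials.
        $a_01_0 = {53 4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 6f 66 74 5c 49 6e 74 65 72 6e 65 74 20 41 63 63 6f 75 6e 74 20 4d 61 6e 61 67 65 72 5c 41 63 63 6f 75 6e 74 73 00 49 64 65 6e 74 69 74 69 65 73 00 50 4f 50 33 20 50 61 73 73 77 6f 72 64 32 00 } // weight 1

        // "8907300\0\r\n" - meaning not evident from the rule; sample-specific constant.
        $a_01_1 = {38 39 30 37 33 30 30 00 0d 0a } // weight 1

        // "\r\n-==; Account\r\n" - section header of the text report.
        $a_01_2 = {0d 0a 2d 3d 3d 3b 20 41 63 63 6f 75 6e 74 0d 0a } // weight 1

        // " ; Protected Storage:\r\n" - section header of the text report.
        $a_01_3 = {20 3b 20 50 72 6f 74 65 63 74 65 64 20 53 74 6f 72 61 67 65 3a 0d 0a } // weight 1

        // "%s ; mailserv: %s ; password: %s\r\n" - printf-style line for one account.
        $a_01_4 = {25 73 20 3b 20 6d 61 69 6c 73 65 72 76 3a 20 25 73 20 3b 20 70 61 73 73 77 6f 72 64 3a 20 25 73 0d 0a } // weight 1

        // " ; TheBat passwords\r\n\0GET" - section header followed by the start of the next string ("GET").
        $a_01_5 = {20 3b 20 54 68 65 42 61 74 20 70 61 73 73 77 6f 72 64 73 0d 0a 00 47 45 54 } // weight 1

    condition:
        // Count each pattern once if it is present at all. The generated form
        // "(#s & 1)*1" took the parity of the match count, so a pattern that
        // occurred an even number of times contributed 0 and a real sample
        // could fall below the threshold. All weights are 1, so presence
        // counting with a threshold of 4 expresses the intended score.
        4 of ($a_01_*)
}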