
// Microsoft Defender PEHSTR_EXT signature for TrojanSpy:Win32/Lurk.E, expressed as a YARA rule.
// Each $a_* string carries a weight in its trailing //N comment; the weights sum to 7 and the
// condition requires at least 4, so no single string is sufficient on its own.
rule TrojanSpy_Win32_Lurk_E{
meta:
description = "TrojanSpy:Win32/Lurk.E,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 06 00 00 "
strings :
// x86: mov edi,eax / pop ecx / cmp edi,ebx / je; then push esi, push 0x40, push 0x3000,
// two stack-argument pushes around push ebx, an indirect import call, mov esi,eax / cmp esi,ebx.
// The 0x3000 / 0x40 constant pair is consistent with a VirtualAlloc-family call
// (MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) whose result is compared against ebx;
// the exact API is not visible in the bytes.
$a_03_0 = {8b f8 59 3b fb 74 ?? 56 6a 40 68 00 30 00 00 ff 75 ?? 53 ff 75 ?? ff 15 ?? ?? ?? ?? 8b f0 3b f3 } //1
// x86: je; five pushes (ebx, three [ebp+?] arguments, esi) and an indirect import call,
// test eax,eax / je; then push [ebp+8], add edi,esi, call edi — control transfer to a
// computed address (edi = base + offset), result kept in ebx.
$a_03_1 = {74 1e 53 ff 75 ?? ff 75 ?? 56 ff 75 ?? ff 15 ?? ?? ?? ?? 85 c0 74 ?? ff 75 08 03 fe ff d7 8b d8 } //1
// x86 byte-fill routine: movzx the byte argument, imul by 0x01010101 to replicate it across a
// dword, rep stosd for the bulk and rep stosb for the remaining (len & 3) bytes — the shape of a
// compiler/CRT memset. Generic library code, hence weight 1; only meaningful in combination.
$a_03_2 = {8b 4c 24 0c 85 c9 74 ?? 0f b6 44 24 08 69 c0 01 01 01 01 8b d1 53 57 8b 7c 24 0c c1 e9 02 f3 ab 8b ca 83 e1 03 f3 aa 5f } //1
// ASCII "DllGetClassObject" followed within 0-8 bytes by ASCII "pngfilt".
$a_02_3 = {44 6c 6c 47 65 74 43 6c 61 73 73 4f 62 6a 65 63 74 [0-08] 70 6e 67 66 69 6c 74 } //1
// Stack-built form of the same text: "pngf" (tail of a preceding imm32) followed by
// mov dword [ebp+??],imm32 writing "ilt\0", "DllG", "etCl" in turn. Runtime assembly of the
// "pngfilt" / "DllGetClassObject" strings is the stronger indicator, hence weight 2.
$a_03_4 = {70 6e 67 66 c7 45 ?? 69 6c 74 00 c7 45 ?? 44 6c 6c 47 c7 45 ?? 65 74 43 6c } //2
// x86: cmp ebx,esi / je; lea eax,[ebp-4] / push eax, push 0x40, push [ebp+10h], push edi,
// indirect import call, test eax,eax / je; then push [ebp+8], add ebx,edi, call ebx.
// Four arguments with an out-pointer and 0x40 are consistent with
// VirtualProtect(addr, size, PAGE_EXECUTE_READWRITE, &old) followed by a call into the
// affected region; the exact API is not visible in the bytes.
$a_03_5 = {3b de 74 23 8d 45 fc 50 6a 40 ff 75 10 57 ff 15 ?? ?? ?? ?? 85 c0 74 0f ff 75 08 03 df ff d3 } //1
condition:
// Weighted sum of string hits must reach 4 of a possible 7.
// NOTE(review): "#x & 1" is the low bit of the match count, not a presence cap — a string
// that matches an even number of times contributes 0 to the sum. If the intent is "present
// at least once" (the usual reading of a PEHSTR weight), "(#x > 0)" would express it exactly.
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_02_3 & 1)*1+(#a_03_4 & 1)*2+(#a_03_5 & 1)*1) >=4
}