DefenderYara/TrojanSpy/Win32/Shiotob/TrojanSpy_Win32_Shiotob_A.yar


// Microsoft Defender signature exported to YARA. SIGNATURE_TYPE_PEHSTR_EXT is a
// weighted PE-string signature: every string carries a weight in its trailing
// comment and the rule fires when the summed weights reach 5 (see condition).
// Identifier suffixes appear to mirror the export format: $a_03_* are wildcarded
// code patterns, $a_00_* exact byte strings -- inferred from naming, not documented.
rule TrojanSpy_Win32_Shiotob_A{
meta:
// In "05 00 05 00 07 00 00" the 05 00 fields look like the match threshold (5)
// and 07 00 the number of strings (7); both agree with the condition below (hedged).
description = "TrojanSpy:Win32/Shiotob.A,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 07 00 00 "
strings :
// x86 decode: mov eax,eax; cmp ah,'0'; jl ?; cmp ah,'9'; jg ?; sub ah,'0'; jmp ?;
// cmp ah,'A'; jl ?; cmp ah,'F'; jg ?; sub ah,'A'; add ah,10 -> converts one ASCII
// hex digit held in AH into its 0..15 value. The rel8 jump targets are wildcarded.
$a_03_0 = {8b c0 80 fc 30 7c ?? 80 fc 39 7f ?? 80 ec 30 eb ?? 80 fc 41 7c ?? 80 fc 46 7f ?? 80 ec 41 80 c4 0a } //2
// x86 decode: push 0; push 2; call [imm32]; mov ebx,eax; cmp ebx,-1; je ?;
// mov dword [ebp+disp32],0x128; lea eax,[ebp+...]. The immediates (2, -1, 0x128 = 296)
// are consistent with CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0), an
// INVALID_HANDLE_VALUE check and dwSize = sizeof(PROCESSENTRY32), i.e. a process
// enumeration prologue -- inferred from the constants only; the call target is wildcarded.
$a_03_1 = {6a 00 6a 02 ff 15 ?? ?? ?? ?? 8b d8 83 fb ff 74 ?? c7 85 ?? ?? ?? ?? 28 01 00 00 8d 85 } //2
// ASCII, NUL-separated: "&osver=" "&ipcnf=" "&sckport=" "&cmobj=" -- query-string
// parameter names, presumably for a check-in request; verify against a sample.
$a_00_2 = {26 6f 73 76 65 72 3d 00 26 69 70 63 6e 66 3d 00 26 73 63 6b 70 6f 72 74 3d 00 26 63 6d 6f 62 6a 3d } //2
// ASCII: "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe"
// NUL NUL "Debugger" -- the IFEO Debugger value for userinit.exe, a logon-time
// persistence/hijack location worth auditing on a host that triggers this rule.
$a_00_3 = {53 4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 20 4e 54 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 49 6d 61 67 65 20 46 69 6c 65 20 45 78 65 63 75 74 69 6f 6e 20 4f 70 74 69 6f 6e 73 5c 75 73 65 72 69 6e 69 74 2e 65 78 65 00 00 44 65 62 75 67 67 65 72 } //2
// AppCertDlls: DLLs listed under this key are loaded into newly created processes;
// another known persistence location. Note the hard-coded ControlSet001 rather
// than CurrentControlSet.
$a_00_4 = {53 59 53 54 45 4d 5c 43 6f 6e 74 72 6f 6c 53 65 74 30 30 31 5c 43 6f 6e 74 72 6f 6c 5c 53 65 73 73 69 6f 6e 20 4d 61 6e 61 67 65 72 5c 41 70 70 43 65 72 74 44 6c 6c 73 } //1 SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls
// Short ASCII tokens, presumably command-line switches; low weight because they
// are common in benign software.
$a_00_5 = {2d 75 70 64 61 74 65 } //1 -update
$a_00_6 = {2d 61 75 74 6f 72 75 6e } //1 -autorun
condition:
// Weighted sum: the four code/registry/query-string patterns count 2 each, the
// three short tokens 1 each (maximum 11); threshold 5, so at least two of the
// weight-2 strings plus one more, or three weight-2 strings, are needed.
// NOTE(review): "#x & 1" is the low bit of the match COUNT, not a presence test --
// a string that occurs an even number of times (e.g. exactly twice) contributes 0.
// A presence test would be "#x > 0" (or plain "$x"); kept as exported.
((#a_03_0 & 1)*2+(#a_03_1 & 1)*2+(#a_00_2 & 1)*2+(#a_00_3 & 1)*2+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1) >=5
}