DefenderYara/Backdoor/Win32/PcClient/Backdoor_Win32_PcClient_DU.yar


// Backdoor:Win32/PcClient.DU — byte-pattern signature exported from a
// Microsoft Defender SIGNATURE_TYPE_PEHSTR_EXT record into YARA syntax.
// NOTE(review): the header bytes kept in `description` look like a match
// threshold (0a 00 = 10) over 13 (0d 00) weighted strings, and the trailing
// `//NN 00` comment on each string looks like a per-string weight from the
// original signature. The condition below does not apply those weights — confirm
// against the converter before treating this rule as equivalent to the original.
rule Backdoor_Win32_PcClient_DU{
meta:
description = "Backdoor:Win32/PcClient.DU,SIGNATURE_TYPE_PEHSTR_EXT,0a 00 0a 00 0d 00 00 02 00 "
strings :
// NOTE(review): in the $a_02_*/$a_03_* strings the `90 01 NN`, `90 02 NN` and
// terminating `90 00` sequences appear to be the original signature's wildcard /
// jump encoding rather than literal bytes. As written, YARA matches them literally,
// so those strings are unlikely to hit a real sample — verify how the exporter is
// meant to translate them (YARA `[n]` / `[n-m]` jumps) before relying on them.
// Appears to be x86: mov dword [ebp+?],1 / mov cx,[ebp+?] / mov [ebp-24h],cx /
// cmp dword [ebp+?],1F49h / jnz — the `90 01 01` bytes sit where displacements would be.
$a_03_0 = {44 00 00 00 c7 45 90 01 01 01 00 00 00 66 8b 4d 90 01 01 66 89 4d dc 81 7d 90 01 01 49 1f 00 00 75 7f 90 00 } //02 00
// Looks like mov dword [eax],'WinS' / mov dword [eax+4],'ta0\0' — immediates spell "WinSta0"
$a_01_1 = {c7 00 57 69 6e 53 c7 40 04 74 61 30 00 61 eb 00 } //02 00 WinS ta0
// Immediates spell "GET " "/ HT" "TP/1" ".1\r\n" — an HTTP request line assembled in 4-byte stores
$a_01_2 = {47 45 54 20 c7 40 04 2f 20 48 54 c7 40 08 54 50 2f 31 c7 40 0c 2e 31 0d 0a } //02 00 GET / HTTP/1.1
$a_03_3 = {6d 79 73 65 c7 90 01 05 72 76 65 72 c7 90 01 05 70 6f 72 74 90 00 } //02 00 myse..rver..port (cf. $a_01_9 "serverport")
$a_03_4 = {72 76 65 72 c7 90 01 05 61 64 64 72 90 00 } //02 00 rver..addr (cf. $a_01_11 "myserveraddr")
$a_02_5 = {3d 25 64 3b 90 01 04 69 64 3d 25 73 90 00 } //02 00 =%d;..id=%s
$a_02_6 = {47 6c 6f 62 61 6c 5c 25 73 2d 90 01 03 2d 65 76 65 6e 90 00 } //02 00 Global\%s-..-even (named kernel object prefix)
$a_02_7 = {47 6c 6f 62 61 6c 5c 25 73 2d 90 01 03 2d 6d 65 74 75 90 00 } //01 00 Global\%s-..-metu (named kernel object prefix)
$a_01_8 = {25 30 32 64 25 30 34 64 25 30 32 64 2f 25 30 32 64 25 30 32 64 25 30 32 64 2f 25 64 2e 6a 73 70 } //01 00 %02d%04d%02d/%02d%02d%02d/%d.jsp
$a_01_9 = {73 65 72 76 65 72 70 6f 72 74 } //01 00 serverport
$a_01_10 = {6d 79 74 68 72 65 61 64 69 64 } //01 00 mythreadid
$a_01_11 = {6d 79 73 65 72 76 65 72 61 64 64 72 } //01 00 myserveraddr
$a_03_12 = {25 30 38 78 2e 74 6d 70 90 02 15 25 73 5c 2a 2e 2a 90 00 } //00 00 %08x.tmp..%s\*.*
condition:
// NOTE(review): `any of` makes a lone short ASCII atom such as $a_01_9 ("serverport")
// or $a_01_10 ("mythreadid") sufficient to fire, even though the exported header
// suggests the original required a weighted score of 10. Expect false positives on
// benign binaries if this is used for blocking; it is better suited to hunting/triage
// until the weights are reflected in the condition.
any of ($a_*)
}