DefenderYara/Backdoor/Win32/VB/Backdoor_Win32_VB_UH.yar


// Detection rule for Backdoor:Win32/VB.UH. The three strings are byte patterns
// (two UTF-16LE, one ASCII) and the rule fires when any single one matches.
rule Backdoor_Win32_VB_UH{
meta:
// The description is the Defender signature identifier plus the signature type
// (PEHSTR_EXT) and its raw header bytes, carried over verbatim rather than a prose summary.
description = "Backdoor:Win32/VB.UH,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 03 00 00 01 00 "
strings :
// UTF-16LE "exe" followed, after intervening bytes, by UTF-16LE ".exe".
// NOTE(review): the 90 02 10 / 90 01 01 / trailing 90 00 sequences in both $a_02_*
// strings (absent from the $a_01_* string) look like Defender wildcard/jump opcodes
// copied from the source signature; as written YARA matches them as literal bytes,
// which would make these patterns much narrower than the original — confirm.
$a_02_0 = {d3 93 06 00 00 00 65 00 78 00 65 00 90 02 10 90 01 01 00 90 01 01 00 2e 00 65 00 78 00 65 00 00 00 00 00 0e 90 00 } //01 00
// UTF-16LE "*\AG:\AYO X Logger\AYO Spy", then the 90 02 30 sequence, then UTF-16LE ".vbp"
// (the suffix resembles a VB6 project file name). Same wildcard caveat as above.
$a_02_1 = {2a 00 5c 00 41 00 47 00 3a 00 5c 00 41 00 59 00 4f 00 20 00 58 00 20 00 4c 00 6f 00 67 00 67 00 65 00 72 00 5c 00 41 00 59 00 4f 00 20 00 53 00 70 00 79 00 90 02 30 2e 00 76 00 62 00 70 00 90 00 } //01 00
// ASCII "ols\0ti\0\0tight" (NUL bytes embedded). NOTE(review): this 13-byte fragment is
// not obviously specific to the family, and because the condition accepts any single
// string, it can trigger the rule on its own — worth checking the false-positive rate.
$a_01_2 = {6f 6c 73 00 74 69 00 00 74 69 67 68 74 } //00 00
condition:
// One matching string is enough. The trailing "//NN 00" comments after each string are
// presumably per-string values from the Defender format; YARA ignores them, so they do
// not weight or gate the match.
any of ($a_*)
}