13 lines
518 B
Plaintext
13 lines
518 B
Plaintext
|
|
rule TrojanDropper_Win32_IRCbot_B{
|
|
meta:
|
|
description = "TrojanDropper:Win32/IRCbot.B,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 03 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {01 3e 8b 06 c6 00 e9 83 c4 0c ff 06 8b 06 2b d8 8d 4c 3b fc 89 08 83 c8 ff 2b c7 01 06 } //01 00
|
|
$a_00_1 = {73 6b 6f 70 66 6b 77 6f 70 74 65 72 74 65 72 70 6f 74 65 72 69 6f } //01 00 skopfkwopterterpoterio
|
|
$a_03_2 = {8b 44 24 0c 56 8d 0c 06 e8 90 01 01 ff ff ff 30 01 83 c4 04 46 3b f7 7c e9 90 00 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |