DefenderYara/Backdoor/BAT/IRCbot/Backdoor_BAT_IRCbot_I.yar


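rule Backdoor_BAT_IRCbot_I {
    // IRC-bot command vocabulary ("!arme", "!http", "!tcp", "!udp", ...) plus the
    // "Botkiller" marker, as carried in the binary. Converted from a Defender
    // PEHSTR_EXT signature; the description keeps the original header bytes verbatim.
    meta:
        description = "Backdoor:BAT/IRCbot.I,SIGNATURE_TYPE_PEHSTR_EXT,08 00 08 00 08 00 00 01 00 "
    strings:
        // Text forms of the original hex patterns, byte-for-byte equivalent:
        // $a_01_0 is ASCII, every other indicator is UTF-16LE ("wide").
        // The trailing "// xx xx" annotations are copied from the dump unchanged.
        $a_01_0 = "Botkiller" ascii   // 01 00
        $a_01_1 = "!arme" wide        // 01 00
        $a_01_2 = "!http" wide        // 01 00
        $a_01_3 = "!tcp" wide         // 01 00
        $a_01_4 = "!slow" wide        // 01 00
        $a_01_5 = "!udp" wide         // 01 00
        $a_01_6 = "!ruskill" wide     // 01 00
        $a_01_7 = "!usb" wide         // 00 00
        // Dropped from the condition (kept here for provenance):
        //   $a_00_8 = {78 0b 01 00 } //09 00
        // A bare 4-byte pattern under "any of" fires on any file that contains those
        // four bytes and would dominate the false-positive rate of the whole rule.
        // It looks like trailing signature-record bytes rather than an indicator
        // (the per-string annotations are shifted by one at the tail) -- TODO confirm
        // against the source signature before restoring it.
    condition:
        // NOTE(review): the header bytes "08 00 08 00 08 00 00" may encode a match
        // threshold/count pair; if so, "any of" is looser than the source signature
        // and "8 of ($a_01_*)" would be the faithful translation. Verify before tightening.
        any of ($a_01_*)
}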
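rule Backdoor_BAT_IRCbot_I_2 {
    // Variant with the longer "!flood.<vector>" command set ("!flood.arme",
    // "!flood.http", "!flood.tcp", "!flood.slowloris", "!flood.udp") alongside
    // "!antivirus", "!botkill", "!ruskill", "!spread", "!download" and "!visit".
    // Converted from a Defender PEHSTR_EXT signature; the description keeps the
    // original header bytes verbatim.
    meta:
        description = "Backdoor:BAT/IRCbot.I,SIGNATURE_TYPE_PEHSTR_EXT,09 00 09 00 0b 00 00 01 00 "
    strings:
        // Text forms of the original hex patterns, byte-for-byte equivalent:
        // all indicators are UTF-16LE ("wide"). Trailing "// xx xx" annotations
        // are copied from the dump unchanged.
        $a_01_0  = "!antivirus" wide        // 01 00
        $a_01_1  = "!botkill" wide          // 01 00
        $a_01_2  = "!flood.arme" wide       // 01 00
        $a_01_3  = "!flood.http" wide       // 01 00
        $a_01_4  = "!flood.tcp" wide        // 01 00
        $a_01_5  = "!flood.slowloris" wide  // 01 00
        $a_01_6  = "!flood.udp" wide        // 01 00
        $a_01_7  = "!ruskill" wide          // 01 00
        $a_01_8  = "!spread" wide           // 01 00
        $a_01_9  = "!download" wide         // 01 00
        $a_01_10 = "!visit" wide            // 00 00
        // Dropped from the condition (kept here for provenance):
        //   $a_00_11 = {5d 04 00 00 23 } //15 03
        // A bare 5-byte pattern under "any of" fires on any file that contains those
        // bytes and would dominate the false-positive rate of the whole rule. It
        // looks like trailing signature-record bytes rather than an indicator (the
        // per-string annotations are shifted by one at the tail) -- TODO confirm
        // against the source signature before restoring it.
    condition:
        // NOTE(review): the header bytes "09 00 09 00 0b 00 00" may encode a match
        // threshold of 9 over 0x0b = 11 strings; if so, "any of" is looser than the
        // source signature and "9 of ($a_01_*)" would be the faithful translation.
        // Verify before tightening.
        any of ($a_01_*)
}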