DefenderYara/Backdoor/Win32/Bearote/Backdoor_Win32_Bearote_B.yar


// Defender signature Backdoor:Win32/Bearote.B converted to YARA. The meta
// description carries the raw PEHSTR_EXT header as-is; its leading values
// (05 00 05 00, then 07 00 = seven strings) look like a weighted match
// threshold of 5 that the `any of` condition below does not reproduce —
// TODO confirm against the converter before relying on this rule.
// The $a_03_* strings appear to contain Defender's wildcard encoding rather
// than literal bytes (90 01 NN = exactly NN wildcard bytes, 90 02 NN = up to
// NN wildcard bytes, 90 00 = end marker): in $a_03_0 the bytes following the
// e8 (call) opcode are 90 01 02 ff ff, which only lines up with a rel32 call
// if 90 01 02 stands for two wildcard bytes. YARA reads 90 as a literal 0x90,
// so these three strings likely never match as written.
rule Backdoor_Win32_Bearote_B{
meta:
description = "Backdoor:Win32/Bearote.B,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 07 00 00 01 00 "
strings :
// x86: mov ecx,6 / mov edx,1 / mov eax,2 / call <rel32> / mov [ebp-0Ch],eax /
// cmp dword [ebp-0Ch],-1 / je +0x10 / test bl,bl / jne +0x0c
$a_03_0 = {b9 06 00 00 00 ba 01 00 00 00 b8 02 00 00 00 e8 90 01 02 ff ff 89 45 f4 83 7d f4 ff 74 10 84 db 75 0c 90 00 } //01 00
// x86: je / cmp eax,274Ch / je / cmp eax,2733h / je / cmp eax,2736h / je —
// 10060, 10035 and 10038 are the Winsock errors WSAETIMEDOUT, WSAEWOULDBLOCK
// and WSAENOTSOCK, i.e. an error-handling branch after a socket call
$a_01_1 = {74 19 3d 4c 27 00 00 74 12 3d 33 27 00 00 74 0b 3d 36 27 00 00 74 04 } //01 00
// ".dll\0Install" <up to 8 wildcard bytes> "ServiceMain\0Unstall" — reads like
// the export-name table of a service DLL (presumably; not verifiable here)
$a_03_2 = {2e 64 6c 6c 00 49 6e 73 74 61 6c 6c 90 02 08 53 65 72 76 69 63 65 4d 61 69 6e 00 55 6e 73 74 61 6c 6c 90 00 } //01 00
// "\htmlfile\shell\open\command\0" — a registry path that also appears in
// plenty of benign software, so on its own it is a weak indicator
$a_01_3 = {5c 68 74 6d 6c 66 69 6c 65 5c 73 68 65 6c 6c 5c 6f 70 65 6e 5c 63 6f 6d 6d 61 6e 64 00 } //01 00
// "WinXpMemory\0" (the earlier comment showed these same bytes mis-decoded as UTF-16)
$a_01_4 = {57 69 6e 58 70 4d 65 6d 6f 72 79 00 } //01 00 WinXpMemory
$a_01_5 = {5c 44 65 6c 45 78 2e 62 61 74 } //01 00 \DelEx.bat
// "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" <up to 16 wildcard bytes> ".uns"
// — the Svchost group key is read by many legitimate service installers
$a_03_6 = {53 4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 20 4e 54 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 53 76 63 68 6f 73 74 90 02 10 2e 75 6e 73 90 00 } //00 00
condition:
// A single string hit is enough here. Because $a_01_3 and $a_03_6 are generic
// registry paths, expect false positives; if the header really encodes a
// threshold of 5, `5 of them` would be closer to the original signature.
any of ($a_*)
}