14 lines
475 B
Plaintext
14 lines
475 B
Plaintext
|
|
rule Backdoor_Win32_Begman_C{
|
|
meta:
|
|
description = "Backdoor:Win32/Begman.C,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {10 74 61 73 6b 6b 69 6c 6c 20 2f 66 20 2f 69 6d 20 } //01 00
|
|
$a_03_1 = {56 42 4f 58 90 02 0f 51 45 4d 55 90 02 0a 55 8b ec 6a 00 6a 00 53 56 90 00 } //01 00
|
|
$a_01_2 = {65 78 70 61 6e 64 20 2d 72 20 } //01 00 expand -r
|
|
$a_01_3 = {77 75 73 61 2e 65 78 65 } //00 00 wusa.exe
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |