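// Converted Microsoft Defender signature for Backdoor:Win32/Fledrots.A
// (signature type PEHSTR_EXT, per the description field).
//
// NOTE(review): the condition fires on any single pattern, and three of the
// four patterns are short, generic strings ("ping.php", "imgon", "&rst=1")
// that can each occur in benign files. Expect false positives if this rule is
// used for alerting or blocking as written. The leading "03 00" in the
// description looks like the source signature's match threshold; confirm it
// against the source record and tighten the condition (for example
// `3 of ($a_*)`) before deployment.
rule Backdoor_Win32_Fledrots_A{
    meta:
        description = "Backdoor:Win32/Fledrots.A,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 04 00 00 02 00 "

    strings :
        // Code pattern: push 0xF170; push 0x112; call rel32; push eax; call rel32; jmp short.
        // The two immediates equal SC_MONITORPOWER and WM_SYSCOMMAND.
        // The converted rule carried the bytes as
        //   68 70 f1 00 00 68 12 01 00 00 e8 90 01 04 50 e8 90 01 04 eb cd 90 00
        // where `90 01 04` sits exactly where each call's 4-byte displacement
        // belongs and `90 00` trails the pattern. These appear to be the source
        // format's "skip 4 bytes" and "end of pattern" markers left in as literal
        // bytes, which would stop the pattern from matching compiled code. They
        // are expressed as YARA wildcards here; confirm against the source signature.
        $a_03_0 = {68 70 f1 00 00 68 12 01 00 00 e8 ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? eb cd } //01 00
        $a_01_1 = {70 69 6e 67 2e 70 68 70 } //01 00 ping.php
        // ASCII "imgon" followed by a NUL terminator.
        $a_01_2 = {69 6d 67 6f 6e 00 } //01 00 imgon\0
        $a_01_3 = {26 72 73 74 3d 31 } //00 00 &rst=1

    condition:
        // Unchanged from the converted rule: one hit on any pattern is enough.
        any of ($a_*)
}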