DefenderYara/Backdoor/Win32/Poison/Backdoor_Win32_Poison_BG.yar


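rule Backdoor_Win32_Poison_BG
{
    meta:
        description = "Backdoor:Win32/Poison.BG,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 07 00 00 01 00 "
        // NOTE(review): the header bytes in `description` look like Defender's
        // PEHSTR_EXT threshold/count fields (04 00 = threshold 4, 07 00 = 7 strings),
        // and the "01 00" that followed each string in the converted source is its
        // weight. Confirm against the VDM record before relying on the threshold.

    strings:
        // Each $a_01_* is the exact byte sequence carried over from the converted
        // signature; the trailing comment is its ASCII decoding (\0 = NUL, \r\n = CRLF).
        // The original comments held the same bytes mis-decoded as UTF-16LE.
        $a_01_0 = { 69 6f 71 3d 25 73 26 69 6f 71 3d 25 73 26 69 6f 71 3d 25 73 26 69 6f 71 3d 25 73 00 } // "ioq=%s&ioq=%s&ioq=%s&ioq=%s\0" - query-string format string
        $a_01_1 = { 73 65 61 72 63 68 3f 00 26 45 72 26 00 }                                              // "search?\0&Er&\0"
        $a_01_2 = { 68 74 74 70 3a 2f 2f 25 73 3a 25 64 2f 25 73 00 50 4f 53 54 00 }                      // "http://%s:%d/%s\0POST\0" - generic; common in benign HTTP code
        $a_01_3 = { 63 6d 64 20 73 68 65 6c 6c 20 63 6c 6f 73 65 64 00 }                                  // "cmd shell closed\0"
        $a_01_4 = { 6d 67 65 74 20 6f 76 65 72 26 66 61 69 6c 75 72 65 0d 0a }                            // "mget over&failure\r\n"
        $a_01_5 = { 43 72 65 61 74 65 20 70 69 70 65 20 66 61 69 6c 21 00 }                               // "Create pipe fail!\0" - generic error text
        $a_01_6 = { 4f 70 65 6e 20 48 4f 53 54 5f 55 52 4c 20 65 72 72 6f 72 00 }                         // "Open HOST_URL error\0"

    condition:
        // The converted rule used `any of ($a_*)`, which fires on a single hit of a
        // generic string such as $a_01_2 or $a_01_5 and so over-matches benign PE files.
        // Require 4 of the 7 strings, which is the threshold the signature header
        // appears to encode (each string weight 1, threshold 4).
        4 of ($a_*)
}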