DefenderYara/Backdoor/Win32/Refpron/Backdoor_Win32_Refpron_I.yar


// Backdoor:Win32/Refpron.I — Microsoft Defender signature carried over to YARA.
// The meta description keeps the raw Defender header
// (SIGNATURE_TYPE_PEHSTR_EXT, 05 00 04 00 07 00 00 01 00). The "07 00" field
// matches the seven strings declared below; the leading "05 00 04 00" look like
// the original match threshold/minimum fields — TODO confirm against the
// converter's header layout before reading anything into them.
rule Backdoor_Win32_Refpron_I{
meta:
description = "Backdoor:Win32/Refpron.I,SIGNATURE_TYPE_PEHSTR_EXT,05 00 04 00 07 00 00 01 00 "
strings :
// The "//NN 00" trailer after each string is the per-string weight from the
// original signature. It is only a comment here, so the condition below does
// not enforce it.
// NOTE(review): in $a_03_* and $a_02_* the "90 xx" sequences (e.g. "90 02 06",
// "90 01 01", "90 0e 04 00", and the closing "90 00") appear to be the Defender
// signature's own escape/wildcard opcodes carried over verbatim. YARA matches
// them as literal bytes, so those strings are unlikely to hit real samples as
// written — verify how the converter handles these opcodes before relying on them.
$a_03_0 = {66 05 bf 58 90 09 0b 00 90 02 06 66 69 90 01 01 6d ce 90 00 } //02 00
// x86 fragment: "66 05 bf 58" decodes as add ax, 0x58bf; what follows depends on
// the opcode question above.
$a_03_1 = {68 00 10 00 00 90 02 04 6a 00 6a 06 a1 90 01 02 43 00 50 e8 90 09 04 00 00 90 90 03 00 90 00 } //01 00
// Looks like an x86 call setup: push 0x1000; push 0; push 6; mov eax,[0043xxxx];
// push eax; call … — presumably an API call with these arguments; confirm.
$a_01_2 = {63 00 00 00 02 00 00 00 5c 00 00 00 02 00 00 00 50 00 00 00 02 00 00 00 68 00 00 00 02 00 00 00 79 00 00 00 02 00 00 00 73 00 00 00 02 00 00 00 61 00 00 00 02 00 00 00 6c 00 00 00 02 00 00 00 4d 00 00 00 02 00 00 00 6d 00 00 00 02 00 00 00 6f 00 00 00 02 00 00 00 72 00 } //01 00
// ASCII characters spaced four bytes apart, each followed by 02 00 00 00:
// c \ P h y s a l M m o r — the surrounding structure is not recoverable from
// the bytes alone.
$a_02_3 = {00 53 65 74 20 90 0e 04 00 46 69 6c 65 20 90 0e 04 00 54 69 6d 65 20 90 0e 04 00 53 75 63 63 65 73 73 66 75 6c 6c 79 21 21 21 00 90 00 } //01 00
// Literal text "Set ", "File ", "Time ", "Successfully!!!" separated by
// "90 0e 04 00" sequences (see the opcode note above).
$a_01_4 = {61 64 6c 69 6e 6b 3d 00 ff ff ff ff 06 00 00 00 63 6c 69 63 6b 3d 00 00 ff ff ff ff 07 00 00 00 69 73 48 69 74 73 3d 00 } //01 00
// Literal text "adlink=", "click=", "isHits=", the latter two each preceded by
// ff ff ff ff plus a 32-bit length (6 and 7) — consistent with Delphi
// long-string headers (inferred from the layout, not confirmed).
$a_01_5 = {00 6e 72 6e 64 66 6f 72 63 74 72 32 3d 00 } //01 00 nrndforctr2= (NUL-delimited)
$a_01_6 = {26 62 6f 72 64 65 72 5f 63 6f 6c 6f 72 3d 46 46 46 46 46 46 26 6e 65 77 77 69 6e 3d 26 7a 73 3d 26 77 69 64 74 68 3d } //00 00 &border_color=FFFFFF&newwin=&zs=&width=
// NOTE(review): a plain URL query fragment. Short text like this can occur in
// benign software, and its original weight is recorded as 00 00, so on its own
// it is a weak indicator.
condition:
// Fires on any single string. This is looser than the weighted threshold the
// header and per-string weights suggest; consider a weighted or count-based
// condition (for example requiring one of the code-level strings alongside a
// text string) and tune against known-good samples to limit false positives.
any of ($a_*)
}