12 lines
974 B
Plaintext
12 lines
974 B
Plaintext
|
|
rule TrojanDownloader_O97M_Lerkdoto_A{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Lerkdoto.A,SIGNATURE_TYPE_MACROHSTR_EXT,02 00 02 00 02 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {72 65 74 20 3d 20 44 65 73 6b 74 6f 70 54 6f 6f 6c 28 30 2c 20 55 52 4c 2c 20 73 74 72 53 61 76 65 50 61 74 68 2c 20 30 2c 20 30 29 } //01 00 ret = DesktopTool(0, URL, strSavePath, 0, 0)
|
|
$a_01_1 = {44 69 6d 20 77 73 68 20 41 73 20 4f 62 6a 65 63 74 0d 0a 20 20 20 20 20 20 20 20 53 65 74 20 77 73 68 20 3d 20 56 42 41 2e 43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 0d 0a 20 20 20 20 20 20 20 20 44 69 6d 20 77 61 69 74 4f 6e 52 65 74 75 72 6e 20 41 73 20 42 6f 6f 6c 65 61 6e 3a 20 77 61 69 74 4f 6e 52 65 74 75 72 6e 20 3d 20 54 72 75 65 0d 0a 20 20 20 20 20 20 20 20 44 69 6d 20 77 69 6e 64 6f 77 53 74 79 6c 65 20 41 73 20 49 6e 74 65 67 65 72 3a 20 77 69 6e 64 6f 77 53 74 79 6c 65 20 3d 20 31 0d 0a } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |