15 lines
1.5 KiB
Plaintext
15 lines
1.5 KiB
Plaintext
|
|
rule TrojanDownloader_O97M_Powdow_ARJ_MTB{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Powdow.ARJ!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,05 00 05 00 05 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {49 66 20 52 69 67 68 74 24 28 43 75 72 46 6f 6c 64 65 72 2c 20 31 29 20 3c 3e 20 22 5c 22 20 54 68 65 6e 20 43 75 72 46 6f 6c 64 65 72 20 3d 20 43 75 72 46 6f 6c 64 65 72 20 26 20 22 5c 22 } //01 00 If Right$(CurFolder, 1) <> "\" Then CurFolder = CurFolder & "\"
|
|
$a_03_1 = {73 74 72 54 65 6d 70 20 3d 20 43 68 72 28 56 61 6c 28 22 26 48 22 20 2b 20 4d 69 64 28 90 02 10 2c 20 69 2c 20 32 29 29 29 90 00 } //01 00
|
|
$a_01_2 = {53 65 74 20 70 72 6f 63 65 73 73 20 3d 20 47 65 74 4f 62 6a 65 63 74 28 43 68 72 57 28 31 31 39 29 20 26 20 43 68 72 57 28 31 30 35 29 20 26 20 43 68 72 57 28 31 31 30 29 20 26 20 43 68 72 57 28 31 30 39 29 20 26 20 43 68 72 57 28 31 30 33 29 20 26 20 43 68 72 57 28 31 30 39 29 20 26 20 43 68 72 57 28 31 31 36 29 20 26 20 43 68 72 57 28 31 31 35 29 20 5f } //01 00 Set process = GetObject(ChrW(119) & ChrW(105) & ChrW(110) & ChrW(109) & ChrW(103) & ChrW(109) & ChrW(116) & ChrW(115) _
|
|
$a_01_3 = {49 66 20 45 72 72 20 3d 20 34 31 39 38 20 54 68 65 6e 20 4d 73 67 42 6f 78 20 22 44 6f 63 75 6d 65 6e 74 20 77 61 73 20 6e 6f 74 20 63 6c 6f 73 65 64 22 } //01 00 If Err = 4198 Then MsgBox "Document was not closed"
|
|
$a_03_4 = {50 75 74 20 23 31 2c 20 2c 20 43 68 72 24 28 37 37 29 20 2b 20 90 02 12 43 6c 6f 73 65 20 23 31 90 00 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |