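/*
 * Matches Office VBA macro text tied to the detection name
 * TrojanDownloader:O97M/Powdow.LOR!MTB (see the description field).
 *
 * The stray "|" gutter characters from the rendered listing are dropped so
 * the rule parses; the description, both hex strings and the condition are
 * unchanged.
 *
 * Scanning note: both strings are plain VBA source text. Macro source inside
 * Office documents is normally stored compressed (and OOXML files are zipped),
 * so scanning raw documents can miss. Run the rule against extracted macro
 * source or a scanner that unpacks the VBA project first.
 */
rule TrojanDownloader_O97M_Powdow_LOR_MTB {
    meta:
        // Detection name and signature type as carried in the source listing.
        // NOTE(review): the trailing hex bytes look like header fields from
        // the originating signature (possibly thresholds/counts) - confirm.
        description = "TrojanDownloader:O97M/Powdow.LOR!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,02 00 02 00 02 00 00 01 00 "

    strings:
        // ASCII: Debug.Assert (VBA.Shell(lol))
        // A process launch (VBA.Shell) wrapped in a Debug.Assert call.
        // The leading "01 00" in the trailing comment comes from the source
        // listing; presumably a per-string weight - confirm.
        $a_01_0 = {44 65 62 75 67 2e 41 73 73 65 72 74 20 28 56 42 41 2e 53 68 65 6c 6c 28 6c 6f 6c 29 29 } //01 00 Debug.Assert (VBA.Shell(lol))

        // ASCII: Debug.Print MsgBox("ERROR!Re-Install Office", vbOKCancel); returns; 1
        //        <90 0c 02 00> obj.lol <90 00>
        // A decoy "Re-Install Office" error dialog followed by a reference to obj.lol.
        // NOTE(review): 90 0c 02 00 and 90 00 are not printable text. They look
        // like control/wildcard markers from the source signature format rather
        // than bytes present in macro source. YARA matches them literally here,
        // so this string will probably never hit real macro text. Confirm their
        // meaning and replace them with the equivalent YARA jump/wildcard (or
        // trim the pattern) before relying on this string.
        $a_03_1 = {44 65 62 75 67 2e 50 72 69 6e 74 20 4d 73 67 42 6f 78 28 22 45 52 52 4f 52 21 52 65 2d 49 6e 73 74 61 6c 6c 20 4f 66 66 69 63 65 22 2c 20 76 62 4f 4b 43 61 6e 63 65 6c 29 3b 20 72 65 74 75 72 6e 73 3b 20 31 90 0c 02 00 6f 62 6a 2e 6c 6f 6c 90 00 } //00 00

    condition:
        // Fires on either string alone. Given the note on $a_03_1, coverage
        // rests in practice on $a_01_0, so treat a hit as a triage lead and
        // review the extracted macro before concluding.
        // NOTE(review): the originating signature may have required a combined
        // threshold rather than a single match - confirm.
        any of ($a_*)
}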