15 lines
963 B
Plaintext
15 lines
963 B
Plaintext
|
|
rule TrojanDownloader_O97M_Powload_GG_MTB{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Powload.GG!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,05 00 05 00 05 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_02_0 = {50 75 62 6c 69 63 20 53 75 62 20 57 6f 72 6b 62 6f 6f 6b 5f 4f 70 65 6e 28 29 90 02 02 53 68 65 6c 6c 20 90 02 4b 28 22 31 32 33 32 32 33 34 32 31 33 32 22 2c 20 22 90 00 } //01 00
|
|
$a_02_1 = {46 75 6e 63 74 69 6f 6e 20 90 02 4b 28 43 6f 64 65 4b 65 79 20 41 73 20 53 74 72 69 6e 67 2c 20 73 74 72 20 41 73 20 53 74 72 69 6e 67 29 90 00 } //01 00
|
|
$a_80_2 = {46 6f 72 20 69 20 3d 20 31 20 54 6f 20 4c 65 6e 28 73 74 72 29 20 53 74 65 70 20 32 } //For i = 1 To Len(str) Step 2 01 00
|
|
$a_02_3 = {73 53 74 72 20 3d 20 73 53 74 72 20 2b 20 43 68 72 28 43 4c 6e 67 28 22 26 48 22 20 26 20 4d 69 64 28 73 74 72 2c 20 69 2c 20 90 01 01 29 29 20 2d 20 90 01 02 29 90 00 } //01 00
|
|
$a_80_4 = {73 53 74 72 20 3d 20 22 22 } //sStr = "" 00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |