DefenderYara/TrojanSpy/Win32/Agent/TrojanSpy_Win32_Agent_GP.yar


rule TrojanSpy_Win32_Agent_GP{
// Signature for TrojanSpy:Win32/Agent.GP (family name taken from the meta description below).
// Every $a_* pattern is a literal byte sequence. The decoded ASCII is written next to each one
// so an analyst can read the rule without re-decoding the hex; 00 bytes are shown as \0.
// NOTE(review): the trailing "//01 00" / "//00 00" comments on each string come with the
// original rule; their meaning is not established by anything in this file.
meta:
description = "TrojanSpy:Win32/Agent.GP,SIGNATURE_TYPE_PEHSTR_EXT,04 00 03 00 05 00 00 01 00 "
strings :
// "\systhecatmsg.gif" \0\0\0 "GIF" \0 "EXE" \0 "INF" \0 "%s\n" \0 "w" \0\0\0 "\sysmsgprocess"
$a_01_0 = {5c 73 79 73 74 68 65 63 61 74 6d 73 67 2e 67 69 66 00 00 00 47 49 46 00 45 58 45 00 49 4e 46 00 25 73 0a 00 77 00 00 00 5c 73 79 73 6d 73 67 70 72 6f 63 65 73 73 } //01 00
// "FirstName" \0\0\0 "xing" \0\0\0\0 "http://www.455465x.com/test/IP.asp"
$a_01_1 = {46 69 72 73 74 4e 61 6d 65 00 00 00 78 69 6e 67 00 00 00 00 68 74 74 70 3a 2f 2f 77 77 77 2e 34 35 35 34 36 35 78 2e 63 6f 6d 2f 74 65 73 74 2f 49 50 2e 61 73 70 } //01 00
// "&Password=" \0\0 "?Number=" \0\0\0\0 "Q"
$a_01_2 = {26 50 61 73 73 77 6f 72 64 3d 00 00 3f 4e 75 6d 62 65 72 3d 00 00 00 00 51 } //01 00
// "Tencent_QQBar" \0\0\0 "sysmsgtart" \0\0 "SOFT"
$a_01_3 = {54 65 6e 63 65 6e 74 5f 51 51 42 61 72 00 00 00 73 79 73 6d 73 67 74 61 72 74 00 00 53 4f 46 54 } //01 00
// "QQ.exe" \0\0 "\themsgmove.exe" \0 "\autorun.in"  (the pattern stops after "in")
$a_01_4 = {51 51 2e 65 78 65 00 00 5c 74 68 65 6d 73 67 6d 6f 76 65 2e 65 78 65 00 5c 61 75 74 6f 72 75 6e 2e 69 6e } //00 00
condition:
// A hit on any single string is sufficient. $a_01_2 ("&Password=" ... "?Number=" ... "Q") is
// the shortest and least specific of the five, so a match on it alone is worth corroborating
// against the other indicators before it is treated as a confirmed detection.
any of ($a_*)
}