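/*
   String rule for TrojanSpy:Win32/Symcomder.D, converted from a signature of
   type SIGNATURE_TYPE_PEHSTR_EXT (raw header bytes are kept in meta.description).

   Changes against the literal conversion:
     - The condition was `any of ($a_*)`, and the set included the two-byte
       pattern {5d 04}. Two arbitrary bytes occur in almost every file, so the
       rule fired on practically anything scanned.
     - `90 02 0a` and the trailing `90 00` in $a_03_3 were emitted as literal
       bytes. They sit in the middle of a file name ("%TEMP%\" ... ".reg"),
       which reads as a bounded wildcard plus an end marker in the source
       format rather than data. NOTE(review): interpreted as "up to 0x0a
       bytes"; confirm against the original signature.
     - The header in meta.description starts with 04 00, which looks like a
       match threshold of 4, and the per-pattern weight bytes (01 00) line up
       with four weight-1 patterns. The condition therefore requires all four.
       NOTE(review): threshold/weight reading is inferred from the byte
       layout; confirm before deploying.
*/
rule TrojanSpy_Win32_Symcomder_D{
    meta:
        description = "TrojanSpy:Win32/Symcomder.D,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 01 00 "

    strings:
        // "dDelay\0KeyboardSpeed\0" - two adjacent NUL-terminated names
        $a_01_0 = {64 44 65 6c 61 79 00 4b 65 79 62 6f 61 72 64 53 70 65 65 64 00 }
        // "{Clik}\r\n\0{Back}" - input-event markers
        $a_01_1 = {7b 43 6c 69 6b 7d 0d 0a 00 7b 42 61 63 6b 7d }
        // "{CLIPBOARD END}" - clipboard capture marker
        $a_01_2 = {7b 43 4c 49 50 42 4f 41 52 44 20 45 4e 44 7d }
        // "un] >> %TEMP%\" <0-10 bytes> ".reg\r\n\0" - text appended to a .reg file under %TEMP%
        $a_03_3 = {75 6e 5d 20 3e 3e 20 25 54 45 4d 50 25 5c [0-10] 2e 72 65 67 0d 0a 00 }

        // Dropped: $a_00_4 = {5d 04}. It follows the 00 00 terminator of the
        // pattern list and is too short to be a usable pattern; it is kept
        // here only for traceability to the converted source.

    condition:
        // Every pattern is required; any single marker on its own is too
        // generic to attribute a file to this family.
        all of ($a_01_*) and $a_03_3
}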