15 lines
855 B
Plaintext
15 lines
855 B
Plaintext
|
|
rule TrojanDownloader_O97M_Qakbot_DOLV_MTB{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Qakbot.DOLV!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,05 00 05 00 05 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {41 70 70 6c 69 63 61 74 69 6f 6e 2e 52 75 6e 20 53 68 65 65 74 73 28 22 46 69 6b 6f 70 22 29 2e 52 61 6e 67 65 28 22 48 33 22 29 } //01 00
|
|
$a_01_1 = {47 69 43 22 20 26 20 22 65 6c 22 20 26 20 22 6f 64 22 20 26 20 22 2e 77 22 20 26 20 22 61 47 69 63 } //01 00
|
|
$a_01_2 = {4a 52 79 66 20 3d 20 22 45 22 20 26 20 22 58 22 20 26 20 22 45 22 20 26 20 22 43 } //01 00
|
|
$a_01_3 = {42 79 74 72 75 79 20 3d 20 22 52 22 20 26 20 22 45 22 20 26 20 22 47 22 20 26 20 22 49 22 20 26 20 22 53 54 45 52 } //01 00
|
|
$a_01_4 = {26 20 22 73 22 20 26 20 22 69 22 20 26 20 22 6c 22 20 26 20 22 65 22 20 26 20 22 6e 22 20 26 20 22 74 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |