
// Detection signature for VirTool:WinNT/Rootkitdrv.NU, carried over from a
// Microsoft Defender PEHSTR_EXT signature (the meta description keeps the
// original header bytes). The numbers in that description and the trailing
// "//NN NN" comment after each string come from the Defender format as well —
// presumably per-string weights and a match threshold, but nothing here
// establishes that; confirm against the DefenderYara conversion before
// relying on them.
rule VirTool_WinNT_Rootkitdrv_NU{
meta:
description = "VirTool:WinNT/Rootkitdrv.NU,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 05 00 00 01 00 "
strings :
// $a_03_0, ASCII, decoded: "\systemroot\system32\%s", "KeServiceDescriptorTable",
// "IEXPLORE.EXE", "INETCPL.CPL", "System", "userinit.exe", "explorer.exe",
// "127.0.0.2", "www.5566dh.cn". The "90 01 NN" groups between those pieces and
// the closing "90 00" are not part of the decoded text; they look like the
// Defender format's wildcard / end-of-pattern markers rather than literal
// bytes — TODO confirm. If that is what they are, note that YARA reads them
// here as literal bytes to match, so the rule would only fire on a file that
// really contains 90 01 NN; the jumps would have to be written as "[NN]" for
// the pattern to behave as the original signature did.
$a_03_0 = {5c 73 79 73 74 65 6d 72 6f 6f 74 5c 73 79 73 74 65 6d 33 32 5c 25 73 00 4b 65 53 65 72 76 69 63 65 44 65 73 63 72 69 70 74 6f 72 54 61 62 6c 65 90 01 04 49 45 58 50 4c 4f 52 45 2e 45 58 45 90 01 04 49 4e 45 54 43 50 4c 2e 43 50 4c 00 53 79 73 74 65 6d 90 01 02 75 73 65 72 69 6e 69 74 2e 65 78 65 90 01 04 65 78 70 6c 6f 72 65 72 2e 65 78 65 90 01 04 31 32 37 2e 30 2e 30 2e 32 90 01 03 77 77 77 2e 35 35 36 36 64 68 2e 63 6e 90 00 } //01 00
// $a_01_1, UTF-16LE, decoded: "\DosDevices\KappaAvb" — an NT object-namespace
// path, the most specific string in this set.
$a_01_1 = {5c 00 44 00 6f 00 73 00 44 00 65 00 76 00 69 00 63 00 65 00 73 00 5c 00 4b 00 61 00 70 00 70 00 61 00 41 00 76 00 62 00 } //01 00
// $a_03_2, UTF-16LE, decoded: "\registry\machine\software\microsoft\windows\currentversion\runonce",
// then a "90 01 02" group (same caveat as in $a_03_0), then "zhaodao123.com",
// then the "90 00" terminator.
$a_03_2 = {5c 00 72 00 65 00 67 00 69 00 73 00 74 00 72 00 79 00 5c 00 6d 00 61 00 63 00 68 00 69 00 6e 00 65 00 5c 00 73 00 6f 00 66 00 74 00 77 00 61 00 72 00 65 00 5c 00 6d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 77 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 63 00 75 00 72 00 72 00 65 00 6e 00 74 00 76 00 65 00 72 00 73 00 69 00 6f 00 6e 00 5c 00 72 00 75 00 6e 00 6f 00 6e 00 63 00 65 00 90 01 02 7a 00 68 00 61 00 6f 00 64 00 61 00 6f 00 31 00 32 00 33 00 2e 00 63 00 6f 00 6d 00 90 00 } //01 00
// $a_01_3, UTF-16LE, decoded: "twww.5566dh.cn?tg=%d". The leading "t" is
// presumably the tail of a longer URL format string in the sample; the full
// string is not visible here.
$a_01_3 = {74 00 77 00 77 00 77 00 2e 00 35 00 35 00 36 00 36 00 64 00 68 00 2e 00 63 00 6e 00 3f 00 74 00 67 00 3d 00 25 00 64 00 } //01 00
// $a_01_4, UTF-16LE, decoded: "\Software\Microsoft\Internet Explorer\Main".
// This registry path is common in legitimate software, so on its own it is a
// weak indicator — see the note on the condition below.
$a_01_4 = {5c 00 53 00 6f 00 66 00 74 00 77 00 61 00 72 00 65 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 49 00 6e 00 74 00 65 00 72 00 6e 00 65 00 74 00 20 00 45 00 78 00 70 00 6c 00 6f 00 72 00 65 00 72 00 5c 00 4d 00 61 00 69 00 6e 00 } //00 00
condition:
// A single matching string is enough to fire. Because $a_01_4 is a generic
// registry path, this condition may be noisier than the original Defender
// signature, whose weights/threshold (if that is what the "//NN NN" values
// are) could have prevented that string from triggering alone — confirm.
any of ($a_*)
}