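// Flags data whose first two bytes are one of four fixed values:
// FF FF, 50 9B, 50 5F or 50 D7.
//
// NOTE(review): presumably these are leading bytes observed on SpyEye
// configuration blobs, as the rule name suggests. The page cites no sample or
// reference, so confirm against known configuration files before relying on it.
//
// NOTE(review): a two-byte prefix is a very weak signature. Any unrelated file
// that happens to start with one of these values also matches, so apply this
// rule only to data already suspected to be a SpyEye configuration (for
// example carved or extracted blobs), not to a whole file system, and pair it
// with a size or structure check once the format is confirmed.
rule SpyEyeConfig
{
    condition:
        // Compare the 16-bit big-endian value at offset 0 directly. The
        // original declared four two-byte hex strings and tested each with
        // "at 0"; strings that short make YARA look for every occurrence in
        // the scanned data (and draw a slow-scan warning) although only
        // offset 0 is ever checked. The verdict is the same.
        uint16be(0) == 0xFFFF or    // FF FF
        uint16be(0) == 0x509B or    // 50 9B
        uint16be(0) == 0x505F or    // 50 5F
        uint16be(0) == 0x50D7       // 50 D7
}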
----OTHER RULE-----
// Matches when both plain-text strings "SPYNET" and "SpyEye" occur anywhere
// in the scanned data.
//
// NOTE(review): both strings are case-sensitive ASCII with no modifiers, so
// UTF-16 or differently cased copies are not matched.
//
// NOTE(review): there is no file-type, size or offset constraint. Any text
// containing both words matches, including this rule file itself, analysis
// reports and other signature sets, so treat a hit as a lead to triage rather
// than as proof of infection.
rule spyeye
{
    meta:
        // Wording kept as published; read it as "the scanned object appears
        // to be infected with the SpyEye trojan".
        description = "Indicates spyeye trojan is infected"

    strings:
        $a = "SPYNET"
        $b = "SpyEye"

    condition:
        // Every declared string must be present.
        all of them
}