private rule RegSubDatCode : RegSubDat Family
{
    // Code-level features of the RegSubDat family. Private: only the
    // public RegSubDat rule is meant to report; this rule feeds it.
    meta:
        author = "Seth Hardy"
        description = "RegSubDat code features"
        last_modified = "2014-07-14"

    strings:
        // decryption loop:
        //   80 34 3? 99            xor byte [base+edi], 0x99
        //   40                     inc eax
        //   3D FB 65 00 00 | 3B C6 cmp eax, 0x65FB  /  cmp eax, esi
        //   7? F?                  short jcc with a negative (backward) displacement
        $xor_loop = { 80 34 3? 99 40 (3D FB 65 00 00 | 3B C6) 7? F? }

        // push imm32 immediately followed by pop r32
        //   68 FF FF 7F 00         push 0x7FFFFF
        //   5?                     pop reg
        $push_pop_7fffff = { 68 FF FF 7F 00 5? }
        //   68 FF 7F 00 00         push 0x7FFF
        //   5?                     pop reg
        $push_pop_7fff = { 68 FF 7F 00 00 5? }

    condition:
        // every pattern above must be present (same as "all of them")
        $xor_loop and $push_pop_7fffff and $push_pop_7fff
}
private rule RegSubDatStrings : RegSubDat Family
{
    // String-level features of the RegSubDat family. Private: consumed by
    // the public RegSubDat rule rather than reported on its own.
    meta:
        author = "Seth Hardy"
        description = "RegSubDat Identifying Strings"
        last_modified = "2014-07-14"

    strings:
        // Captions that together look like an AVG firewall confirmation
        // dialog; individually they are generic, so the condition requires
        // all of them.
        // NOTE(review): these are plain (ASCII-only) text strings. If the
        // sample stores the captions as UTF-16, they will not match without
        // "ascii wide" — confirm against a sample before changing.
        $dlg1 = "Button"
        $dlg2 = "Allow"
        $dlg3 = "Identity Protection"
        $dlg4 = "Allow for all"
        $dlg5 = "AVG Firewall Asks For Confirmation"

        // Mutex name used by the family.
        // NOTE(review): this literal alone satisfies the condition, so any
        // file containing the text (not just PE files) will match — verify
        // the false-positive rate, or anchor it, if this is a concern.
        $mutex = "0x1A7B4C9F"

    condition:
        all of ($dlg*) or $mutex
}
rule RegSubDat : Family
{
    // Public entry point for the RegSubDat family: reports when either the
    // code-pattern rule or the string rule (both private, defined in this
    // file) matches.
    meta:
        author = "Seth Hardy"
        description = "RegSubDat"
        last_modified = "2014-07-14"

    condition:
        RegSubDatCode or RegSubDatStrings
}