/*
 * In-memory signature for the Citadel banking trojan.
 *
 * Fires when any three of the eight plain-text strings below are present in
 * the scanned data.
 *
 * NOTE(review): the rule name says "13xy" while the description says
 * "1.5.x.y" -- confirm which version family the strings were taken from.
 */
rule citadel13xy : banker
{
    meta:
        author = "Jean-Philippe Teissier / @Jipe_"
        description = "Citadel 1.5.x.y trojan banker"
        date = "2013-01-12"
        version = "1.0"
        // Descriptive only: YARA does not act on meta values, so nothing stops
        // this rule from being run on files. It is meant for process memory or
        // memory dumps.
        filetype = "memory"

    strings:
        // No modifiers are given, so each string matches only as
        // case-sensitive ASCII; a UTF-16 copy in memory would not match.
        // NOTE(review): check against samples whether `wide` is needed.

        // Author taunt. Kept verbatim, including the "personnal" spelling,
        // because the bytes must match exactly -- do not "correct" it.
        $a = "Coded by BRIAN KREBS for personnal use only. I love my job & wife."

        // printf-style URL template. This matches the unexpanded format
        // string itself, not any URL produced from it.
        $b = "http://%02x%02x%02x%02x%02x%02x%02x%02x.com/%02x%02x%02x%02x/%02x%02x%02x%02x%02x.php"

        // Placeholder tokens; presumably substituted with the bot and botnet
        // identifiers at runtime -- TODO confirm.
        $c = "%BOTID%"
        $d = "%BOTNET%"

        // Presumably a plugin/module file name -- TODO confirm.
        $e = "cit_video.module"

        // Presumably command keywords handled by the bot -- TODO confirm.
        $f = "bc_remove"
        $g = "bc_add"

        // Benign URL; weak on its own since it can occur in unrelated
        // processes such as browsers.
        $ggurl = "http://www.google.com/webhp"

    condition:
        // `($*)` selects every string defined in this rule.
        // NOTE(review): $c, $d and $ggurl are short or generic and together
        // already satisfy the threshold, possibly also in related bot
        // families. Validate the false-positive rate on clean memory images
        // before alerting on this rule alone.
        3 of ($*)
}