rule LostDoor { meta: author = " Kevin Breen " date = "2014/04" ref = "http://malwareconfig.com/stats/LostDoor" maltype = "Remote Access Trojan" filetype = "exe" strings: $a0 = {0D 0A 2A 45 44 49 54 5F 53 45 52 56 45 52 2A 0D 0A} $a1 = "*mlt* = %" $a2 = "*ip* = %" $a3 = "*victimo* = %" $a4 = "*name* = %" $b5 = "[START]" $b6 = "[DATA]" $b7 = "We Control Your Digital World" wide ascii $b8 = "RC4Initialize" wide ascii $b9 = "RC4Decrypt" wide ascii condition: all of ($a*) or all of ($b*) }