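/*
 * YARA rules for the "Hangover" / "Hangover2" tooling families.
 *
 * The file as received carried no author, reference or description metadata
 * (the rule names appear to come from the 2013 "Operation Hangover" research;
 * confirm and fill in `reference` before redistributing).  Every rule below
 * keeps its original name, strings and condition; the only functional change is
 * the removal of one duplicate string (see Hangover_ron_babylon).
 *
 * Deployment caveats a scanner operator should be aware of:
 *   - The Hangover_* rules match ASCII only; the Hangover2_* rules are
 *     `wide ascii`.  Adding `wide` to the older rules would broaden detection
 *     to UTF-16LE strings and was deliberately NOT done here, since that changes
 *     what the rules fire on.
 *   - No file-type guard (e.g. `uint16(0) == 0x5A4D`) is applied, so the rules
 *     also fire on memory dumps, unpacked buffers and network captures.  Add a
 *     guard at deploy time if you scan only files on disk and want fewer hits.
 *   - Several rules share strings ("WinInetGet/0.1", "iconfall",
 *     "78DDB5A902BB8FFF3F398B45BEDCD152", "pranVacrhan"), so one sample can
 *     legitimately trigger more than one rule.
 */

rule Hangover_ron_babylon
{
    meta:
        description = "Multipart upload form with an 'uploaddir' field plus one marker token ($b*) or one embedded hex-like token ($c*)"
    strings:
        // Mandatory anchor: the upload form field name.
        $a = "Content-Disposition: form-data; name=\"uploaddir\""
        // Marker tokens.  NOTE: "DEMO" is a substring of "DEMOMAKE" and
        // "SIMPLE"/"DEMO" are generic words; they are tolerable only because
        // $a must match as well.  The original $b10 ("MBVDFRESCT") duplicated
        // $b1 byte-for-byte and was dropped; the numbering gap is intentional.
        $b1 = "MBVDFRESCT"
        $b2 = "EMSCBVDFRT"
        $b3 = "EMSFRTCBVD"
        $b4 = "sendFile"
        $b5 = "BUGMAAL"
        $b6 = "sMAAL"
        $b7 = "SIMPLE"
        $b8 = "SPLIME"
        $b9 = "getkey.php"
        $b11 = "DSMBVCTFRE"
        $b12 = "MBESCVDFRT"
        $b13 = "TCBFRVDEMS"
        $b14 = "DEMOMAKE"
        $b15 = "DEMO"
        $b16 = "UPHTTP"
        // Hex-like tokens as they appear inside the samples.  They are literal
        // strings in the binaries, NOT hashes of the samples (note several are
        // 27 characters long, so they are not MD5s either).
        $c1 = "F39D45E70395ABFB8D8D2BFFC8BBD152"
        $c2 = "90B452BFFF3F395ABDC878D8BEDBD152"
        $c3 = "FFF3F395A90B452BB8BEDC878DDBD152"
        $c4 = "5A9DCB8FFF3F02B8B45BE39D152"
        $c5 = "5A902B8B45BEDCB8FFF3F39D152"
        $c6 = "78DDB5A902BB8FFF3F398B45BEDCD152"
        $c7 = "905ABEB452BFFFBDC878D83F39DBD152"
        $c8 = "D2BFFC8BBD152F3B8D89D45E70395ABF"
        $c9 = "8765F3F395A90B452BB8BEDC878"
        $c10 = "90ABDC878D8BEDBB452BFFF3F395D152"
        $c11 = "F12BDC94490B452AA8AEDC878DCBD187"
    condition:
        $a and (1 of ($b*) or 1 of ($c*))
}

rule Hangover_Fuddol
{
    meta:
        description = "'Http downloader(fud)' path fragment together with the string 'Fileexists'"
    strings:
        // Backslash is escaped for YARA; the matched bytes are "\Http downloader(fud)".
        $a = "\\Http downloader(fud)"
        $b = "Fileexists"
    condition:
        all of them
}

rule Hangover_UpdateEx
{
    meta:
        description = "VBA6-linked binary carrying the UpdateEx/MainEx/GetLogs/ProMan/RedMod names"
    strings:
        $a1 = "UpdateEx"
        $a2 = "VBA6.DLL"
        $a3 = "MainEx"
        $a4 = "GetLogs"
        $a5 = "ProMan"
        $a6 = "RedMod"
    condition:
        all of them
}

rule Hangover_Tymtin_Degrab
{
    meta:
        description = "Two fixed HTTP query fragments used by the Tymtin/Degrab component"
    strings:
        $a1 = "&dis=no&utp=op&mfol="
        $a2 = "value1=1&value2=2"
    condition:
        all of them
}

rule Hangover_Smackdown_Downloader
{
    meta:
        description = "VB6 downloader: at least three generic download/UserControl strings plus one project-specific name"
    strings:
        // The $a strings are generic VB6 control/event names; on their own
        // they would match many benign VB6 binaries, hence the $b requirement.
        $a1 = "DownloadComplete"
        $a2 = "DownloadProgress"
        $a3 = "DownloadError"
        $a4 = "UserControl"
        $a5 = "MSVBVM60.DLL"
        $b1 = "syslide"
        $b2 = "frmMina"
        $b3 = "Soundsman"
        $b4 = "New_upl"
        $b5 = "MCircle"
        $b6 = "shells_DataArrival"
    condition:
        3 of ($a*) and 1 of ($b*)
}

rule Hangover_Vacrhan_Downloader
{
    meta:
        description = "VBA6-linked binary with the 'pranVacrhan' name, two timers and IsNTAdmin"
    strings:
        $a1 = "pranVacrhan"
        $a2 = "VBA6.DLL"
        $a3 = "Timer1"
        $a4 = "Timer2"
        $a5 = "IsNTAdmin"
    condition:
        all of them
}

rule Hangover_Smackdown_various
{
    meta:
        description = "VBA6-linked binary using advpack/IsNTAdmin plus one of several project names (overlaps Hangover_Vacrhan_Downloader on 'pranVacrhan')"
    strings:
        $a1 = "pranVacrhan"
        $a2 = "NaramGaram"
        $a3 = "vampro"
        $a4 = "AngelPro"
        $b1 = "VBA6.DLL"
        $b2 = "advpack"
        $b3 = "IsNTAdmin"
    condition:
        1 of ($a*) and all of ($b*)
}

rule Hangover_Foler
{
    meta:
        description = "'\\MyHood' path fragment together with the short tokens 'UsbP' and 'ID_MON'"
    strings:
        $a1 = "\\MyHood"
        // Short tokens; acceptable only because all three must be present.
        $a2 = "UsbP"
        $a3 = "ID_MON"
    condition:
        all of them
}

rule Hangover_Appinbot
{
    meta:
        description = "Process-enumeration API names plus the 'FIDR/', 'SUBSCRIBE %d' and 'CLOSE %d' protocol strings"
    strings:
        // Toolhelp32 imports are extremely common; the three protocol strings
        // below are what make the rule specific.
        $a1 = "CreateToolhelp32Snapshot"
        $a2 = "Process32First"
        $a3 = "Process32Next"
        $a4 = "FIDR/"
        $a5 = "SUBSCRIBE %d"
        $a6 = "CLOSE %d"
    condition:
        all of them
}

rule Hangover_Linog
{
    meta:
        description = "File-upload client: 'uploadedfile' form field, two error messages and a multipart header format string"
    strings:
        $a1 = "uploadedfile"
        $a2 = "Error in opening a file.."
        $a3 = "The file could not be opened"
        // printf-style template: the %s placeholders are matched literally.
        $a4 = "%sContent-Disposition: form-data; name=\"%s\";filename=\"%s\""
    condition:
        all of them
}

rule Hangover_Iconfall
{
    meta:
        description = "'iconfall' name together with one of the hex-like tokens also listed in Hangover_ron_babylon ($c6)"
    strings:
        $a1 = "iconfall"
        $a2 = "78DDB5A902BB8FFF3F398B45BEDCD152"
    condition:
        all of them
}

rule Hangover_Deksila
{
    meta:
        description = "'WinInetGet/0.1' user agent, the 'dekstop2007.ico' file name and the 'mozila20' token"
    strings:
        $a1 = "WinInetGet/0.1"
        $a2 = "dekstop2007.ico"
        $a3 = "mozila20"
    condition:
        all of them
}

rule Hangover_Auspo
{
    meta:
        description = "Fixed IE6/XP user agent together with the 'POWERS' and 'AUSTIN' tokens"
    strings:
        // The user agent alone is found in countless binaries; the two
        // capitalised tokens are the discriminating part.
        $a1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV2)"
        $a2 = "POWERS"
        $a3 = "AUSTIN"
    condition:
        all of them
}

rule Hangover_Slidewin
{
    meta:
        description = "Keylogger key-name table (bracketed names for lock, modifier and media keys)"
    strings:
        // Identifier $a13 is absent in the original rule set; the gap is kept
        // so the identifiers stay comparable with other copies of these rules.
        $a1 = "[NumLock]"
        $a2 = "[ScrlLock]"
        $a3 = "[LtCtrl]"
        $a4 = "[RtCtrl]"
        $a5 = "[LtAlt]"
        $a6 = "[RtAlt]"
        $a7 = "[HomePage]"
        $a8 = "[MuteOn/Off]"
        $a9 = "[VolDn]"
        $a10 = "[VolUp]"
        $a11 = "[Play/Pause]"
        $a12 = "[MailBox]"
        $a14 = "[Calc]"
        $a15 = "[Unknown]"
    condition:
        all of them
}

rule Hangover_Gimwlog
{
    meta:
        description = "Log separator strings plus a 'md' command creating C:\\ApplicationData\\Prefetch\\"
    strings:
        $a1 = "file closed---------------------"
        $a2 = "new file------------------"
        $a3 = "md C:\\ApplicationData\\Prefetch\\"
    condition:
        all of them
}

rule Hangover_Gimwup
{
    meta:
        description = "Debug strings '=======inside while===========' and 'scan finished' plus the 'logFile.txt' file name"
    strings:
        $a1 = "=======inside while==========="
        $a2 = "scan finished"
        $a3 = "logFile.txt"
    condition:
        all of them
}

rule Hangover2_Downloader
{
    meta:
        description = "'WinInetGet/0.1' user agent plus upload-error text and the '&file=', '&str=', '?cn=' query fragments (ASCII or UTF-16LE)"
    strings:
        $a = "WinInetGet/0.1" wide ascii
        $b = "Excep while up" wide ascii
        $c = "&file=" wide ascii
        $d = "&str=" wide ascii
        $e = "?cn=" wide ascii
    condition:
        all of them
}

rule Hangover2_stealer
{
    meta:
        description = "'MyWebClient' class name, a literal 'Location: {[0-9]+}' pattern string and a bracketed record format string (ASCII or UTF-16LE)"
    strings:
        $a = "MyWebClient" wide ascii
        // This is a plain text string, not a YARA regex: it matches the literal
        // bytes "Location: {[0-9]+}" (presumably a pattern embedded in the
        // sample).  If a regex was intended it would need /.../ syntax — confirm
        // against the sample before "fixing" it.
        $b = "Location: {[0-9]+}" wide ascii
        $c = "[%s]:[C-%s]:[A-%s]:[W-%s]:[S-%d]" wide ascii
    condition:
        all of them
}

rule Hangover2_backdoor_shell
{
    meta:
        description = "Four status messages of a remote shell component (ASCII or UTF-16LE)"
    strings:
        // Trailing spaces in $a and $b are part of the matched bytes.
        $a = "Shell started at: " wide ascii
        $b = "Shell closed at: " wide ascii
        $c = "Shell is already closed!" wide ascii
        $d = "Shell is not Running!" wide ascii
    condition:
        all of them
}

rule Hangover2_Keylogger
{
    meta:
        description = "'iconfall' name, an 'ipconfig /all' redirect command and a fixed Global\\ mutex name (ASCII or UTF-16LE)"
    strings:
        $a = "iconfall" wide ascii
        // Trailing space after '>' is part of the matched bytes.
        $b = "/c ipconfig /all > " wide ascii
        $c = "Global\\{CHKAJESKRB9-35NA7-94Y436G37KGT}" wide ascii
    condition:
        all of them
}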