22 lines
561 B
Text
22 lines
561 B
Text
rule apt_hellsing_irene
|
|
{
|
|
meta:
|
|
version = "1.0"
|
|
filetype = "PE"
|
|
author = "Costin Raiu, Kaspersky Lab"
|
|
copyright = "Kaspersky Lab"
|
|
date = "2015-04-07"
|
|
description = "detection for Hellsing msger irene installer"
|
|
|
|
strings:
|
|
$mz="MZ"
|
|
$a1="\\Drivers\\usbmgr.tmp" wide
|
|
$a2="\\Drivers\\usbmgr.sys" wide
|
|
$a3="common_loadDriver CreateFile error! "
|
|
$a4="common_loadDriver StartService error && GetLastError():%d! "
|
|
$a5="irene" wide
|
|
$a6="aPLib v0.43 - the smaller the better"
|
|
|
|
condition:
|
|
($mz at 0) and (4 of ($a*)) and filesize < 500000
|
|
}
|