/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

rule Backdoor_WebShell_asp : ASPXSpy
{
    meta:
    description= "Detect ASPXSpy"
    author = "xylitol@temari.fr"
    date = "2019-02-26"
    // May only the challenge guide you
    strings:
    $string1 = "CmdShell" wide ascii
    $string2 = "ADSViewer" wide ascii
    $string3 = "ASPXSpy.Bin" wide ascii
    $string4 = "PortScan" wide ascii
    $plugin = "Test.AspxSpyPlugins" wide ascii
 
    condition:
    3 of ($string*) or $plugin
}