rule PittyTiger {
  meta: 
    author = " (@chort0)"
    description = "Detect PittyTiger Trojan via common strings"
    strings: 
      $ptUserAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.; SV1)" // missing minor digit
      $ptFC001 = "FC001" fullword 
      $ptPittyTiger = "PittyTiger" fullword 
      $trjHTMLerr = "trj:HTML Err." nocase fullword 
      $trjworkFunc = "trj:workFunc start." nocase fullword 
      $trjcmdtout = "trj:cmd time out." nocase fullword 
      $trjThrtout = "trj:Thread time out." nocase fullword
      $trjCrPTdone = "trj:Create PT done." nocase fullword
      $trjCrPTerr = "trj:Create PT error: mutex already exists." nocase fullword 
      $oddPippeFailed = "Create Pippe Failed!" fullword // extra 'p'
      $oddXferingFile = "Transfering File" fullword // missing 'r' 
      $oddParasError = "put Paras Error:" fullword // abbreviated 'parameters'? 
      $oddCmdTOutkilled = "Cmd Time Out..Cmd has been killed." fullword 
condition: 
  (any of ($pt*)) and (any of ($trj*)) and (any of ($odd*)) 
  }