rule DevilBait_vbscript_1 {
	meta:
		author = "NCSC"
		description = "This rule identifies the first stage vbscript 
written to disk e.g. version.xml."
	strings:
		$must_1 = "On Error Resume Next:Set"
		$must_2 = "CreateObject(\"MSXML2.ServerXMLHTTP.6.0\"):"
		$must_3 = ".Send:Execute("
		$must_4 = "http"
		$get = "GET"
		$post = "POST"
	condition:
		filesize < 10KB and all of ($must*) and ($get or $post)
}