DefenderYara/Worm/Win32/Womble/Worm_Win32_Womble_D.yar


rule Worm_Win32_Womble_D{
	meta:
		description = "Worm:Win32/Womble.D,SIGNATURE_TYPE_PEHSTR,0f 00 0e 00 13 00 00 "
		
	strings :
		$a_01_0 = {66 61 73 74 6d 61 69 6c 2e } //1 fastmail.
		$a_01_1 = {67 72 61 66 66 69 74 69 2e } //1 graffiti.
		$a_01_2 = {2e 63 6f 6d 2f 63 75 72 72 65 6e 74 2f } //1 .com/current/
		$a_01_3 = {3f 61 3d 25 64 26 64 3d 30 3a 30 3a 25 64 } //1 ?a=%d&d=0:0:%d
		$a_01_4 = {3c 66 72 61 6d 65 20 73 72 63 3d } //1 <frame src=
		$a_01_5 = {45 78 70 6c 6f 72 65 72 5c 53 68 65 6c 6c 20 46 6f 6c 64 65 72 73 } //1 Explorer\Shell Folders
		$a_01_6 = {61 70 70 6c 69 63 61 74 69 6f 6e 2f 70 64 66 } //1 application/pdf
		$a_01_7 = {49 6e 74 65 72 6e 65 74 20 41 63 63 6f 75 6e 74 20 4d 61 6e 61 67 65 72 5c 41 63 63 6f 75 6e 74 73 } //1 Internet Account Manager\Accounts
		$a_01_8 = {50 72 65 66 65 72 65 6e 63 65 3d } //1 Preference=
		$a_01_9 = {63 6f 6e 6e 65 63 74 20 74 6f 20 73 65 72 76 65 72 20 25 73 2c 20 25 64 } //1 connect to server %s, %d
		$a_01_10 = {4c 6f 6f 6b 20 61 74 20 74 68 69 73 21 } //1 Look at this!
		$a_01_11 = {70 61 73 73 77 6f 72 64 73 2e 64 6f 63 } //1 passwords.doc
		$a_01_12 = {5f 53 54 41 52 54 5f 46 49 4c 45 5f } //1 _START_FILE_
		$a_01_13 = {5f 45 4e 44 5f 46 49 4c 45 5f } //1 _END_FILE_
		$a_01_14 = {5f 45 4e 44 5f 41 44 44 52 53 5f } //1 _END_ADDRS_
		$a_01_15 = {48 45 4c 4f 20 25 73 } //1 HELO %s
		$a_01_16 = {55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 20 4f 75 74 6c 6f 6f 6b } //1 User-Agent: Microsoft Outlook
		$a_01_17 = {44 61 74 65 3a 20 25 73 2c 20 25 2e 32 64 20 25 73 20 25 2e 34 64 } //1 Date: %s, %.2d %s %.4d
		$a_01_18 = {46 72 6f 6d 3a 20 22 25 73 22 20 3c 25 73 3e } //1 From: "%s" <%s>
	condition:
		((#a_01_0  & 1)*1+(#a_01_1  & 1)*1+(#a_01_2  & 1)*1+(#a_01_3  & 1)*1+(#a_01_4  & 1)*1+(#a_01_5  & 1)*1+(#a_01_6  & 1)*1+(#a_01_7  & 1)*1+(#a_01_8  & 1)*1+(#a_01_9  & 1)*1+(#a_01_10  & 1)*1+(#a_01_11  & 1)*1+(#a_01_12  & 1)*1+(#a_01_13  & 1)*1+(#a_01_14  & 1)*1+(#a_01_15  & 1)*1+(#a_01_16  & 1)*1+(#a_01_17  & 1)*1+(#a_01_18  & 1)*1) >=14
 
}
init 2024-02-05 06:12:47 -08:00
			`rule Worm_Win32_Womble_D{`
			`meta:`
fix condition 2024-07-06 23:13:08 -07:00			`description = "Worm:Win32/Womble.D,SIGNATURE_TYPE_PEHSTR,0f 00 0e 00 13 00 00 "`
init 2024-02-05 06:12:47 -08:00
			`strings :`
fix condition 2024-07-06 23:13:08 -07:00			`$a_01_0 = {66 61 73 74 6d 61 69 6c 2e } //1 fastmail.`
			`$a_01_1 = {67 72 61 66 66 69 74 69 2e } //1 graffiti.`
			`$a_01_2 = {2e 63 6f 6d 2f 63 75 72 72 65 6e 74 2f } //1 .com/current/`
			`$a_01_3 = {3f 61 3d 25 64 26 64 3d 30 3a 30 3a 25 64 } //1 ?a=%d&d=0:0:%d`
			`$a_01_4 = {3c 66 72 61 6d 65 20 73 72 63 3d } //1 <frame src=`
			`$a_01_5 = {45 78 70 6c 6f 72 65 72 5c 53 68 65 6c 6c 20 46 6f 6c 64 65 72 73 } //1 Explorer\Shell Folders`
			`$a_01_6 = {61 70 70 6c 69 63 61 74 69 6f 6e 2f 70 64 66 } //1 application/pdf`
			`$a_01_7 = {49 6e 74 65 72 6e 65 74 20 41 63 63 6f 75 6e 74 20 4d 61 6e 61 67 65 72 5c 41 63 63 6f 75 6e 74 73 } //1 Internet Account Manager\Accounts`
			`$a_01_8 = {50 72 65 66 65 72 65 6e 63 65 3d } //1 Preference=`
			`$a_01_9 = {63 6f 6e 6e 65 63 74 20 74 6f 20 73 65 72 76 65 72 20 25 73 2c 20 25 64 } //1 connect to server %s, %d`
			`$a_01_10 = {4c 6f 6f 6b 20 61 74 20 74 68 69 73 21 } //1 Look at this!`
			`$a_01_11 = {70 61 73 73 77 6f 72 64 73 2e 64 6f 63 } //1 passwords.doc`
			`$a_01_12 = {5f 53 54 41 52 54 5f 46 49 4c 45 5f } //1 _START_FILE_`
			`$a_01_13 = {5f 45 4e 44 5f 46 49 4c 45 5f } //1 _END_FILE_`
			`$a_01_14 = {5f 45 4e 44 5f 41 44 44 52 53 5f } //1 _END_ADDRS_`
			`$a_01_15 = {48 45 4c 4f 20 25 73 } //1 HELO %s`
			`$a_01_16 = {55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 20 4f 75 74 6c 6f 6f 6b } //1 User-Agent: Microsoft Outlook`
			`$a_01_17 = {44 61 74 65 3a 20 25 73 2c 20 25 2e 32 64 20 25 73 20 25 2e 34 64 } //1 Date: %s, %.2d %s %.4d`
			`$a_01_18 = {46 72 6f 6d 3a 20 22 25 73 22 20 3c 25 73 3e } //1 From: "%s" <%s>`
init 2024-02-05 06:12:47 -08:00			`condition:`
fix condition 2024-07-06 23:13:08 -07:00			`((#a_01_0 & 1)1+(#a_01_1 & 1)1+(#a_01_2 & 1)1+(#a_01_3 & 1)1+(#a_01_4 & 1)1+(#a_01_5 & 1)1+(#a_01_6 & 1)1+(#a_01_7 & 1)1+(#a_01_8 & 1)1+(#a_01_9 & 1)1+(#a_01_10 & 1)1+(#a_01_11 & 1)1+(#a_01_12 & 1)1+(#a_01_13 & 1)1+(#a_01_14 & 1)1+(#a_01_15 & 1)1+(#a_01_16 & 1)1+(#a_01_17 & 1)1+(#a_01_18 & 1)*1) >=14`
init 2024-02-05 06:12:47 -08:00
			`}`