DefenderYara/Worm/Win32/Delf/Worm_Win32_Delf_ZAB.yar


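// Worm:Win32/Delf.ZAB — converted from a Defender PEHSTR signature.
//
// The meta header "0c 00 0c 00 0c 00 00 01 00" appears to encode a match
// threshold of 12 over 12 strings, each weighted "01 00" (see the trailing
// comment on every string). The condition therefore requires all 12 strings;
// `any of ($a_*)` would fire on generic filenames such as autorun.inf,
// inf.txt or links.jpg that occur in plenty of benign binaries and media.
rule Worm_Win32_Delf_ZAB
{
	meta:
		description = "Worm:Win32/Delf.ZAB,SIGNATURE_TYPE_PEHSTR,0c 00 0c 00 0c 00 00 01 00 "

	strings:
		// Hosted artefacts the sample references (weight 01 00 each).
		$a_01_0 = {61 75 74 65 6e 74 2e 6a 70 67 } //01 00 autent.jpg
		$a_01_1 = {68 74 74 70 3a 2f 2f 67 65 6f 63 69 74 69 65 73 2e 79 61 68 6f 6f 2e 63 6f 6d 2e 62 72 2f 79 6f 75 74 6f 62 61 30 33 2f 6c 69 73 74 61 61 75 74 2e 6a 70 67 } //01 00 http://geocities.yahoo.com.br/youtoba03/listaaut.jpg
		$a_01_2 = {68 74 74 70 3a 2f 2f 77 77 77 2e 67 72 61 74 69 73 77 65 62 2e 63 6f 6d 2f 76 61 69 73 65 66 75 64 65 72 30 30 } //01 00 http://www.gratisweb.com/vaisefuder00
		$a_01_3 = {68 74 74 70 3a 2f 2f 77 77 77 2e 79 6f 75 74 6f 62 61 30 31 2e 68 70 67 2e 63 6f 6d 2e 62 72 } //01 00 http://www.youtoba01.hpg.com.br
		$a_01_4 = {69 6e 66 76 65 72 2e 74 78 74 } //01 00 infver.txt
		$a_01_5 = {76 65 72 73 61 6f 2e 6a 70 67 } //01 00 versao.jpg
		$a_01_6 = {64 69 73 6b 64 72 69 76 65 2e 65 78 65 } //01 00 diskdrive.exe
		$a_01_7 = {6c 69 6e 6b 73 2e 6a 70 67 } //01 00 links.jpg
		$a_01_8 = {69 6e 66 2e 6a 70 67 } //01 00 inf.jpg
		$a_01_9 = {69 6e 66 2e 74 78 74 } //01 00 inf.txt
		// Removable-media spreading indicators: an autorun.inf that launches
		// the dropped executable via shell\open\command.
		$a_01_10 = {61 75 74 6f 72 75 6e 2e 69 6e 66 } //01 00 autorun.inf
		$a_01_11 = {73 68 65 6c 6c 5c 6f 70 65 6e 5c 63 6f 6d 6d 61 6e 64 3d 64 69 73 6b 64 72 69 76 65 2e 65 78 65 } //00 00 shell\open\command=diskdrive.exe

	condition:
		// Threshold from the PEHSTR header: 12 of 12 weighted strings.
		12 of ($a_*)
}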