DefenderYara/Worm/Win32/Vundo/Worm_Win32_Vundo_B.yar


rule Worm_Win32_Vundo_B{
	meta:
		description = "Worm:Win32/Vundo.B,SIGNATURE_TYPE_PEHSTR_EXT,2b 00 2b 00 0a 00 00 "
		
	strings :
		$a_02_0 = {6d 00 72 00 74 00 2e 00 65 00 78 00 65 00 [0-10] 65 00 78 00 70 00 6c 00 6f 00 72 00 65 00 72 00 2e 00 65 00 78 00 65 00 [0-80] 69 00 65 00 78 00 70 00 6c 00 6f 00 72 00 65 00 2e 00 65 00 78 00 65 00 [0-80] 6f 00 70 00 65 00 72 00 61 00 2e 00 65 00 78 00 65 00 [0-80] 66 00 69 00 72 00 65 00 66 00 6f 00 78 00 2e 00 65 00 78 00 65 00 } //10
		$a_00_1 = {53 00 6f 00 66 00 74 00 77 00 61 00 72 00 65 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 53 00 65 00 63 00 75 00 72 00 69 00 74 00 79 00 20 00 43 00 65 00 6e 00 74 00 65 00 72 00 } //10 Software\Microsoft\Security Center
		$a_00_2 = {5c 00 49 00 6e 00 74 00 65 00 72 00 6e 00 65 00 74 00 20 00 45 00 78 00 70 00 6c 00 6f 00 72 00 65 00 72 00 5c 00 50 00 68 00 69 00 73 00 68 00 69 00 6e 00 67 00 46 00 69 00 6c 00 74 00 65 00 72 00 } //10 \Internet Explorer\PhishingFilter
		$a_00_3 = {4c 00 6f 00 61 00 64 00 41 00 70 00 70 00 49 00 6e 00 69 00 74 00 5f 00 44 00 4c 00 4c 00 73 00 } //10 LoadAppInit_DLLs
		$a_03_4 = {0f b7 06 66 83 f8 41 74 ?? 66 83 f8 61 74 ?? 66 83 f8 42 74 ?? 66 83 f8 62 74 ?? 66 3b 45 f4 74 ?? 56 ff 15 ?? ?? ?? ?? 83 f8 03 74 } //2
		$a_00_5 = {66 6f 72 6d 2f 69 6e 64 65 78 2e 68 74 6d 6c } //1 form/index.html
		$a_00_6 = {47 6c 6f 62 61 6c 5c } //1 Global\
		$a_00_7 = {38 35 2e 31 32 2e 34 33 2e 31 30 32 } //1 85.12.43.102
		$a_00_8 = {65 78 66 69 63 61 6c 65 2e 63 6f 6d } //1 exficale.com
		$a_00_9 = {70 61 6e 63 6f 6c 70 2e 63 6f 6d } //1 pancolp.com
	condition:
		((#a_02_0  & 1)*10+(#a_00_1  & 1)*10+(#a_00_2  & 1)*10+(#a_00_3  & 1)*10+(#a_03_4  & 1)*2+(#a_00_5  & 1)*1+(#a_00_6  & 1)*1+(#a_00_7  & 1)*1+(#a_00_8  & 1)*1+(#a_00_9  & 1)*1) >=43
 
}
init 2024-02-05 06:12:47 -08:00
			`rule Worm_Win32_Vundo_B{`
			`meta:`
fix condition 2024-07-06 23:13:08 -07:00			`description = "Worm:Win32/Vundo.B,SIGNATURE_TYPE_PEHSTR_EXT,2b 00 2b 00 0a 00 00 "`
init 2024-02-05 06:12:47 -08:00
			`strings :`
update like regex pattern strings 2024-07-09 05:28:14 -07:00			`$a_02_0 = {6d 00 72 00 74 00 2e 00 65 00 78 00 65 00 [0-10] 65 00 78 00 70 00 6c 00 6f 00 72 00 65 00 72 00 2e 00 65 00 78 00 65 00 [0-80] 69 00 65 00 78 00 70 00 6c 00 6f 00 72 00 65 00 2e 00 65 00 78 00 65 00 [0-80] 6f 00 70 00 65 00 72 00 61 00 2e 00 65 00 78 00 65 00 [0-80] 66 00 69 00 72 00 65 00 66 00 6f 00 78 00 2e 00 65 00 78 00 65 00 } //10`
fix condition 2024-07-06 23:13:08 -07:00			`$a_00_1 = {53 00 6f 00 66 00 74 00 77 00 61 00 72 00 65 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 53 00 65 00 63 00 75 00 72 00 69 00 74 00 79 00 20 00 43 00 65 00 6e 00 74 00 65 00 72 00 } //10 Software\Microsoft\Security Center`
			`$a_00_2 = {5c 00 49 00 6e 00 74 00 65 00 72 00 6e 00 65 00 74 00 20 00 45 00 78 00 70 00 6c 00 6f 00 72 00 65 00 72 00 5c 00 50 00 68 00 69 00 73 00 68 00 69 00 6e 00 67 00 46 00 69 00 6c 00 74 00 65 00 72 00 } //10 \Internet Explorer\PhishingFilter`
			`$a_00_3 = {4c 00 6f 00 61 00 64 00 41 00 70 00 70 00 49 00 6e 00 69 00 74 00 5f 00 44 00 4c 00 4c 00 73 00 } //10 LoadAppInit_DLLs`
update like regex pattern strings 2024-07-09 05:28:14 -07:00			`$a_03_4 = {0f b7 06 66 83 f8 41 74 ?? 66 83 f8 61 74 ?? 66 83 f8 42 74 ?? 66 83 f8 62 74 ?? 66 3b 45 f4 74 ?? 56 ff 15 ?? ?? ?? ?? 83 f8 03 74 } //2`
fix condition 2024-07-06 23:13:08 -07:00			`$a_00_5 = {66 6f 72 6d 2f 69 6e 64 65 78 2e 68 74 6d 6c } //1 form/index.html`
			`$a_00_6 = {47 6c 6f 62 61 6c 5c } //1 Global\`
			`$a_00_7 = {38 35 2e 31 32 2e 34 33 2e 31 30 32 } //1 85.12.43.102`
			`$a_00_8 = {65 78 66 69 63 61 6c 65 2e 63 6f 6d } //1 exficale.com`
			`$a_00_9 = {70 61 6e 63 6f 6c 70 2e 63 6f 6d } //1 pancolp.com`
init 2024-02-05 06:12:47 -08:00			`condition:`
fix condition 2024-07-06 23:13:08 -07:00			`((#a_02_0 & 1)10+(#a_00_1 & 1)10+(#a_00_2 & 1)10+(#a_00_3 & 1)10+(#a_03_4 & 1)2+(#a_00_5 & 1)1+(#a_00_6 & 1)1+(#a_00_7 & 1)1+(#a_00_8 & 1)1+(#a_00_9 & 1)1) >=43`
init 2024-02-05 06:12:47 -08:00
			`}`