DefenderYara/Spammer/Win32/Boblat/Spammer_Win32_Boblat_A.yar


// Detection for Spammer:Win32/Boblat.A, converted from a Microsoft Defender
// PEHSTR_EXT signature: a weighted byte-pattern match with a score threshold.
// The number in each pattern's trailing comment is its weight in the original
// signature; printable patterns also carry their ASCII decode.
rule Spammer_Win32_Boblat_A{
meta:
description = "Spammer:Win32/Boblat.A,SIGNATURE_TYPE_PEHSTR_EXT,11 00 11 00 06 00 00 "
strings :
// Weight 10. Wildcard bytes (??) stand for variable branch displacements.
// NOTE(review): looks like x86 code (cmp eax,imm32 / je ... / xor eax,eax ;
// inc eax ; mov [global],eax) - confirm against a sample before relying on it.
$a_02_0 = {3d 0e 00 07 80 74 ?? 3d 08 00 0c 80 74 ?? 3b c7 75 ?? 33 c0 40 a3 } //10
// Weight 5. Presumably an argument-push sequence (push eax / push imm32 / push edi).
$a_00_1 = {50 68 13 00 00 20 57 } //5
// Weight 1. Presumably six movzx-from-[esi+offset] / push pairs over consecutive
// byte fields (0x199 down to 0x194) - verify in a disassembler if this is edited.
$a_00_2 = {0f b6 86 99 01 00 00 50 0f b6 86 99 01 00 00 50 0f b6 86 97 01 00 00 50 0f b6 86 96 01 00 00 50 0f b6 86 95 01 00 00 50 0f b6 86 94 01 00 00 50 } //1
// Weight 1. MIME multipart boundary marker used by the Blat mailer.
$a_01_3 = {2d 2d 3d 5f 42 6c 61 74 42 6f 75 6e 64 61 72 79 2d } //1 --=_BlatBoundary-
// Weight 1. URL format string.
$a_01_4 = {68 74 74 70 3a 2f 2f 25 73 25 73 25 73 } //1 http://%s%s%s
// Weight 1. Server-side path fragment.
$a_01_5 = {2f 73 6d 74 70 2f 73 6d 74 70 2e 70 68 70 } //1 /smtp/smtp.php
condition:
// Weighted score against a threshold of 17. The maximum score is 19
// (10+5+1+1+1+1), so $a_02_0 and $a_00_1 are both required, plus at least
// two of the four weight-1 patterns.
// NOTE(review): #x is the occurrence count and `& 1` keeps only its low bit,
// so a pattern contributes its weight only when it occurs an ODD number of
// times; an even count scores 0. This is the conversion idiom used for these
// signatures and is presumably meant as a presence test - keep that quirk in
// mind when comparing hits against the original Defender signature.
((#a_02_0 & 1)*10+(#a_00_1 & 1)*5+(#a_00_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1) >=17
}