19 lines
2.1 KiB
Plaintext
19 lines
2.1 KiB
Plaintext
|
|
rule SupportScam_MSIL_TechscamBSOD_A{
|
|
meta:
|
|
description = "SupportScam:MSIL/TechscamBSOD.A,SIGNATURE_TYPE_PEHSTR,06 00 06 00 08 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {5c 53 79 73 74 65 6d 5f 4f 70 74 69 6d 69 7a 65 72 5c 53 59 53 42 6c 75 65 53 63 72 65 65 6e 77 69 6e 37 5c 53 42 53 43 50 5c 6f 62 6a 5c 78 38 36 5c 52 65 6c 65 61 73 65 5c 53 42 53 43 50 2e 70 64 62 00 } //01 00 卜獹整彭灏楴業敺屲奓䉓畬卥牣敥睮湩尷䉓䍓屐扯屪㡸尶敒敬獡履䉓䍓⹐摰b
|
|
$a_01_1 = {43 00 6f 00 6e 00 66 00 69 00 72 00 6d 00 20 00 74 00 6f 00 20 00 72 00 65 00 73 00 74 00 61 00 72 00 74 00 20 00 74 00 68 00 65 00 20 00 63 00 6f 00 6d 00 70 00 75 00 74 00 65 00 72 00 } //01 00 Confirm to restart the computer
|
|
$a_01_2 = {5c 00 56 00 69 00 6e 00 43 00 45 00 } //01 00 \VinCE
|
|
$a_01_3 = {53 00 74 00 69 00 6c 00 6c 00 20 00 74 00 68 00 65 00 20 00 65 00 72 00 72 00 6f 00 72 00 20 00 6f 00 63 00 63 00 75 00 72 00 73 00 20 00 61 00 6e 00 64 00 20 00 77 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 77 00 61 00 73 00 20 00 6e 00 6f 00 74 00 20 00 61 00 62 00 6c 00 65 00 20 00 74 00 6f 00 20 00 66 00 69 00 78 00 20 00 69 00 74 00 2e 00 20 00 43 00 61 00 6c 00 6c 00 20 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 73 00 75 00 70 00 70 00 6f 00 72 00 74 00 20 00 66 00 6f 00 72 00 20 00 70 00 6f 00 73 00 73 00 69 00 62 00 6c 00 65 00 20 00 66 00 69 00 78 00 65 00 73 00 } //01 00 Still the error occurs and windows was not able to fix it. Call Windows support for possible fixes
|
|
$a_01_4 = {70 00 61 00 79 00 6d 00 65 00 6e 00 74 00 40 00 76 00 69 00 74 00 68 00 6f 00 62 00 61 00 61 00 2e 00 63 00 6f 00 6d 00 } //01 00 payment@vithobaa.com
|
|
$a_01_5 = {56 00 69 00 74 00 68 00 6f 00 62 00 61 00 61 00 23 00 31 00 31 00 39 00 31 00 } //01 00 Vithobaa#1191
|
|
$a_01_6 = {53 42 53 43 50 2e 50 72 6f 70 65 72 74 69 65 73 00 } //01 00
|
|
$a_01_7 = {24 66 35 64 30 61 36 62 66 2d 32 31 63 30 2d 34 38 64 63 2d 39 31 30 63 2d 65 39 31 31 62 66 34 36 34 36 62 30 00 } //00 00 昤搵愰戶ⵦㄲっ㐭搸ⵣㄹ挰攭ㄹ戱㑦㐶戶0
|
|
$a_01_8 = {00 5d 04 00 } //00 55
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |