DefenderYara/Worm/Win32/Amend/Worm_Win32_Amend_A.yar


// Worm:Win32/Amend.A — string-based PE signature (SIGNATURE_TYPE_PEHSTR per the
// description below). Seven equally weighted strings; the sample is flagged when
// at least five of them are present. All seven strings are UTF-16LE (every ASCII
// byte is followed by 00), so they only match the wide-string form shown in each
// trailing comment, not a narrow ASCII copy.
rule Worm_Win32_Amend_A{
meta:
// "05 00 05 00 07 00 00" presumably encodes the threshold (5) and string count (7)
// of the original Defender signature; it agrees with the condition below — unconfirmed.
description = "Worm:Win32/Amend.A,SIGNATURE_TYPE_PEHSTR,05 00 05 00 07 00 00 "
strings :
// Autorun.inf-style launch line pointing at a "Comand.com" lookalike of command.com.
$a_01_0 = {4f 00 50 00 45 00 4e 00 3d 00 43 00 6f 00 6d 00 61 00 6e 00 64 00 2e 00 63 00 6f 00 6d 00 } //1 OPEN=Comand.com
// Shell command that exposes drive D: as an administrative share.
$a_01_1 = {63 00 6d 00 64 00 20 00 2f 00 63 00 20 00 6e 00 65 00 74 00 20 00 73 00 68 00 61 00 72 00 65 00 20 00 44 00 24 00 3d 00 64 00 3a 00 5c 00 } //1 cmd /c net share D$=d:\
// Process name spelled with a digit one to resemble lsass.exe.
$a_01_2 = {31 00 73 00 61 00 73 00 73 00 2e 00 65 00 78 00 65 00 } //1 1sass.exe
// Embedded e-mail address.
$a_01_3 = {65 00 72 00 75 00 5f 00 6b 00 6b 00 6b 00 40 00 73 00 6f 00 68 00 75 00 2e 00 63 00 6f 00 6d 00 } //1 eru_kkk@sohu.com
// Three decoy / social-engineering message strings embedded in the binary.
$a_01_4 = {54 00 68 00 69 00 73 00 20 00 46 00 69 00 6c 00 65 00 20 00 49 00 73 00 20 00 57 00 72 00 6f 00 6e 00 67 00 21 00 20 00 50 00 6c 00 65 00 61 00 73 00 65 00 20 00 74 00 72 00 79 00 20 00 69 00 74 00 20 00 61 00 67 00 61 00 69 00 6e 00 21 00 21 00 } //1 This File Is Wrong! Please try it again!!
$a_01_5 = {4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 56 00 69 00 73 00 75 00 61 00 6c 00 20 00 53 00 74 00 75 00 64 00 69 00 6f 00 20 00 20 00 69 00 73 00 20 00 66 00 6f 00 75 00 6e 00 64 00 20 00 41 00 20 00 4c 00 4f 00 54 00 20 00 42 00 55 00 47 00 21 00 20 00 54 00 72 00 79 00 20 00 74 00 6f 00 20 00 72 00 65 00 70 00 61 00 69 00 72 00 20 00 62 00 79 00 20 00 61 00 74 00 74 00 61 00 63 00 68 00 6d 00 65 00 6e 00 74 00 73 00 21 00 } //1 Microsoft Visual Studio is found A LOT BUG! Try to repair by attachments!
$a_01_6 = {54 00 68 00 65 00 20 00 62 00 65 00 73 00 74 00 20 00 69 00 6d 00 70 00 6f 00 72 00 74 00 61 00 6e 00 74 00 20 00 6d 00 65 00 6e 00 64 00 20 00 6f 00 66 00 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 2c 00 50 00 6c 00 65 00 61 00 73 00 65 00 20 00 72 00 75 00 6e 00 20 00 74 00 68 00 65 00 20 00 6d 00 65 00 6e 00 64 00 21 00 21 00 } //1 The best important mend of Microsoft ,Please run the mend!!
condition:
// Weighted sum: each string contributes its weight (all 1 here) and the total must reach 5.
// NOTE(review): `#x & 1` is the match count masked to its low bit, i.e. odd/even parity,
// not presence — a string that occurs an even number of times contributes 0. This looks
// like a converter convention for "present" and is kept as-is; confirm before relying on
// it for strings that may legitimately repeat.
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1) >=5
}
// Worm:Win32/Amend.A, second variant signature (SIGNATURE_TYPE_PEHSTR_EXT per the
// description). Weighted scoring: one 100-point string, three 10-point strings and
// twenty 1-point strings (maximum 150), threshold 147. Arithmetically that means the
// 100-point VB6 runtime path AND all three 10-point strings must match, plus at least
// 17 of the 20 one-point strings — dropping any high-weight string caps the score below 147.
rule Worm_Win32_Amend_A_2{
meta:
// "ffffff93 00 ffffff93 00 18 00 00": 0x93 = 147 matches the condition threshold and
// 0x18 = 24 the number of strings; presumably a sign-extended byte from the original
// signature header — unconfirmed.
description = "Worm:Win32/Amend.A,SIGNATURE_TYPE_PEHSTR_EXT,ffffff93 00 ffffff93 00 18 00 00 "
strings :
// Narrow ASCII (no interleaved 00 bytes), unlike every other string in this rule:
// VB6 type-library path typical of Visual Basic 6 binaries. Weight 100.
$a_00_0 = {5c 50 72 6f 67 72 61 6d 20 46 69 6c 65 73 5c 4d 69 63 72 6f 73 6f 66 74 20 56 69 73 75 61 6c 20 53 74 75 64 69 6f 5c 56 42 39 38 5c 56 42 36 2e 4f 4c 42 } //100 \Program Files\Microsoft Visual Studio\VB98\VB6.OLB
// UTF-16LE from here on. Administrative-share exposure of C:, Outlook automation object,
// and an HTML <script language=...script> tag — each weight 10.
$a_00_1 = {63 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 2e 00 63 00 6f 00 6d 00 20 00 2f 00 63 00 20 00 6e 00 65 00 74 00 20 00 73 00 68 00 61 00 72 00 65 00 20 00 43 00 24 00 3d 00 63 00 3a 00 5c 00 } //10 command.com /c net share C$=c:\
$a_00_2 = {4f 00 75 00 74 00 6c 00 6f 00 6f 00 6b 00 2e 00 41 00 70 00 70 00 6c 00 69 00 63 00 61 00 74 00 69 00 6f 00 6e 00 } //10 Outlook.Application
// "<script language=" [0-4 wildcard bytes] "script>"; the jump stands in for the language
// value (no decoded-text comment exists for this one because of the wildcard).
$a_02_3 = {3c 00 73 00 63 00 72 00 69 00 70 00 74 00 20 00 6c 00 61 00 6e 00 67 00 75 00 61 00 67 00 65 00 3d 00 [0-04] 73 00 63 00 72 00 69 00 70 00 74 00 3e 00 } //10
// One-point strings: process/file names, a Winlogon registry path, a local-admin
// creation command, the NoDriveTypeAutoRun value name, autorun.inf fragments, and
// the decoy archive/executable names the worm writes. Decoded text is in each trailing comment.
$a_00_4 = {54 00 45 00 4e 00 43 00 45 00 4e 00 54 00 20 00 54 00 52 00 41 00 56 00 45 00 4c 00 45 00 52 00 } //1 TENCENT TRAVELER
$a_00_5 = {63 00 74 00 66 00 6d 00 6f 00 6e 00 2e 00 65 00 78 00 65 00 } //1 ctfmon.exe
$a_00_6 = {48 00 4b 00 45 00 59 00 5f 00 4c 00 4f 00 43 00 41 00 4c 00 5f 00 4d 00 41 00 43 00 48 00 49 00 4e 00 45 00 5c 00 53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 4e 00 54 00 5c 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 5c 00 57 00 69 00 6e 00 6c 00 6f 00 67 00 6f 00 6e 00 } //1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
$a_00_7 = {46 00 6f 00 6c 00 64 00 65 00 72 00 2e 00 68 00 74 00 74 00 } //1 Folder.htt
$a_00_8 = {75 00 73 00 65 00 72 00 69 00 6e 00 69 00 74 00 2e 00 65 00 78 00 65 00 2c 00 72 00 65 00 67 00 65 00 64 00 69 00 74 00 33 00 32 00 2e 00 63 00 6f 00 6d 00 } //1 userinit.exe,regedit32.com
$a_00_9 = {5c 00 73 00 79 00 73 00 74 00 65 00 6d 00 33 00 32 00 5c 00 6e 00 6f 00 74 00 65 00 70 00 61 00 64 00 2e 00 65 00 78 00 65 00 } //1 \system32\notepad.exe
$a_00_10 = {63 00 6d 00 64 00 20 00 2f 00 63 00 20 00 6e 00 65 00 74 00 20 00 6c 00 6f 00 63 00 61 00 6c 00 67 00 72 00 6f 00 75 00 70 00 20 00 61 00 64 00 6d 00 69 00 6e 00 69 00 73 00 74 00 72 00 61 00 74 00 6f 00 72 00 73 00 20 00 61 00 64 00 6d 00 69 00 6e 00 20 00 20 00 2f 00 61 00 64 00 64 00 } //1 cmd /c net localgroup administrators admin /add
$a_00_11 = {4e 00 6f 00 44 00 72 00 69 00 76 00 65 00 54 00 79 00 70 00 65 00 41 00 75 00 74 00 6f 00 52 00 75 00 6e 00 } //1 NoDriveTypeAutoRun
$a_00_12 = {4b 00 61 00 73 00 70 00 65 00 72 00 73 00 6b 00 79 00 20 00 3d 00 20 00 52 00 65 00 70 00 6c 00 61 00 63 00 65 00 28 00 4b 00 61 00 73 00 70 00 65 00 72 00 73 00 6b 00 79 00 2c 00 20 00 43 00 68 00 72 00 28 00 34 00 32 00 29 00 2c 00 20 00 43 00 68 00 72 00 28 00 33 00 34 00 29 00 29 00 } //1 Kaspersky = Replace(Kaspersky, Chr(42), Chr(34))
$a_00_13 = {5b 00 61 00 75 00 74 00 6f 00 72 00 75 00 6e 00 5d 00 } //1 [autorun]
$a_00_14 = {53 00 68 00 65 00 6c 00 6c 00 65 00 78 00 65 00 63 00 75 00 74 00 65 00 3d 00 63 00 6f 00 6d 00 61 00 6e 00 64 00 2e 00 63 00 6f 00 6d 00 } //1 Shellexecute=comand.com
$a_00_15 = {5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 56 00 69 00 73 00 75 00 61 00 6c 00 53 00 74 00 75 00 64 00 69 00 6f 00 5f 00 42 00 75 00 47 00 2e 00 72 00 61 00 72 00 } //1 \MicrosoftVisualStudio_BuG.rar
$a_00_16 = {5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 56 00 69 00 73 00 75 00 61 00 6c 00 53 00 74 00 75 00 64 00 69 00 6f 00 5f 00 42 00 75 00 47 00 2e 00 65 00 78 00 65 00 } //1 \MicrosoftVisualStudio_BuG.exe
$a_00_17 = {5c 00 47 00 61 00 6d 00 65 00 70 00 72 00 6f 00 67 00 72 00 61 00 6d 00 2e 00 70 00 69 00 66 00 } //1 \Gameprogram.pif
$a_00_18 = {5c 00 49 00 6d 00 70 00 6f 00 72 00 74 00 61 00 6e 00 74 00 46 00 69 00 6c 00 65 00 2e 00 64 00 6f 00 63 00 2e 00 65 00 78 00 65 00 } //1 \ImportantFile.doc.exe
$a_00_19 = {5c 00 42 00 65 00 61 00 75 00 74 00 69 00 66 00 75 00 6c 00 67 00 69 00 72 00 6c 00 2e 00 72 00 61 00 72 00 } //1 \Beautifulgirl.rar
$a_00_20 = {5c 00 41 00 63 00 63 00 6f 00 75 00 6e 00 74 00 61 00 66 00 66 00 69 00 72 00 6d 00 2e 00 72 00 61 00 72 00 } //1 \Accountaffirm.rar
$a_00_21 = {5c 00 47 00 61 00 6d 00 65 00 70 00 72 00 6f 00 67 00 72 00 61 00 6d 00 2e 00 72 00 61 00 72 00 } //1 \Gameprogram.rar
$a_00_22 = {5c 00 49 00 6d 00 70 00 6f 00 72 00 74 00 61 00 6e 00 74 00 46 00 69 00 6c 00 65 00 2e 00 72 00 61 00 72 00 } //1 \ImportantFile.rar
$a_00_23 = {77 00 69 00 6e 00 74 00 72 00 61 00 79 00 2e 00 65 00 78 00 65 00 } //1 wintray.exe
condition:
// Weighted sum of per-string presence bits against the 147-point threshold (max 150).
// NOTE(review): `#x & 1` is match-count parity, not presence — a string occurring an even
// number of times scores 0. Kept as the converter emitted it; worth confirming for the
// 100-point VB6.OLB path, which is the one string a match cannot do without.
((#a_00_0 & 1)*100+(#a_00_1 & 1)*10+(#a_00_2 & 1)*10+(#a_02_3 & 1)*10+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*1+(#a_00_9 & 1)*1+(#a_00_10 & 1)*1+(#a_00_11 & 1)*1+(#a_00_12 & 1)*1+(#a_00_13 & 1)*1+(#a_00_14 & 1)*1+(#a_00_15 & 1)*1+(#a_00_16 & 1)*1+(#a_00_17 & 1)*1+(#a_00_18 & 1)*1+(#a_00_19 & 1)*1+(#a_00_20 & 1)*1+(#a_00_21 & 1)*1+(#a_00_22 & 1)*1+(#a_00_23 & 1)*1) >=147
}