DefenderYara/Worm/Win32/Catchdens/Worm_Win32_Catchdens_A.yar


// Detection rule for Worm:Win32/Catchdens.A, expressed as seven x86 byte
// patterns ($a_01_* are exact, $a_03_* contain ?? wildcards / [0-N] jumps).
// The meta description carries the Defender signature type
// (SIGNATURE_TYPE_PEHSTR_EXT) and its raw header bytes; the condition below
// reproduces that signature's threshold: each pattern counts once if present
// (`#a & 1`, i.e. presence, not occurrence count) and at least 3 of the 7
// must match. No PE-header or filesize guard is present, so the rule scans
// any input; consider adding one if tuning for throughput — confirm against
// the original signature scope first.
rule Worm_Win32_Catchdens_A{
meta:
description = "Worm:Win32/Catchdens.A,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 07 00 00 "
strings :
// Looks like: cmp byte [eax],'/' / jne / cmp byte [eax+1],'b' / jne — a
// two-character prefix check; TODO confirm via disassembly.
$a_01_0 = {80 38 2f 75 10 80 78 01 62 75 0a } //1
// Same '/' then 'b' check as $a_01_0, continued with a third compare against
// 'i' ([eax+2]); presumably a variant of the same prefix test.
$a_01_1 = {80 38 2f 75 22 8a 48 01 80 f9 62 75 1a 80 78 02 69 } //1
// NOTE(review): 0f 00 45 f4 appears to be an `sldt` store to a stack slot
// followed by byte compares — a pattern associated with LDT-based
// virtualization checks; verify before relying on this interpretation.
$a_01_2 = {0f 00 45 f4 38 5d f4 74 09 38 5d f5 0f 85 } //1
// Looks like a byte-wise XOR loop with an incrementing single-byte key
// (xor [eax+esi],cl / inc cl / inc eax / cmp / jb); wildcard covers the
// compare operand. TODO confirm.
$a_03_3 = {30 0c 30 fe c1 40 3b [0-02] 72 } //1
// Loop over 26 bits (cmp ecx,1Ah) with the index later offset by 41h ('A');
// presumably iterates a drive-letter bitmask — confirm against the sample.
$a_03_4 = {33 c9 a8 01 75 ?? d1 e8 41 83 f9 1a 7c f4 8b [0-06] eb 06 83 c1 41 } //1
// Compares a 16-bit value against up to 8 words starting at +F8h of a
// global (wildcarded absolute address); meaning of the table not recoverable
// from the rule alone.
$a_03_5 = {0f b7 c8 a1 ?? ?? ?? ?? 33 d2 05 f8 00 00 00 66 39 08 74 12 42 40 40 83 fa 08 7c f3 } //1
// push imm8 / pop eax / mov [ebp+?],ax sequence building a wide string on
// the stack; the immediates are 'a','u','t','o','r' — likely the start of a
// longer word, TODO confirm.
$a_03_6 = {6a 61 58 6a 75 66 89 45 ?? 58 6a 74 66 89 45 ?? 58 6a 6f 66 89 45 ?? 58 6a 72 } //1
condition:
// Weighted presence sum: every pattern weighs 1 (the trailing //1 on each
// string); fire when at least 3 distinct patterns are found.
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_03_3 & 1)*1+(#a_03_4 & 1)*1+(#a_03_5 & 1)*1+(#a_03_6 & 1)*1) >=3
}