DefenderYara/Worm/Win32/Phorpiex/Worm_Win32_Phorpiex_Y.yar


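// Worm:Win32/Phorpiex.Y — PE string signature exported from a Defender PEHSTR_EXT entry.
//
// Two fixes relative to the raw export:
//   * The exported byte strings still carried the Defender wildcard encoding
//     (90 01 XX = skip exactly XX bytes, 90 02 XX = skip 0..XX bytes, 90 00 = end of
//     pattern). As literal YARA bytes those sequences never appear in the sample, so
//     the rule could not match; they are translated to YARA jumps (`??`, `[0-2]`).
//   * The condition was `any of ($a_*)` while the list also carried a trailing 3-byte
//     entry `{80 10 00}` (trailer `00 9a`). A 3-byte pattern under `any of` fires on
//     nearly every file. The header declares 5 strings and the entry is the 6th, so it
//     appears to be export trailer bytes rather than a signature string and is dropped.
//
// Header "04 00 04 00 05 00 00 01 00": appears to read as threshold 4 / 4 over 5 strings,
// with the `//01 00` trailers as per-string weights of 1 — verify against the exporter's
// format if the threshold is tuned.
rule Worm_Win32_Phorpiex_Y
{
    meta:
        description = "Worm:Win32/Phorpiex.Y,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 05 00 00 01 00 "

    strings:
        // Code fragment: two `add reg,2` steps, a byte test, then a call through a stack-relative
        // address. Wildcards are the rel8 branch targets and the stack displacement.
        $a_03_0 = { 83 c0 02 83 c1 02 84 d2 75 ?? 33 c0 eb 05 1b c0 83 d8 ff 85 c0 74 ?? 8d 4c 24 ?? 51 56 e8 } //01 00

        // "%s\rmrf%i%i%i%i.bat\0" — format string for a generated batch file name.
        $a_01_1 = { 25 73 5c 72 6d 72 66 25 69 25 69 25 69 25 69 2e 62 61 74 00 } //01 00

        // "\Home\Code\Skyper" [0-2] "\Release\Skype.pdb" — build-path PDB string.
        $a_03_2 = { 5c 48 6f 6d 65 5c 43 6f 64 65 5c 53 6b 79 70 65 72 [0-2] 5c 52 65 6c 65 61 73 65 5c 53 6b 79 70 65 2e 70 64 62 } //01 00

        // "\x\Desktop\Home\Code\IMworm" [0-2] "\Release\Skype.pdb" — second build-path PDB string.
        $a_03_3 = { 5c 78 5c 44 65 73 6b 74 6f 70 5c 48 6f 6d 65 5c 43 6f 64 65 5c 49 4d 77 6f 72 6d [0-2] 5c 52 65 6c 65 61 73 65 5c 53 6b 79 70 65 2e 70 64 62 } //01 00

        // "TZapCommunicator" — class/type name string.
        $a_01_4 = { 54 5a 61 70 43 6f 6d 6d 75 6e 69 63 61 74 6f 72 } //01 00 TZapCommunicator

    condition:
        // PEHSTR_EXT signatures apply to PE files; the MZ check keeps the short code
        // fragment from being evaluated against arbitrary data. Threshold follows the
        // header: 4 of the 5 weight-1 strings.
        uint16(0) == 0x5a4d and 4 of ($a_*)
}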