21 lines
1.3 KiB
Plaintext
21 lines
1.3 KiB
Plaintext
|
|
rule Worm_Win32_Skuffbot_A{
|
|
meta:
|
|
description = "Worm:Win32/Skuffbot.A,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 0b 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {8a 04 01 88 45 ec 8b 45 fc 2b 45 f4 8b 4d 08 8a 44 01 01 88 45 ed 80 65 ee 00 6a 10 6a 00 8d 45 ec 50 e8 } //3
|
|
$a_00_1 = {73 6b 75 66 66 73 00 } //1
|
|
$a_01_2 = {02 03 30 34 20 4e 65 77 } //1 ̂㐰丠睥
|
|
$a_01_3 = {6e 69 67 67 61 00 } //1 楮杧a
|
|
$a_00_4 = {55 6e 6b 6e 6f 77 6e 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 20 77 68 69 6c 65 20 64 6f 77 6e 6c 6f 61 64 69 6e 67 20 3a 7c 00 } //1
|
|
$a_01_5 = {2f 4e 45 57 53 48 49 54 00 } //1
|
|
$a_00_6 = {46 61 69 6c 65 64 20 74 6f 20 73 74 61 72 74 20 64 6c 20 74 68 72 65 61 64 2e 00 } //1
|
|
$a_00_7 = {72 61 6e 20 6e 65 77 2c 20 71 75 69 74 74 69 6e 67 20 6f 6c 64 2e 2e 2e 00 } //1
|
|
$a_01_8 = {2f 00 75 00 70 00 64 00 00 00 00 00 2f 00 6e 00 65 00 77 00 00 00 } //2
|
|
$a_01_9 = {74 00 66 00 6e 00 00 00 5c 00 75 00 70 00 64 00 61 00 74 00 65 00 2e 00 65 00 78 00 65 00 00 00 } //2
|
|
$a_00_10 = {7b 44 4c 7d 3a 20 9b 20 25 73 20 28 25 73 29 20 2d 20 55 70 64 61 74 65 3a 20 25 73 } //2
|
|
condition:
|
|
((#a_01_0 & 1)*3+(#a_00_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_00_4 & 1)*1+(#a_01_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_01_8 & 1)*2+(#a_01_9 & 1)*2+(#a_00_10 & 1)*2) >=5
|
|
|
|
} |