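/*
    Worm_Win32_Small_AF

    Matches files that contain at least three of four fixed byte sequences.
    Each sequence is ASCII text separated by NUL padding; the decoded text is
    given next to each pattern so an analyst can read a hit without a hex
    editor.

    NOTE(review): the description string looks machine-generated from an
    antivirus signature; the meaning of the trailing hex bytes is not
    documented here, so it is kept verbatim.
    NOTE(review): the rule does not restrict the file type. The signature type
    name suggests it was written for PE files; decide whether a header check
    fits your scan scope (files on disk versus memory dumps) before adding one.
*/
rule Worm_Win32_Small_AF
{
    meta:
        description = "Worm:Win32/Small.AF,SIGNATURE_TYPE_PEHSTR_EXT,04 00 03 00 04 00 00 "

    strings:
        // "LE\0\0angel\0\0\0password\0\0\0\0passwd" (weight 1)
        // Reads like a fragment of an embedded word list.
        $a_01_0 = {4c 45 00 00 61 6e 67 65 6c 00 00 00 70 61 73 73 77 6f 72 64 00 00 00 00 70 61 73 73 77 64 } //1

        // "barrysworld.com\0\0\0\0DATA" (weight 1)
        $a_01_1 = {62 61 72 72 79 73 77 6f 72 6c 64 2e 63 6f 6d 00 00 00 00 44 41 54 41 } //1

        // "HELO <\0\0209.85.133.114\0\0WUpdate" (weight 1)
        // NOTE(review): an SMTP greeting next to a hard-coded IPv4 address;
        // confirm who owns the address before reusing it as a network
        // indicator on its own, since it may be shared infrastructure.
        $a_01_2 = {48 45 4c 4f 20 3c 00 00 32 30 39 2e 38 35 2e 31 33 33 2e 31 31 34 00 00 57 55 70 64 61 74 65 } //1

        // "hInfo0802@gmail.com\0\0\0\0test1234" (weight 1)
        $a_01_3 = {68 49 6e 66 6f 30 38 30 32 40 67 6d 61 69 6c 2e 63 6f 6d 00 00 00 00 74 65 73 74 31 32 33 34 } //1

    condition:
        // The previous form scored each string as (#s & 1), which is the low
        // bit of the occurrence count: a string present an even number of
        // times (2, 4, ...) scored 0, so a file carrying duplicated copies of
        // these strings could fall below the threshold and be missed.
        // All weights are 1 and the threshold is 3, so "3 of" expresses the
        // same intent on presence rather than on parity.
        3 of ($a_01_*)
}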