29 lines
1.8 KiB
Plaintext
29 lines
1.8 KiB
Plaintext
|
|
rule Worm_Win32_Womble_D{
|
|
meta:
|
|
description = "Worm:Win32/Womble.D,SIGNATURE_TYPE_PEHSTR,0f 00 0e 00 13 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {66 61 73 74 6d 61 69 6c 2e } //01 00 fastmail.
|
|
$a_01_1 = {67 72 61 66 66 69 74 69 2e } //01 00 graffiti.
|
|
$a_01_2 = {2e 63 6f 6d 2f 63 75 72 72 65 6e 74 2f } //01 00 .com/current/
|
|
$a_01_3 = {3f 61 3d 25 64 26 64 3d 30 3a 30 3a 25 64 } //01 00 ?a=%d&d=0:0:%d
|
|
$a_01_4 = {3c 66 72 61 6d 65 20 73 72 63 3d } //01 00 <frame src=
|
|
$a_01_5 = {45 78 70 6c 6f 72 65 72 5c 53 68 65 6c 6c 20 46 6f 6c 64 65 72 73 } //01 00 Explorer\Shell Folders
|
|
$a_01_6 = {61 70 70 6c 69 63 61 74 69 6f 6e 2f 70 64 66 } //01 00 application/pdf
|
|
$a_01_7 = {49 6e 74 65 72 6e 65 74 20 41 63 63 6f 75 6e 74 20 4d 61 6e 61 67 65 72 5c 41 63 63 6f 75 6e 74 73 } //01 00 Internet Account Manager\Accounts
|
|
$a_01_8 = {50 72 65 66 65 72 65 6e 63 65 3d } //01 00 Preference=
|
|
$a_01_9 = {63 6f 6e 6e 65 63 74 20 74 6f 20 73 65 72 76 65 72 20 25 73 2c 20 25 64 } //01 00 connect to server %s, %d
|
|
$a_01_10 = {4c 6f 6f 6b 20 61 74 20 74 68 69 73 21 } //01 00 Look at this!
|
|
$a_01_11 = {70 61 73 73 77 6f 72 64 73 2e 64 6f 63 } //01 00 passwords.doc
|
|
$a_01_12 = {5f 53 54 41 52 54 5f 46 49 4c 45 5f } //01 00 _START_FILE_
|
|
$a_01_13 = {5f 45 4e 44 5f 46 49 4c 45 5f } //01 00 _END_FILE_
|
|
$a_01_14 = {5f 45 4e 44 5f 41 44 44 52 53 5f } //01 00 _END_ADDRS_
|
|
$a_01_15 = {48 45 4c 4f 20 25 73 } //01 00 HELO %s
|
|
$a_01_16 = {55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 20 4f 75 74 6c 6f 6f 6b } //01 00 User-Agent: Microsoft Outlook
|
|
$a_01_17 = {44 61 74 65 3a 20 25 73 2c 20 25 2e 32 64 20 25 73 20 25 2e 34 64 } //01 00 Date: %s, %.2d %s %.4d
|
|
$a_01_18 = {46 72 6f 6d 3a 20 22 25 73 22 20 3c 25 73 3e } //00 00 From: "%s" <%s>
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |