DefenderYara/Worm/Win32/Koobface/Worm_Win32_Koobface_G.yar


rule Worm_Win32_Koobface_G{
/*
 * Weighted-string detection for Worm:Win32/Koobface.G (a social-network
 * worm; the artefacts below reference myspace.com and a MyFriends.jsp
 * endpoint plus a nick/login/success/friends/captcha beacon format).
 *
 * Scoring: each string is clamped to present/absent (the `& 1`) and
 * multiplied by its weight (the number after `//` on each line). The
 * five 10-point strings total exactly 50, so the >=53 threshold means
 * ALL five must be present AND at least 3 more points must come from
 * the low-weight strings ($a_00_7 = 2 plus any 1-point string, or three
 * 1-point strings). A sample missing any one 10-point string cannot fire.
 *
 * All hex strings are plain ASCII (decoded in the trailing comments), so
 * this only catches unobfuscated/unpacked binaries in their plaintext form.
 * UrlEscapeA and InternetGetConnectedState are common Win32 imports and
 * are deliberately low weight; they contribute little on their own.
 */
meta:
// description encodes the original signature header: SIGNATURE_TYPE_PEHSTR_EXT,
// presumably followed by the threshold 0x35 = 53 (matches the condition) and
// 0x0a = 10, the number of strings -- verify against the converter if relied on.
description = "Worm:Win32/Koobface.G,SIGNATURE_TYPE_PEHSTR_EXT,35 00 35 00 0a 00 00 "
strings :
// --- 10-point strings: all five are required to reach the threshold ---
$a_00_0 = {6d 79 73 70 61 63 65 2e 63 6f 6d } //10 myspace.com
$a_00_1 = {64 65 6c 20 22 25 73 22 } //10 del "%s"  (batch-file self-deletion fragment)
$a_00_2 = {25 73 20 22 25 73 22 20 67 6f 74 6f } //10 %s "%s" goto  (batch retry-loop fragment)
$a_00_3 = {25 73 5c 65 78 5f 25 64 2e 65 78 65 } //10 %s\ex_%d.exe  (dropped payload filename pattern)
$a_00_4 = {55 73 65 25 73 69 6c 6c 25 73 6e 64 25 73 76 } //10 Use%sill%snd%sv  (format-string-split literal)
// --- low-weight strings: at least 3 points needed from these ---
$a_00_5 = {68 74 74 70 3a 2f 2f 77 77 77 2e 25 73 2f 4d 79 46 72 69 65 6e 64 73 2e 6a 73 70 } //1 http://www.%s/MyFriends.jsp
// NOTE(review): decodes as regedit /s c:\ <90 02 02> .reg <90 00>. The bytes
// 90 02 02 / 90 00 are not printable ASCII and look like an undecoded
// wildcard/jump encoding from the source signature rather than literal
// content; if so this string will never match a real sample and should be
// re-encoded as a YARA jump (e.g. `[0-2]`) -- confirm against the converter
// before changing, since it alters detection.
$a_02_6 = {72 65 67 65 64 69 74 20 2f 73 20 63 3a 5c 90 02 02 2e 72 65 67 90 00 } //1
$a_00_7 = {6e 69 63 6b 3d 25 73 26 6c 6f 67 69 6e 3d 25 73 26 73 75 63 63 65 73 73 3d 25 64 26 66 72 69 65 6e 64 73 3d 25 64 26 63 61 70 74 63 68 61 3d 25 64 } //2 nick=%s&login=%s&success=%d&friends=%d&captcha=%d  (C2 beacon query format)
$a_00_8 = {55 72 6c 45 73 63 61 70 65 41 } //1 UrlEscapeA  (shlwapi import name)
$a_00_9 = {49 6e 74 65 72 6e 65 74 47 65 74 43 6f 6e 6e 65 63 74 65 64 53 74 61 74 65 } //1 InternetGetConnectedState  (wininet import name)
condition:
// `#x & 1` turns the match count into 0/1 so repeated occurrences do not
// inflate the score; weights follow the per-string comments above.
((#a_00_0 & 1)*10+(#a_00_1 & 1)*10+(#a_00_2 & 1)*10+(#a_00_3 & 1)*10+(#a_00_4 & 1)*10+(#a_00_5 & 1)*1+(#a_02_6 & 1)*1+(#a_00_7 & 1)*2+(#a_00_8 & 1)*1+(#a_00_9 & 1)*1) >=53
}