DefenderYara/Worm/Win32/Mytob/Worm_Win32_Mytob.yar


rule Worm_Win32_Mytob
{
    meta:
        // Microsoft Defender signature header carried over from the original
        // PEHSTR record. Of the little-endian words, 0x0010 (= 16) is the
        // score threshold used in the condition and 0x0027 (= 39) is the
        // number of strings ($a_01_0 .. $a_01_38); the first word (0x0019)
        // is not interpreted here.
        description = "Worm:Win32/Mytob,SIGNATURE_TYPE_PEHSTR,19 00 10 00 27 00 00 "

    strings:
        // Each string carries a weight (w=N); the condition sums the weights of
        // the strings present and fires at a total of 16 or more.

        // --- persistence / host artefacts ---
        $a_01_0  = {5c 43 75 72 72 65 6e 74 43 6f 6e 74 72 6f 6c 53 65 74 5c 53 65 72 76 69 63 65 73 5c 53 68 61 72 65 64 41 63 63 65 73 73 } // w=1 "\CurrentControlSet\Services\SharedAccess" (registry path of the SharedAccess service)
        $a_01_1  = {2e 68 65 6c 6c 2e } // w=1 ".hell."
        $a_01_2  = {5b 42 4f 54 5d } // w=2 "[BOT]"
        $a_01_3  = {62 6f 74 7a 6f 72 } // w=2 "botzor"

        // --- "[x]" status messages ---
        $a_01_4  = {5b 78 5d 20 43 6f 6e 6e 65 63 74 65 64 20 74 6f } // w=2 "[x] Connected to"
        $a_01_5  = {5b 78 5d 20 41 74 74 65 6d 70 74 69 6e 67 20 74 6f 20 63 6f 6e 6e 65 63 74 } // w=2 "[x] Attempting to connect"
        $a_01_6  = {5b 78 5d 20 63 6f 70 79 69 6e 67 20 74 6f 20 73 79 73 74 65 6d 20 64 69 72 65 63 74 6f 72 79 } // w=2 "[x] copying to system directory"
        $a_01_7  = {5b 78 5d 20 66 69 6e 69 73 68 65 64 20 63 6f 70 79 69 6e 67 20 74 6f 20 73 79 73 74 65 6d 20 64 69 72 } // w=2 "[x] finished copying to system dir"
        $a_01_8  = {5b 78 5d 20 63 61 6e 6e 6f 74 20 63 6f 70 79 20 74 6f 20 73 79 73 74 65 6d 20 64 69 72 } // w=2 "[x] cannot copy to system dir"
        $a_01_9  = {5b 78 5d 20 63 61 6e 6e 6f 74 20 73 74 61 72 74 20 63 6f 70 69 65 64 20 66 69 6c 65 } // w=2 "[x] cannot start copied file"

        // --- IRC PRIVMSG status replies (update / download handling) ---
        $a_01_10 = {50 52 49 56 4d 53 47 20 25 73 20 3a 68 74 74 70 28 66 69 6c 65 29 20 64 6f 77 6e 6c 6f 61 64 69 6e 67 2e 2e 2e } // w=3 "PRIVMSG %s :http(file) downloading..."
        $a_01_11 = {50 52 49 56 4d 53 47 20 25 73 20 3a 68 74 74 70 28 66 69 6c 65 29 20 64 6f 77 6e 6c 6f 61 64 65 64 20 2d 3e 20 28 73 69 7a 65 3a 20 25 64 4b 42 29 2e } // w=3 "PRIVMSG %s :http(file) downloaded -> (size: %dKB)."
        $a_01_12 = {50 52 49 56 4d 53 47 20 25 73 20 3a 75 70 64 61 74 69 6e 67 2e 2e 2e } // w=3 "PRIVMSG %s :updating..."
        $a_01_13 = {50 52 49 56 4d 53 47 20 25 73 20 3a 66 69 6c 65 20 63 61 6e 6e 6f 74 20 62 65 20 65 78 65 63 75 74 65 64 2e } // w=3 "PRIVMSG %s :file cannot be executed."
        $a_01_14 = {50 52 49 56 4d 53 47 20 25 73 20 3a 63 75 72 72 65 6e 74 20 66 69 6c 65 20 69 73 20 61 6c 72 65 61 64 79 20 75 70 64 61 74 65 64 2e } // w=3 "PRIVMSG %s :current file is already updated."
        $a_01_15 = {62 6f 74 63 61 73 68 } // w=2 "botcash"
        $a_01_16 = {50 52 49 56 4d 53 47 20 25 73 20 3a 6f 70 65 6e 65 64 20 66 69 6c 65 2e } // w=3 "PRIVMSG %s :opened file."
        $a_01_17 = {50 52 49 56 4d 53 47 20 25 73 20 3a 68 74 74 70 28 66 69 6c 65 29 20 63 61 6e 6e 6f 74 20 62 65 20 64 6f 77 6e 6c 6f 61 64 65 64 2e } // w=3 "PRIVMSG %s :http(file) cannot be downloaded."
        $a_01_18 = {50 52 49 56 4d 53 47 20 25 73 20 3a 41 63 63 65 70 74 65 64 2e } // w=2 "PRIVMSG %s :Accepted."
        $a_01_19 = {48 65 6c 6c 42 6f 74 } // w=2 "HellBot"

        // --- FTP server / transfer script fragments ---
        $a_01_20 = {32 32 30 20 53 74 6e 79 46 74 70 64 } // w=3 "220 StnyFtpd" (FTP greeting banner)
        $a_01_21 = {65 63 68 6f 20 6f 70 65 6e 20 25 73 20 25 64 20 3e } // w=2 "echo open %s %d >"
        $a_01_22 = {42 2d 4f 2d 54 2d 5a 2d 4f 2d 52 } // w=2 "B-O-T-Z-O-R"
        $a_01_23 = {25 64 4b 42 20 66 72 65 65 20 5b 2e 4f 53 2e 5d 3a 20 57 69 6e 64 6f 77 73 20 25 73 } // w=3 "%dKB free [.OS.]: Windows %s"

        // --- hosts-file style entries: vendor host <TAB>-separated after 127.0.0.1 ---
        // (0x09 is a tab; the layout matches a hosts-file line that redirects
        // security-vendor sites to localhost, a classic AV-blocking artefact.)
        $a_01_24 = {31 32 37 2e 30 2e 30 2e 31 09 73 65 63 75 72 69 74 79 72 65 73 70 6f 6e 73 65 2e 73 79 6d 61 6e 74 65 63 2e 63 6f 6d } // w=5 "127.0.0.1\tsecurityresponse.symantec.com"
        $a_01_25 = {31 32 37 2e 30 2e 30 2e 31 09 77 77 77 2e 6d 63 61 66 65 65 2e 63 6f 6d } // w=5 "127.0.0.1\twww.mcafee.com"

        // --- x86 code fragments ---
        // cdq / mov ecx,0x15180 / idiv ecx / mov eax,edx, repeated with 0xE10 and
        // then 0x3C (86400, 3600, 60): presumably converts seconds to
        // days/hours/minutes for an uptime report.
        $a_01_26 = {99 b9 80 51 01 00 f7 f9 8b c2 99 b9 10 0e 00 00 f7 f9 8b c2 99 b9 3c } // w=5
        // mov [ebp-0x39C],eax; push 4; lea ecx,[ebp-0x478]; push ecx; push 4;
        // push 0xFFFF; mov edx,[ebp-0x39C] -- argument setup for a call (unverified)
        $a_01_27 = {89 85 64 fc ff ff 6a 04 8d 8d 88 fb ff ff 51 6a 04 68 ff ff 00 00 8b 95 64 fc ff ff } // w=5
        // add esp,8; test eax,eax; jnz short; push 0; push 0x16; push imm32 (truncated)
        $a_01_28 = {83 c4 08 85 c0 75 1a 6a 00 6a 16 68 } // w=5
        $a_01_29 = {25 2a 73 20 25 5b 5e 2c 5d 2c 25 5b 5e 2c 5d 2c 25 5b 5e 2c } // w=3 "%*s %[^,],%[^,],%[^," (scanf-style format)
        // and eax,0x10; test eax,eax; jnz short; mov ecx,[ebp-4]; push ecx; push 1;
        // push 0x400; lea edx,[ebp-0x508]; push edx; call dword ptr [...] (truncated)
        $a_01_30 = {83 e0 10 85 c0 75 3f 8b 4d fc 51 6a 01 68 00 04 00 00 8d 95 f8 fa ff ff 52 ff 15 } // w=3
        $a_01_31 = {26 65 63 68 6f 20 62 69 6e 61 72 79 20 3e 3e } // w=2 "&echo binary >>"
        $a_01_32 = {32 32 36 20 54 72 61 6e 73 66 65 72 20 63 6f 6d 70 6c 65 74 65 } // w=1 "226 Transfer complete" (FTP reply)
        $a_01_33 = {50 52 49 56 4d 53 47 20 25 73 20 3a 2f 2f 20 2d 3d 50 4e 50 34 34 35 3d 2d } // w=4 "PRIVMSG %s :// -=PNP445=-"
        // tail of an imm32; push 0; push 0x1000; lea edx,[ebp+disp32] (truncated)
        $a_01_34 = {01 00 00 6a 00 68 00 10 00 00 8d 95 } // w=1
        // ASCII tokens "1400", "1402", "1405", "1406", each null-padded to 8 bytes
        $a_01_35 = {31 34 30 30 00 00 00 00 31 34 30 32 00 00 00 00 31 34 30 35 00 00 00 00 31 34 30 36 } // w=4
        $a_01_36 = {65 78 70 6c 6f 72 65 72 20 25 73 } // w=1 "explorer %s"
        $a_01_37 = {50 43 20 4e 45 54 57 4f 52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30 } // w=1 "PC NETWORK PROGRAM 1.0" (SMB dialect string)
        // Decoded correctly here: "NICK %s\r\nUSER %s" (IRC registration); the
        // upstream comment showed this as CJK glyphs because the ASCII bytes were
        // rendered as UTF-16.
        $a_01_38 = {4e 49 43 4b 20 25 73 0d 0a 55 53 45 52 20 25 73 } // w=3 "NICK %s\r\nUSER %s"

    condition:
        // Weighted presence score: "#x & 1" clips each count to 0/1 so a string
        // contributes its weight at most once, regardless of repetitions.
        (
            (#a_01_0  & 1)*1 + (#a_01_1  & 1)*1 + (#a_01_2  & 1)*2 + (#a_01_3  & 1)*2 +
            (#a_01_4  & 1)*2 + (#a_01_5  & 1)*2 + (#a_01_6  & 1)*2 + (#a_01_7  & 1)*2 +
            (#a_01_8  & 1)*2 + (#a_01_9  & 1)*2 + (#a_01_10 & 1)*3 + (#a_01_11 & 1)*3 +
            (#a_01_12 & 1)*3 + (#a_01_13 & 1)*3 + (#a_01_14 & 1)*3 + (#a_01_15 & 1)*2 +
            (#a_01_16 & 1)*3 + (#a_01_17 & 1)*3 + (#a_01_18 & 1)*2 + (#a_01_19 & 1)*2 +
            (#a_01_20 & 1)*3 + (#a_01_21 & 1)*2 + (#a_01_22 & 1)*2 + (#a_01_23 & 1)*3 +
            (#a_01_24 & 1)*5 + (#a_01_25 & 1)*5 + (#a_01_26 & 1)*5 + (#a_01_27 & 1)*5 +
            (#a_01_28 & 1)*5 + (#a_01_29 & 1)*3 + (#a_01_30 & 1)*3 + (#a_01_31 & 1)*2 +
            (#a_01_32 & 1)*1 + (#a_01_33 & 1)*4 + (#a_01_34 & 1)*1 + (#a_01_35 & 1)*4 +
            (#a_01_36 & 1)*1 + (#a_01_37 & 1)*1 + (#a_01_38 & 1)*3
        ) >= 16
}
rule Worm_Win32_Mytob_2
{
    meta:
        // PEHSTR_EXT record: header words 0x0001 / 0x0001 / 0x0001 -- a single
        // string, and the condition fires when it is present once.
        description = "Worm:Win32/Mytob,SIGNATURE_TYPE_PEHSTR_EXT,01 00 01 00 01 00 00 "

    strings:
        // Decoded ASCII tokens, in order:
        //   "MyRealName" / "NTShell Taskman Startup Mutex" / "\taskmgr.exe" /
        //   "user32.dll" / "Progman" / "Program Manager" / "OUTPOST"
        // Each token is separated by the byte triple 90 02 10 and the pattern ends
        // with 90 00. NOTE(review): those triples look like unconverted gap/jump
        // markers from the PEHSTR_EXT encoding rather than literal bytes; as
        // written, YARA requires them to occur verbatim in the file, so this rule
        // is unlikely to match real samples until the markers are translated into
        // YARA jumps -- confirm against the encoding before relying on it.
        $a_02_0 = {4d 79 52 65 61 6c 4e 61 6d 65 90 02 10 4e 54 53 68 65 6c 6c 20 54 61 73 6b 6d 61 6e 20 53 74 61 72 74 75 70 20 4d 75 74 65 78 90 02 10 5c 74 61 73 6b 6d 67 72 2e 65 78 65 90 02 10 75 73 65 72 33 32 2e 64 6c 6c 90 02 10 50 72 6f 67 6d 61 6e 90 02 10 50 72 6f 67 72 61 6d 20 4d 61 6e 61 67 65 72 90 02 10 4f 55 54 50 4f 53 54 90 00 } // w=1

    condition:
        // Single weighted string; "& 1" clips the count to 0/1, threshold is 1.
        ((#a_02_0 & 1)*1) >= 1
}