12 lines
724 B
Plaintext
12 lines
724 B
Plaintext
|
|
rule Worm_Win32_Nuwar_KA{
|
|
meta:
|
|
description = "Worm:Win32/Nuwar.KA,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 02 00 00 "
|
|
|
|
strings :
|
|
$a_02_0 = {55 8b ec 83 ec 90 02 f0 8b 45 90 01 01 8b 40 90 01 01 89 45 90 01 01 8b 45 90 01 01 8b 40 90 01 01 89 45 90 02 40 83 7d 90 01 01 00 75 90 90 00 90 02 50 c7 45 90 01 01 b9 79 37 9e 90 02 18 6a 34 58 99 90 02 28 69 c0 b9 79 37 9e 90 00 } //1
|
|
$a_02_1 = {c1 e8 05 8b 4d 90 01 01 c1 e1 02 33 c1 8b 4d 90 01 01 c1 e9 03 8b 55 90 01 01 c1 e2 04 33 ca 03 c1 8b 4d 90 01 01 33 4d 90 01 01 8b 55 90 01 01 83 e2 03 33 55 90 01 01 8b 75 90 01 01 8b 14 96 33 55 90 01 01 03 ca 33 c1 8b 4d 90 02 48 e9 90 01 01 ff ff ff 90 00 } //2
|
|
condition:
|
|
((#a_02_0 & 1)*1+(#a_02_1 & 1)*2) >=3
|
|
|
|
} |