DefenderYara/VirTool/WinNT/Ghodow/VirTool_WinNT_Ghodow_A.yar


// Converted from a Microsoft Defender PEHSTR_EXT signature. The description
// string and the trailing "//xx xx" comments preserve the raw header bytes and
// per-string weight bytes of the source signature verbatim.
//
// NOTE(review): the header fields (03 00 ... 04 00, with four strings) and the
// weight comments look like a weighted-threshold signature (apparently a score
// of 3 across the four patterns), which `any of them` relaxes to a single hit.
// Confirm against the converter; as written, the plain-text path in $a_00_2 is
// sufficient on its own to trigger the rule.
rule VirTool_WinNT_Ghodow_A
{
    meta:
        description = "VirTool:WinNT/Ghodow.A,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 04 00 00 02 00 "

    strings:
        // Type-03 pattern. Opens with cmp dword ptr [esi], 0x003F005C (UTF-16
        // "\?") and contains a rep movsb (f3 a4). NOTE(review): the "90 14" and
        // trailing "90 00" in this type-03 pattern may be unconverted
        // wildcard/jump markers rather than literal bytes — confirm.
        $a_03_0 = {81 3e 5c 00 3f 00 74 90 14 f3 a4 83 ef 02 80 3f 5c 74 05 c6 07 30 eb f3 90 00 } //01 00

        // Decodes as a scan loop comparing word ptr [edi] against 0x08C2 and
        // 0x10C2 (the opcodes of `ret 8` / `ret 0x10`), then lea/add on a
        // 0x450-byte structure and push 0x80.
        $a_01_1 = {66 81 3f c2 08 74 07 66 81 3f c2 10 75 ec 80 7f 02 00 75 e6 8d 59 50 81 c1 50 04 00 00 68 80 00 00 00 } //01 00

        // UTF-16LE, null-terminated text: "\C:\Program files\MSDN\000000000".
        // Equivalent to a `wide` text string; it is a plain artifact path, not code.
        $a_00_2 = {5c 00 43 00 3a 00 5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 20 00 66 00 69 00 6c 00 65 00 73 00 5c 00 4d 00 53 00 44 00 4e 00 5c 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 00 00 } //01 00

        // Decodes as cmp dword ptr [ecx], 0xC000001D followed by adding 2 to the
        // dword at [ecx+0xB8] where ecx = [ebp+0x10]. NOTE(review): this is
        // consistent with an exception handler that skips a faulting
        // instruction (0xC000001D = STATUS_ILLEGAL_INSTRUCTION; 0xB8 is the
        // x86 CONTEXT.Eip offset) — interpretation, not verified.
        $a_01_3 = {81 39 1d 00 00 c0 75 15 90 8b 4d 10 8b 91 b8 00 00 00 83 c2 02 89 91 b8 00 00 00 eb } //00 00

    condition:
        // Every string is named $a_*, so this is the same set as `any of ($a_*)`.
        any of them
}