
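rule Worm_Win32_VB_CB
{
    // Detection for Worm:Win32/VB.CB, converted from a Microsoft Defender
    // SIGNATURE_TYPE_PEHSTR_EXT entry. In the source format every string carries a
    // 16-bit little-endian weight (the `//XX 00` trailer on each line: 0x64 = 100,
    // 0x0a = 10, 0x05 = 5, 0x01 = 1, 0x00 = 0) and the sample matches when the
    // summed weights of the strings found reach a threshold encoded in the
    // description header. That threshold is not decoded here, so the condition
    // below approximates the weighting with tiers instead of reproducing it.
    //
    // Why not `any of ($a_*)`: several strings (the VB6 runtime DLL name, common
    // Win32 API imports, the CurrentVersion\Run key) occur in a very large number
    // of benign executables; an OR over all strings would flag essentially every
    // VB6 program and has no detection value on its own.
    meta:
        description = "Worm:Win32/VB.CB,SIGNATURE_TYPE_PEHSTR_EXT,ffffffe4 00 ffffffe2 00 0e 00 00 64 00 "

    strings:
        // Generic VB6 runtime / API artifacts (high source weight, but present in
        // countless legitimate binaries; corroborating only).
        $a_01_0 = {4d 53 56 42 56 4d 36 30 2e 44 4c 4c } //64 00 MSVBVM60.DLL
        $a_01_1 = {44 6c 6c 46 75 6e 63 74 69 6f 6e 43 61 6c 6c } //0a 00 DllFunctionCall

        // Family-specific artifacts: VB project path, author self-identification,
        // a download URL, two Vietnamese dialog messages naming "Worm DungCoi", and
        // an internal name. Any one of these is distinctive enough to match alone.
        $a_00_2 = {5c 00 53 00 6f 00 75 00 72 00 63 00 65 00 44 00 75 00 6e 00 67 00 63 00 6f 00 69 00 5c 00 44 00 75 00 6e 00 67 00 5f 00 44 00 61 00 6b 00 4e 00 6f 00 6e 00 67 00 2e 00 76 00 62 00 70 00 } //0a 00 \SourceDungcoi\Dung_DakNong.vbp
        $a_00_3 = {49 00 20 00 61 00 6d 00 20 00 44 00 75 00 6e 00 67 00 43 00 6f 00 69 00 20 00 62 00 79 00 20 00 44 00 75 00 6e 00 67 00 43 00 6f 00 69 00 44 00 61 00 6b 00 4e 00 6f 00 6e 00 67 00 } //0a 00 I am DungCoi by DungCoiDakNong
        $a_00_4 = {68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 64 00 75 00 6e 00 67 00 63 00 6f 00 69 00 76 00 62 00 2e 00 67 00 6f 00 6f 00 67 00 6c 00 65 00 70 00 61 00 67 00 65 00 73 00 2e 00 63 00 6f 00 6d 00 2f 00 4e 00 57 00 42 00 2e 00 74 00 78 00 74 00 } //0a 00 http://dungcoivb.googlepages.com/NWB.txt
        $a_00_5 = {43 00 68 00 75 00 63 00 20 00 6d 00 75 00 6e 00 67 00 2c 00 20 00 62 00 61 00 6e 00 20 00 64 00 61 00 20 00 74 00 61 00 6d 00 20 00 74 00 68 00 6f 00 69 00 20 00 74 00 68 00 6f 00 61 00 74 00 20 00 6b 00 68 00 6f 00 69 00 20 00 57 00 6f 00 72 00 6d 00 20 00 44 00 75 00 6e 00 67 00 43 00 6f 00 69 00 } //0a 00 Chuc mung, ban da tam thoi thoat khoi Worm DungCoi
        $a_00_6 = {4f 00 6c 00 61 00 6c 00 61 00 6c 00 61 00 2c 00 20 00 6d 00 61 00 79 00 20 00 74 00 69 00 6e 00 68 00 20 00 63 00 75 00 61 00 20 00 62 00 61 00 6e 00 20 00 64 00 61 00 20 00 64 00 69 00 6e 00 68 00 20 00 57 00 6f 00 72 00 6d 00 20 00 44 00 75 00 6e 00 67 00 43 00 6f 00 69 00 } //05 00 Olalala, may tinh cua ban da dinh Worm DungCoi
        $a_00_7 = {64 00 75 00 6e 00 67 00 63 00 6f 00 69 00 5f 00 76 00 62 00 } //05 00 dungcoi_vb

        // Yahoo Messenger-related strings (low source weight). These are weak on
        // their own: legitimate Messenger add-ons can contain the same text.
        $a_00_8 = {79 00 61 00 68 00 6f 00 6f 00 62 00 75 00 64 00 64 00 79 00 6d 00 61 00 69 00 6e 00 } //05 00 yahoobuddymain
        $a_00_9 = {79 00 6d 00 73 00 67 00 72 00 3a 00 73 00 65 00 6e 00 64 00 49 00 4d 00 3f 00 } //01 00 ymsgr:sendIM?

        // Generic API names and the per-user Run autostart key (weight 1 or 0 in
        // the source signature; $a_00_13 is zero-weighted there). Supporting only.
        $a_00_10 = {53 68 65 6c 6c 45 78 65 63 75 74 65 41 } //01 00 ShellExecuteA
        $a_01_11 = {43 72 65 61 74 65 54 6f 6f 6c 68 65 6c 70 33 32 53 6e 61 70 73 68 6f 74 } //01 00 CreateToolhelp32Snapshot
        $a_00_12 = {49 6e 74 65 72 6e 65 74 47 65 74 43 6f 6e 6e 65 63 74 65 64 53 74 61 74 65 45 78 } //01 00 InternetGetConnectedStateEx
        $a_00_13 = {53 00 6f 00 66 00 74 00 77 00 61 00 72 00 65 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 5c 00 52 00 75 00 6e 00 } //00 00 Software\Microsoft\Windows\CurrentVersion\Run

    condition:
        // Tier 1: a single family-unique artifact is decisive.
        1 of ($a_00_2, $a_00_3, $a_00_4, $a_00_5, $a_00_6, $a_00_7)
        or
        // Tier 2: no unique artifact, but the VB6 runtime, a Messenger-related
        // string and at least two supporting API / autostart strings co-occur.
        // NOTE(review): tier 2 is an approximation of the source weighting and
        // may still be broader than the original threshold — validate against a
        // clean VB6 corpus before deploying.
        (
            $a_01_0
            and ( $a_00_8 or $a_00_9 )
            and 2 of ($a_01_1, $a_00_10, $a_01_11, $a_00_12, $a_00_13)
        )
}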