DefenderYara/Worm/Win32/VB/Worm_Win32_VB_XFX.yar


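rule Worm_Win32_VB_XFX {
    // Converted from a Microsoft Defender PEHSTR signature (kept verbatim in
    // `description`). PEHSTR is a weighted string signature type: Defender sums
    // per-string weights against a threshold rather than firing on a single hit.
    // Those weights are not recoverable from this listing (the original `//01 00`
    // annotations are presumably the weights, but that is unverified), so the
    // condition below approximates the threshold with a minimum match count.
    meta:
        description = "Worm:Win32/VB.XFX,SIGNATURE_TYPE_PEHSTR,79 00 79 00 16 00 00 64 00 "

    strings:
        // Every pattern in the original signature was the UTF-16LE encoding of an
        // ASCII string; `wide` (without `ascii` or `nocase`) matches exactly those
        // bytes, so these text strings are byte-equivalent to the former hex strings.
        $a_01_0  = "D*\\AC:\\deny\\wayang.vbp" wide                    // VB project path left in the binary
        $a_01_1  = "Kujumpai pula sekelompok pemuda tunduk di rumah-Mu." wide
        $a_01_2  = "shutdown -r -f -t 0" wide                         // generic: forced reboot command
        $a_01_3  = "killbox.exe" wide                                 // generic: legitimate tool name
        $a_01_4  = "\\daLang MistiQ.exe" wide
        $a_01_5  = "\\Application Data\\SMA Negeri 4.exe" wide
        $a_01_6  = "wayangpaper" wide
        $a_01_7  = "Hanuman.exe" wide
        $a_01_8  = "\\w32 Wayang.exe" wide
        $a_01_9  = "Majnun was H3re.exe" wide
        $a_01_10 = "nakula sadewa\\svchost.exe" wide
        $a_01_11 = "*.doc" wide                                       // generic: common wildcard
        $a_01_12 = "killermachine.exe" wide
        $a_01_13 = "SCRNSAVE.EXE" wide                                // generic: Windows screensaver registry value
        $a_01_14 = "pcmav.exe" wide                                   // generic: legitimate AV product name
        $a_01_15 = "\\Application Data\\Kota P4hlawan.exe" wide
        $a_01_16 = "My Documents\\majnun.txt" wide
        $a_01_17 = "x-raypc.exe" wide
        $a_01_18 = "C:\\deny" wide
        $a_01_19 = "durjana\\csrss.exe" wide
        $a_01_20 = "durjana\\smss.exe" wide
        $a_01_21 = "durjana\\lsass.exe" wide

    condition:
        // The signature type is a PE string signature, so restrict to PE files
        // (MZ header). `any of ($a_*)` would fire on any benign binary containing
        // one of the generic strings flagged above; requiring several distinct
        // markers keeps the rule specific to this family. 3 is a conservative
        // starting point in lieu of the original weighted threshold — tune against
        // known samples before deployment.
        uint16(0) == 0x5A4D and 3 of ($a_*)
}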