DefenderYara/Worm/Win32/Flewon/Worm_Win32_Flewon_B.yar


// Worm:Win32/Flewon.B — Microsoft Defender PEHSTR_EXT signature rendered as a YARA rule.
// Weighted-string rule: each $a_* string carries a weight (the //N comment after it)
// and the condition sums the weights of the strings that are present.
rule Worm_Win32_Flewon_B{
meta:
// The numbers after SIGNATURE_TYPE_PEHSTR_EXT appear to encode: 0x97 = 151 (the sum of
// all nine weights below), 0x8d = 141 (the threshold used in the condition) and 0x09 = 9
// (number of strings) — TODO confirm against the converter that emitted this file.
description = "Worm:Win32/Flewon.B,SIGNATURE_TYPE_PEHSTR_EXT,ffffff97 00 ffffff8d 00 09 00 00 "
strings :
// The 00/01 in the string names presumably reflects a Defender string type; YARA treats
// all of them alike as hex byte patterns. $a_00_0 is ASCII; every other string is
// UTF-16LE (each character followed by a 00 byte), i.e. the equivalent of a "wide" string.
// Weight 100 — VB6 runtime import string; this is the only string heavy enough to
// make the threshold reachable (see condition).
$a_00_0 = {6d 73 76 62 76 6d 36 30 2e 64 6c 6c 5c 33 } //100 msvbvm60.dll\3
// Weight 11 — COM ProgID for the scripting file-system object.
$a_00_1 = {53 00 63 00 72 00 69 00 70 00 74 00 69 00 6e 00 67 00 2e 00 46 00 69 00 6c 00 65 00 53 00 79 00 73 00 74 00 65 00 6d 00 4f 00 62 00 6a 00 65 00 63 00 74 00 } //11 Scripting.FileSystemObject
// Weight 10 — looks like a VB project (.vbp) path left in the binary by the build; presumably
// unique to this author's machine, which is what makes it a strong indicator.
$a_01_2 = {41 00 2a 00 5c 00 41 00 43 00 3a 00 5c 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 73 00 20 00 61 00 6e 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6e 00 67 00 73 00 5c 00 48 00 61 00 69 00 6c 00 75 00 59 00 61 00 2e 00 45 00 54 00 48 00 41 00 49 00 52 00 5c 00 44 00 65 00 73 00 6b 00 74 00 6f 00 70 00 5c 00 70 00 61 00 73 00 73 00 5c 00 61 00 73 00 74 00 65 00 72 00 69 00 65 00 2e 00 76 00 62 00 70 00 } //10 A*\AC:\Documents and Settings\HailuYa.ETHAIR\Desktop\pass\asterie.vbp
// Weight 5 each — file paths, a URL, an executable name, an e-mail address and a
// device-name-looking token found in the sample; individually weak, collectively decisive.
$a_00_3 = {43 00 3a 00 5c 00 70 00 75 00 74 00 6d 00 65 00 74 00 68 00 61 00 74 00 2e 00 74 00 78 00 74 00 } //5 C:\putmethat.txt
$a_00_4 = {68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 6d 00 61 00 69 00 6c 00 2e 00 6d 00 61 00 64 00 63 00 6f 00 66 00 66 00 65 00 65 00 2e 00 63 00 6f 00 6d 00 2f 00 69 00 6e 00 64 00 65 00 78 00 2e 00 70 00 68 00 70 00 } //5 http://mail.madcoffee.com/index.php
$a_00_5 = {62 00 74 00 74 00 6e 00 73 00 65 00 72 00 76 00 2e 00 65 00 78 00 65 00 } //5 bttnserv.exe
$a_01_6 = {3a 00 5c 00 4e 00 65 00 77 00 20 00 46 00 6f 00 6c 00 64 00 65 00 72 00 2e 00 65 00 78 00 65 00 } //5 :\New Folder.exe
$a_01_7 = {4f 00 70 00 65 00 72 00 61 00 74 00 69 00 6f 00 6e 00 44 00 65 00 66 00 65 00 63 00 68 00 61 00 40 00 79 00 61 00 68 00 6f 00 6f 00 2e 00 63 00 6f 00 6d 00 } //5 OperationDefecha@yahoo.com
$a_01_8 = {43 00 50 00 51 00 45 00 41 00 53 00 59 00 42 00 54 00 54 00 4e 00 } //5 CPQEASYBTTN
condition:
// Weighted sum of the matched strings against a threshold of 141 (0x8d in the meta field).
// NOTE(review): (#x & 1) is 1 only when x's match count is ODD, so a string that occurs an
// even number of times contributes 0; plain presence regardless of count would be ($x).
// This is the converter's convention and is kept as-is.
// Weights total 151. Without $a_00_0 (100) the other eight sum to only 51, so $a_00_0
// must match, and at most 10 points' worth of the remaining strings may be absent
// (e.g. $a_01_2 alone, or any two of the weight-5 strings); $a_00_1 (11) is effectively
// required as well.
((#a_00_0 & 1)*100+(#a_00_1 & 1)*11+(#a_01_2 & 1)*10+(#a_00_3 & 1)*5+(#a_00_4 & 1)*5+(#a_00_5 & 1)*5+(#a_01_6 & 1)*5+(#a_01_7 & 1)*5+(#a_01_8 & 1)*5) >=141
}