DefenderYara/Worm/Win32/Ainslot/Worm_Win32_Ainslot_AI.yar


// Matches one fixed run of UTF-16LE strings that the rule's metadata attributes to
// Worm:Win32/Ainslot.AI. The strings include a Base64-encoded registry autorun (Run key)
// path, so a hit points at a sample that carries that persistence path in encoded form.
// A hit shows only that the bytes are present in the scanned data; whether the Run key
// was actually written has to be checked on the host.
rule Worm_Win32_Ainslot_AI{
meta:
// Detection name and signature type, followed by raw byte values from the source
// signature. This file does not explain what those byte values mean.
description = "Worm:Win32/Ainslot.AI,SIGNATURE_TYPE_PEHSTR_EXT,01 00 01 00 01 00 00 01 00 "
strings :
// A single contiguous pattern. All text is UTF-16LE (each character followed by 00).
// In order:
//   1. "U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg=="
//      Base64 text; it decodes to Software, Microsoft, Windows, CurrentVersion, Run
//      joined by doubled backslashes, i.e. the Windows autorun key path.
//   2. 00 1f, then "XXX000YYY999ZZZ" (15 characters)
//   3. 00 03, then a single backslash character
//   4. 00 39, then "System.DirectoryServices.exe" (28 characters)
//   5. 00 31, then "System" (the pattern stops here, before that string ends)
// Each separator byte 1f/03/39/31 equals 2 * character count + 1 of the string that
// follows it (0x31 would mean 24 characters, of which only 6 are in the pattern).
// NOTE(review): that layout is consistent with length-prefixed entries of a .NET
// user-string (#US) heap - confirm against a sample.
// NOTE(review): "System.DirectoryServices.exe" resembles a .NET framework assembly
// name with an .exe extension; presumably a file name the sample uses - confirm.
// Because the strings are matched as one sequence, they must appear adjacent and in
// exactly this order; a build that lays them out differently will not match.
$a_01_0 = {55 00 32 00 39 00 6d 00 64 00 48 00 64 00 68 00 63 00 6d 00 56 00 63 00 58 00 45 00 31 00 70 00 59 00 33 00 4a 00 76 00 63 00 32 00 39 00 6d 00 64 00 46 00 78 00 63 00 56 00 32 00 6c 00 75 00 5a 00 47 00 39 00 33 00 63 00 31 00 78 00 63 00 51 00 33 00 56 00 79 00 63 00 6d 00 56 00 75 00 64 00 46 00 5a 00 6c 00 63 00 6e 00 4e 00 70 00 62 00 32 00 35 00 63 00 58 00 46 00 4a 00 31 00 62 00 67 00 3d 00 3d 00 00 1f 58 00 58 00 58 00 30 00 30 00 30 00 59 00 59 00 59 00 39 00 39 00 39 00 5a 00 5a 00 5a 00 00 03 5c 00 00 39 53 00 79 00 73 00 74 00 65 00 6d 00 2e 00 44 00 69 00 72 00 65 00 63 00 74 00 6f 00 72 00 79 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73 00 2e 00 65 00 78 00 65 00 00 31 53 00 79 00 73 00 74 00 65 00 6d 00 } //00 00
condition:
// Only one string is defined, so this is the same as requiring $a_01_0.
// The condition has no file-type or size constraint: any scanned data containing the
// byte sequence matches, including non-PE files and memory buffers.
any of ($a_*)
}