DefenderYara/Worm/Win32/Ambler/Worm_Win32_Ambler_A.yar


// Worm:Win32/Ambler.A — mechanically converted from a Microsoft Defender
// SIGNATURE_TYPE_PEHSTR_EXT signature. The raw signature header is kept in the
// description string ("0c 00 0a 00 12 00 00 05 00"): 0x12 = 18 equals the number of
// $a_* strings below, so the remaining fields are presumably the original match
// thresholds/first weight — confirm against the converter before relying on them.
//
// Review notes:
//  - The trailing "//NN 00" comment on each string looks like the per-string weight
//    carried over from the original signature (TODO confirm). The condition below is
//    a plain "any of", so those weights are NOT applied: one short, generic token
//    such as $a_01_10 ("LOADXML"), $a_01_11 ("HOSTADD") or $a_01_16 ("KILLWIN") is
//    enough to fire. Treat hits on a single $a_01_* string as low-confidence and
//    expect false positives unless the condition is tightened to a weighted or
//    multi-string match.
//  - In the $a_03_* patterns the "90 01 NN ... 90 00" byte runs appear to be the
//    signature's wildcard encoding (NN wildcard bytes, 90 00 terminator) rather than
//    literal opcodes — TODO confirm; if so they must be translated to YARA jumps
//    ([NN]) before this rule matches real binaries.
rule Worm_Win32_Ambler_A{
meta:
description = "Worm:Win32/Ambler.A,SIGNATURE_TYPE_PEHSTR_EXT,0c 00 0a 00 12 00 00 05 00 "
strings :
// --- Code patterns (type 03) ---
// x86 byte-XOR loop: xor byte ptr [ecx-1]/[ecx]/[ecx+1] with immediates, add ecx,3 /
// add edx,3, lea ebx,[edi+ecx], cmp ebx,eax, jb back — presumably a string/buffer
// decoder.
$a_03_0 = {2b fe 80 71 ff 90 01 01 80 31 90 01 01 80 71 01 90 01 01 83 c1 03 83 c2 03 8d 1c 0f 3b d8 72 e8 90 00 } //05 00
// mov dword ptr [global],0x300; call [import]; mov eax,imm; test ecx,ecx; then
// push 0x10 / push eax / push imm; call; add esp,0xc (three cdecl args); call [import].
$a_03_1 = {84 00 00 00 c7 05 90 01 04 00 03 00 00 ff 15 90 01 04 b8 90 01 04 8b c8 85 c9 74 10 6a 10 50 68 90 01 04 e8 90 01 04 83 c4 0c 90 01 01 ff 15 90 01 04 eb 90 00 } //05 00
// push 2; writes 'M','Z' (4d 5a) to [esi],[esi+1]; then xor byte ptr [eax+esi],imm /
// inc eax / cmp eax,edi / jb loop — presumably reconstructing an embedded PE image.
$a_03_2 = {6a 02 c6 06 4d 58 c6 46 01 5a 3b f8 76 09 80 34 30 90 01 01 40 3b c7 72 f7 90 00 } //02 00
// --- Plain ASCII strings (type 01); decoded text noted on each line ---
// "**FORM**%s"
$a_01_3 = {2a 2a 46 4f 52 4d 2a 2a 25 73 } //02 00
// name="securityKey%d"
$a_01_4 = {6e 61 6d 65 3d 22 73 65 63 75 72 69 74 79 4b 65 79 25 64 22 } //02 00
// id="securityKey%dAns"
$a_01_5 = {69 64 3d 22 73 65 63 75 72 69 74 79 4b 65 79 25 64 41 6e 73 22 } //02 00
// "%s=KEYLOGGED:%s KEYSREAD:%s"
$a_01_6 = {25 73 3d 4b 45 59 4c 4f 47 47 45 44 3a 25 73 20 4b 45 59 53 52 45 41 44 3a 25 73 } //02 00
// "%s=KEYSREAD:%s"
$a_01_7 = {25 73 3d 4b 45 59 53 52 45 41 44 3a 25 73 } //01 00
// "&kav;"
$a_01_8 = {26 6b 61 76 3b } //01 00
// "logwords"
$a_01_9 = {6c 6f 67 77 6f 72 64 73 } //01 00
// "LOADXML" — short and generic; weak on its own
$a_01_10 = {4c 4f 41 44 58 4d 4c } //01 00
// "HOSTADD" — short and generic; weak on its own
$a_01_11 = {48 4f 53 54 41 44 44 } //01 00
// "DELETESELF"
$a_01_12 = {44 45 4c 45 54 45 53 45 4c 46 } //01 00
// "DELETECOOKIES"
$a_01_13 = {44 45 4c 45 54 45 43 4f 4f 4b 49 45 53 } //01 00
// "COPYBOFAKEYS"
$a_01_14 = {43 4f 50 59 42 4f 46 41 4b 45 59 53 } //01 00
// "DELETEBOFAKEYS"
$a_01_15 = {44 45 4c 45 54 45 42 4f 46 41 4b 45 59 53 } //01 00
// "KILLWIN" — short and generic; weak on its own
$a_01_16 = {4b 49 4c 4c 57 49 4e } //01 00
// "RESETGRABLIMITS"
$a_01_17 = {52 45 53 45 54 47 52 41 42 4c 49 4d 49 54 53 } //00 00
condition:
// Any single string is sufficient; the per-string weights above are not consulted.
any of ($a_*)
}