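/*
  Worm_Win32_Catchdens_A

  Machine-converted from a Microsoft Defender PEHSTR_EXT signature; the raw
  signature header is kept verbatim in meta.description.

  Review notes (confirm against the original signature before deploying):
    - The $a_03_* patterns in the converted listing carried the sequences
      `90 01 NN`, `90 02 NN` and a trailing `90 00` as literal bytes. These
      look like Defender's own wildcard escapes rather than code bytes: every
      one sits where an x86 operand (jump offset, stack displacement, absolute
      address) would vary between builds. They are rewritten here as YARA
      wildcards: `90 01 NN` -> NN unknown bytes, `90 02 NN` -> a jump of up
      to NN bytes, trailing `90 00` -> dropped. Left as literals, these four
      strings would be unlikely to match the intended code.
    - The header bytes `03 00 ... 07 00` appear to encode a threshold of 3
      over 7 sub-patterns, and the `//01 00` trailers in the listing look like
      per-pattern weights of 1. The condition is therefore `3 of`, not `any of`:
      a single 11-byte code fragment is too weak to flag a file on its own.
*/
rule Worm_Win32_Catchdens_A{
    meta:
        description = "Worm:Win32/Catchdens.A,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 07 00 00 01 00 "

    strings:
        // Literal byte sequences, unchanged from the converted listing.
        $a_01_0 = {80 38 2f 75 10 80 78 01 62 75 0a }
        $a_01_1 = {80 38 2f 75 22 8a 48 01 80 f9 62 75 1a 80 78 02 69 }
        $a_01_2 = {0f 00 45 f4 38 5d f4 74 09 38 5d f5 0f 85 }

        // Wildcarded sequences: Defender escapes translated to YARA syntax.
        $a_03_3 = {30 0c 30 fe c1 40 3b [0-2] 72 }
        $a_03_4 = {33 c9 a8 01 75 ?? d1 e8 41 83 f9 1a 7c f4 8b [0-6] eb 06 83 c1 41 }
        $a_03_5 = {0f b7 c8 a1 ?? ?? ?? ?? 33 d2 05 f8 00 00 00 66 39 08 74 12 42 40 40 83 fa 08 7c f3 }
        $a_03_6 = {6a 61 58 6a 75 66 89 45 ?? 58 6a 74 66 89 45 ?? 58 6a 6f 66 89 45 ?? 58 6a 72 }

    condition:
        // Threshold taken from the signature header (hedged above); the
        // converted listing used `any of ($a_*)`.
        3 of ($a_*)
}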