18 lines
1.3 KiB
Plaintext
18 lines
1.3 KiB
Plaintext
|
|
rule Worm_Win32_Citeary_B{
|
|
meta:
|
|
description = "Worm:Win32/Citeary.B,SIGNATURE_TYPE_PEHSTR_EXT,02 00 02 00 08 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {4d 6f 64 75 6c 65 41 6e 74 69 2e 64 6c 6c 00 45 78 70 6f 72 74 00 } //01 00
|
|
$a_01_1 = {4d 6f 64 75 65 44 6f 77 6e 2e 64 6c 6c 00 45 78 70 6f 72 74 00 } //01 00
|
|
$a_01_2 = {7d 16 8b 55 08 03 55 fc 0f be 02 33 45 14 8b 4d 0c 03 4d fc 88 01 eb d9 } //01 00
|
|
$a_03_3 = {ff d1 c6 85 90 01 04 5c c6 85 90 01 04 5c c6 85 90 01 04 2e c6 85 90 01 04 5c c6 85 90 01 04 49 c6 85 90 01 04 63 c6 85 90 01 04 79 c6 85 90 01 04 48 90 00 } //01 00
|
|
$a_03_4 = {ff d2 c6 45 90 01 01 73 c6 45 90 01 01 61 c6 45 90 01 01 66 c6 45 90 01 01 65 c6 45 90 01 01 6d c6 45 90 01 01 6f c6 45 90 01 01 6e 90 00 } //01 00
|
|
$a_03_5 = {ff 70 c6 85 90 01 02 ff ff 20 c6 85 90 01 02 ff ff 77 c6 85 90 01 02 ff ff 73 c6 85 90 01 02 ff ff 63 c6 85 90 01 02 ff ff 73 c6 85 90 01 02 ff ff 76 c6 85 90 01 02 ff ff 63 90 00 } //01 00
|
|
$a_01_6 = {c6 45 db 43 eb 08 8a 45 db 04 01 88 45 db 0f be 4d db 83 f9 5a 0f 8f } //01 00
|
|
$a_03_7 = {ff 5b c6 85 90 01 02 ff ff 41 c6 85 90 01 02 ff ff 75 c6 85 90 01 02 ff ff 74 c6 85 90 01 02 ff ff 6f c6 85 90 01 02 ff ff 52 c6 85 90 01 02 ff ff 75 c6 85 90 01 02 ff ff 6e 90 00 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |