DefenderYara/Worm/Win32/Fasong/Worm_Win32_Fasong_I.yar


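// Worm:Win32/Fasong.I — converted from a Microsoft Defender PEHSTR_EXT
// signature. PEHSTR_EXT signatures are string/byte-pattern matches
// applied to PE files; the trailing "01 00" comment on each string is
// the per-string weight carried over from the Defender signature.
//
// Fix relative to the raw conversion: the two "_03_" patterns carried
// Defender's wildcard encoding verbatim ("90 01 NN" = skip NN bytes,
// "90 00" = end of pattern). In YARA those bytes are literal, so the
// original patterns required an actual 0x90 0x01 0x04 / 0x90 0x00 byte
// sequence and would effectively never match. They are expressed here
// with YARA jumps ("[4]", "[9]") and the terminator dropped.
rule Worm_Win32_Fasong_I
{
    meta:
        description = "Worm:Win32/Fasong.I,SIGNATURE_TYPE_PEHSTR_EXT,11 00 0f 00 08 00 00 0a 00 "

    strings:
        // x86 code fragment: cmp eax,3 / jne / mov edx,esi / mov eax,[ebp-4] /
        // call <rel32 wildcarded> / inc ebx / cmp ebx,0x57 / jne (backward loop).
        $a_03_0 = { 83 f8 03 75 0a 8b d6 8b 45 fc e8 [4] 43 83 fb 57 75 c3 } //01 00

        // "autorun.inf" followed within 9 bytes by "[autorun]" — removable-media
        // autorun spreading artifact. Note this also appears in benign installers.
        $a_03_1 = { 61 75 74 6f 72 75 6e 2e 69 6e 66 [9] 5b 61 75 74 6f 72 75 6e 5d } //01 00

        // "svrapi.dll\0\0NetShareAdd\0" — import strings for creating a network share.
        // Legitimate software can import this API; on its own it is a weak indicator.
        $a_01_2 = { 73 76 72 61 70 69 2e 64 6c 6c 00 00 4e 65 74 53 68 61 72 65 41 64 64 00 } //01 00

        // "\0kavsvcui.exe\0" — process name (presumably a security-product UI
        // process the worm targets; confirm against sample analysis).
        $a_01_3 = { 00 6b 61 76 73 76 63 75 69 2e 65 78 65 00 } //01 00

        // "\0passwordguard.exe\0" — process name.
        $a_01_4 = { 00 70 61 73 73 77 6f 72 64 67 75 61 72 64 2e 65 78 65 00 } //01 00

        // "\0fasong_youxiang\0" — pinyin, roughly "send_mailbox"; source of the
        // family name.
        $a_01_5 = { 00 66 61 73 6f 6e 67 5f 79 6f 75 78 69 61 6e 67 00 } //01 00

        // "\0smtp_fuwuqi\0" — pinyin, roughly "smtp_server".
        $a_01_6 = { 00 73 6d 74 70 5f 66 75 77 75 71 69 00 } //01 00

        // "\0qqpass7\0"
        $a_01_7 = { 00 71 71 70 61 73 73 37 00 } //00 00

    condition:
        // Restrict to PE files (MZ header), matching the PEHSTR_EXT signature
        // type; the raw conversion had no file-type guard at all.
        //
        // NOTE(review): "any of" is loose — $a_03_1 and $a_01_2 in isolation
        // will hit benign software. The Defender header in the description
        // likely encodes a score threshold across the weighted strings, but
        // its layout could not be confirmed from this file, so the original
        // "any of" is kept rather than guessing a threshold. Consider
        // "2 of ($a_*)" or requiring one of the family-specific strings
        // ($a_01_5, $a_01_6, $a_01_7) once validated against samples.
        uint16(0) == 0x5A4D and any of ($a_*)
}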