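// Detection rule for the Gamarue worm family on Windows PE files. The
// description field carries a Microsoft-style detection name, the record type
// SIGNATURE_TYPE_PEHSTR_EXT and raw header bytes, which suggests the rule was
// machine-converted from an antivirus signature record.
//
// The listing this came from had a stray "|" gutter character between every
// line and after the closing brace; those are removed here so the rule parses.
//
// NOTE(review): the header bytes begin 03 00 03 00 04 00 and the rule has four
// strings, each followed by two trailing bytes. If those fields encode a match
// threshold and per-string weights, as the layout suggests, the source
// signature required several patterns together, while `any of` fires on a
// single one. Confirm against the converter before tightening the condition.
//
// Operational caveat: each pattern is only 14-17 bytes of generic 32-bit x86
// code. Treat a hit as a lead to corroborate (file type, other indicators),
// not as a verdict, and scope scans to PE files where possible.
rule Worm_Win32_Gamarue_AN{
    meta:
        description = "Worm:Win32/Gamarue.AN,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 04 00 00 01 00 "

    strings :
        // Decodes as: movsx ecx,cl / xor ecx,eax / rol ecx,9 / mov eax,ecx /
        // inc edx / mov cl,[edx] / test cl,cl / jnz (back). A rotate-and-xor
        // hash over a NUL-terminated string, a shape commonly seen in
        // import-by-hash resolution.
        $a_01_0 = {0f be c9 33 c8 c1 c1 09 8b c1 42 8a 0a 84 c9 75 ef } //01 00

        // Decodes as: mov eax,0xfffefdfc / std / stosd / sub eax,0x04040404 /
        // loop (back to stosd) / cld. Fills a buffer backwards with descending
        // byte values; the loop count in ECX is set outside the pattern.
        // Presumably an identity-table initialisation -- confirm on a sample.
        $a_01_1 = {b8 fc fd fe ff fd ab 2d 04 04 04 04 e2 f8 fc } //01 00

        // Decodes as: lodsb / mov cl,al / cmp al,0x0f / je / cmp word
        // [esi-1],0x20cd / jne / inc esi / lodsd. A byte scanner that
        // special-cases the value 0x0F and the two-byte sequence CD 20.
        $a_01_2 = {ac 8a c8 3c 0f 74 0f 66 81 7e ff cd 20 75 0a 46 ad } //01 00

        // Decodes as: mov eax,[ebp-4] / mov dword [ebp+eax-0x120],0x006c6c64.
        // Writes the bytes "dll\0" into a stack buffer at a computed offset.
        $a_01_3 = {8b 45 fc c7 84 05 e0 fe ff ff 64 6c 6c 00 } //00 00

    condition:
        // Fires when at least one of the four patterns is present anywhere in
        // the scanned data; no file-type or size constraint is applied.
        any of ($a_*)
}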