DefenderYara/Worm/Win32/Gamarue/Worm_Win32_Gamarue_AU.yar


rule Worm_Win32_Gamarue_AU{
// Auto-converted from a Microsoft Defender PEHSTR_EXT signature (see the
// description header below). The header bytes "04 00 04 00 0f 00" precede
// 15 strings; "0f 00" equals the string count exactly, and "04 00" is
// presumably the original match threshold -- NOTE(review): confirm against
// the converter's format description before relying on it.
// The "//NN 00" trailer on each string is a per-string weight carried over
// from the original signature. Whether a trailer belongs to the string it
// follows or to the next one cannot be determined from this file alone
// (the description ends in "01 00" and the last string ends in "00 00",
// which reads like a first-weight / terminator layout).
meta:
description = "Worm:Win32/Gamarue.AU,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 0f 00 00 01 00 "
strings :
// x86: mov dword [ebp-4], 0x706e6800 (immediate bytes "\x00hnp").
$a_01_0 = {c7 45 fc 00 68 6e 70 } //01 00
// ASCII "5crs\x00". Five bytes -- weak on its own, see condition note.
$a_01_1 = {35 63 72 73 00 } //01 00
// ASCII "5tixe".
$a_01_2 = {35 74 69 78 65 } //01 00
// ASCII "5cjni".
$a_01_3 = {35 63 6a 6e 69 } //01 00
// x86: cmp ecx, 0x5041434b (immediate bytes "KCAP").
$a_01_4 = {81 f9 4b 43 41 50 } //01 00
// ASCII "5tsil".
$a_01_5 = {35 74 73 69 6c } //01 00
// ASCII, NUL-terminated. Name suggests a VM/sandbox check, not verifiable here.
$a_80_6 = {69 73 5f 6e 6f 74 5f 76 6d 00 } //is_not_vm 01 00
// ASCII "cdo%lu.dll\x00" -- printf-style DLL name template.
$a_80_7 = {63 64 6f 25 6c 75 2e 64 6c 6c 00 } //cdo%lu.dll 01 00
// ASCII "KB%08lu.exe\x00" -- printf-style EXE name template mimicking a hotfix name.
$a_80_8 = {4b 42 25 30 38 6c 75 2e 65 78 65 00 } //KB%08lu.exe 02 00
// x86: cdq; lodsb; mov cl,al; cmp al,0x0f; je +0x0f;
//      cmp word [esi-1],0x20cd; jne +0x0a; inc esi; lodsd
// (the 0x20cd word is the encoding of "int 0x20"; a byte-scan loop).
$a_01_9 = {99 ac 8a c8 3c 0f 74 0f 66 81 7e ff cd 20 75 0a 46 ad } //01 00
// x86: mov ecx,esi; sub ecx,ebx; lea eax,[edi+ebx]; mov ebx,[disp32] ...
//      sub ecx,5; mov byte [eax],0xe9; mov [eax+1],ecx  (writes a rel32 jmp).
// NOTE(review): "8b 1d" requires a 4-byte displacement, so the "90 02 08"
// that follows it cannot be literal code; it appears to be an un-translated
// Defender wildcard marker (presumably "skip up to 8 bytes", YARA "[0-8]"),
// and the trailing "90 00" a terminator. Taken literally, as YARA does here,
// this string is effectively dead. The same markers occur in $a_02_11..14.
// Confirm the converter's encoding before rewriting them as jumps.
$a_03_10 = {8b ce 2b cb 8d 04 1f 8b 1d 90 02 08 83 e9 05 c6 00 e9 89 48 01 90 00 } //01 00
// UTF-16LE fragments ":%lu" / "tid" / ":%lu" / "err" / ":%lu" / "w32" / ":%lu",
// separated by "90 02 04" markers (see note on $a_03_10). Looks like a
// status/report format string; field meaning not verifiable from this file.
$a_02_11 = {3a 00 25 00 6c 00 75 00 90 02 04 74 00 69 00 64 00 90 02 04 3a 00 25 00 6c 00 75 00 90 02 04 65 00 72 00 72 00 90 02 04 3a 00 25 00 6c 00 75 00 90 02 04 77 00 33 00 32 00 90 02 04 3a 00 25 00 6c 00 75 00 90 00 } //01 00
// ASCII counterpart of $a_02_11: ":%lu" "tid" ":%lu" "err" ":%lu" "w32" ":%lu".
$a_02_12 = {3a 25 6c 75 90 02 04 74 69 64 90 02 04 3a 25 6c 75 90 02 04 65 72 72 90 02 04 3a 25 6c 75 90 02 04 77 33 32 90 02 04 3a 25 6c 75 90 00 } //02 00
// UTF-16LE fragments ":%lu" / "bid" / ":%lu" / "os" / ":%lu" / "la" / ":%lu" / "rg" / ":%lu".
$a_02_13 = {3a 00 25 00 6c 00 75 00 90 02 04 62 00 69 00 64 00 90 02 04 3a 00 25 00 6c 00 75 00 90 02 04 6f 00 73 00 90 02 04 3a 00 25 00 6c 00 75 00 90 02 04 6c 00 61 00 90 02 04 3a 00 25 00 6c 00 75 00 90 02 04 72 00 67 00 90 02 04 3a 00 25 00 6c 00 75 00 90 00 } //02 00
// ASCII counterpart of $a_02_13. The "00 00" trailer is likely the list terminator, not a weight.
$a_02_14 = {3a 25 6c 75 90 02 04 62 69 64 90 02 04 3a 25 6c 75 90 02 04 6f 73 90 02 04 3a 25 6c 75 90 02 04 6c 61 90 02 04 3a 25 6c 75 90 02 04 72 67 90 02 04 3a 25 6c 75 90 00 } //00 00
condition:
// NOTE(review): "any of" fires on a single hit of any one string, including
// the 4-5 byte ASCII/x86 fragments above ($a_01_1..$a_01_5), so this is far
// looser than the weighted threshold the original signature header implies
// and is prone to false positives on unrelated binaries. Once the header
// semantics are confirmed, a count such as "4 of ($a_*)" -- or a weighted
// expression honouring the 02-weight strings -- would be closer to the source.
any of ($a_*)
}