DefenderYara/Worm/Win32/Hamweq/Worm_Win32_Hamweq_A.yar


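// Worm:Win32/Hamweq.A -- DefenderYara rendering of a Microsoft Defender
// SIGNATURE_TYPE_PEHSTR_EXT record (code/string patterns intended for PE files).
//
// Header "0a 00 0a 00 0c 00 00 06 00": 0x0a is the match threshold and 0x0c = 12
// is the string count. The "//NN 00" comment kept after each string comes from the
// source record; it is presumably the weight of the *following* string, with the
// header's "06 00" being the first string's weight -- TODO confirm against a
// weighted-condition rule in this repository before relying on it.
//
// Fix applied here: the $a_03_* strings carried Defender's wildcard escape bytes
// literally (90 01 NN = NN wildcard bytes, 90 02 NN = gap of up to NN bytes,
// 90 90 = a literal 0x90, 90 00 = end of string). As raw YARA hex they could only
// match the escape bytes themselves, so those five strings were effectively dead.
// Evidence inside this very rule: $a_01_6 has "ff 90 84 00 00 00" (call [eax+0x84])
// where $a_03_7 had "ff 90 90 84 00 00 00" -- the doubled 90 is the escape. They are
// now written with YARA "??" / "[0-N]" so they match the code they were cut from.
rule Worm_Win32_Hamweq_A
{
    meta:
        description = "Worm:Win32/Hamweq.A,SIGNATURE_TYPE_PEHSTR_EXT,0a 00 0a 00 0c 00 00 06 00 "

    strings:
        // XOR-decode loop: mov dl,[ecx+ebp]; xor [eax],dl; inc ebp; call edi;
        // cmp ebp,eax; jl back. "8b 4c 24 ??" = mov ecx,[esp+disp8] (disp8 was
        // 90 01 01); "43 [0-2] f6" was 43 90 02 02 f6 (short variable gap, [0-2]
        // is the permissive reading); the trailing 90 00 terminator is dropped.
        $a_03_0 = { 7e 15 8b 06 8b 4c 24 ?? 03 c3 51 8a 14 29 30 10 45 ff d7 3b e8 7c eb 8b 06 03 c3 43 [0-2] f6 } //04 00

        // Second XOR loop, unoptimised codegen: mov al,[eax+edx]; xor al,[ecx+esi];
        // reload of stack slots [ebp-4]/[ebp-10h]/[ebp-8]; mov [ecx+edx],al; jmp.
        $a_01_1 = { 8a 04 10 32 04 31 8b 4d fc 8b 49 08 8b 55 f0 8b 0c d1 8b 55 f8 88 04 11 eb } //06 00

        // ASCII: "Start flooding.\0" "Flooding done.\0\0" "udp\0" "syn\0" "fstop\0"
        // -- flood control strings; the strongest human-readable indicator here.
        $a_01_2 = { 53 74 61 72 74 20 66 6c 6f 6f 64 69 6e 67 2e 00 46 6c 6f 6f 64 69 6e 67 20 64 6f 6e 65 2e 00 00 75 64 70 00 73 79 6e 00 66 73 74 6f 70 00 } //03 00

        // push 1Ah; cdq; pop ecx; idiv ecx; add dl,61h; mov [esi+edi],dl; inc esi;
        // cmp esi,[esp+18h]; jbe -- value mod 26 plus 'a': builds a random
        // lowercase string. Short and compiler-generic, weak on its own.
        $a_01_3 = { 59 6a 1a 99 59 f7 f9 80 c2 61 88 14 3e 46 3b 74 24 18 76 } //02 00

        // Same mod-26 + 'a' construct, different register/stack layout.
        $a_01_4 = { 59 99 6a 1a 59 f7 f9 83 c2 61 8b 45 0c 03 45 f8 88 10 eb } //02 00

        // cmp al,'1'; je; cmp al,'2'; je; mov dword [ebp-4],1; jmp -- 16 bytes of
        // ordinary switch code; a false-positive risk if allowed to fire alone.
        $a_01_5 = { 3c 31 74 0d 3c 32 74 09 c7 45 fc 01 00 00 00 eb } //02 00

        // push 320h; call [eax+68h]; mov [ebp-1Ch],ax; push 12345678h;
        // call [eax+84h]; push 4000h -- indirect calls through a function-pointer
        // table; the 0x12345678 placeholder constant is the distinctive part.
        $a_01_6 = { 68 20 03 00 00 ff 50 68 66 89 45 e4 8b 06 68 78 56 34 12 ff 90 84 00 00 00 89 45 e8 8b 06 68 00 40 00 00 } //02 00

        // Same sequence with the table pointer reloaded from a stack slot
        // (8b 45 ?? 8b 00). Was: 8b 45 [90 01 01], 89 85 [90 01 04], ff [90 90] 84.
        $a_03_7 = { 68 20 03 00 00 8b 45 ?? 8b 00 ff 50 68 66 89 85 ?? ?? ?? ?? 68 78 56 34 12 8b 45 ?? 8b 00 ff 90 84 00 00 00 } //02 00

        // Two socket-creation call sites selected by jne: args (2,2,11h) then
        // call [eax+5Ch]; else args (1,0,0,0FFh,3,2) then call [eax+80h]; cmp eax,-1.
        // The constants match AF_INET/SOCK_DGRAM/IPPROTO_UDP and
        // AF_INET/SOCK_RAW/IPPROTO_RAW(+flags 1) -- consistent with the udp/syn
        // strings above; the callee is reached via a pointer table, so the API
        // names are an inference.
        $a_01_8 = { 75 0b 6a 11 6a 02 6a 02 ff 50 5c eb 13 6a 01 53 53 68 ff 00 00 00 6a 03 6a 02 ff 90 80 00 00 00 83 f8 ff 89 45 08 } //02 00

        // Same two call sites, table pointer reloaded from the stack.
        // Was: 8b 45 [90 01 01], 89 85 [90 01 04], ff [90 90] 80.
        $a_03_9 = { 75 16 6a 11 6a 02 6a 02 8b 45 ?? 8b 00 ff 50 5c 89 85 ?? ?? ?? ?? eb 20 6a 01 6a 00 6a 00 68 ff 00 00 00 6a 03 6a 02 8b 45 ?? 8b 00 ff 90 80 00 00 00 } //02 00

        // Raw-socket branch only. NOTE: this is a contiguous substring of $a_01_8,
        // so with "any of" $a_01_8 never adds discrimination beyond this one.
        $a_01_10 = { eb 13 6a 01 53 53 68 ff 00 00 00 6a 03 6a 02 ff 90 } //04 00

        // Command-byte dispatch: cmp al,'B'/'a'/'b' each followed by je rel32
        // (low two bytes wildcard, high two 00), then an indirect call and
        // cmp eax,2. Was: 0f 84 [90 01 02] 00 00, 8d 4d [90 01 01], ff 50 [90 01 01].
        $a_03_11 = { 3c 42 0f 84 ?? ?? 00 00 3c 61 0f 84 ?? ?? 00 00 3c 62 0f 84 ?? ?? 00 00 8b 06 8d 4d ?? 51 ff 50 ?? 83 f8 02 0f 85 } //00 00

    condition:
        // NOTE(review): the source record is threshold-weighted (0x0a with 12
        // strings), but "any of" fires on a single string, including the short
        // generic sequences $a_01_3/$a_01_4/$a_01_5. If the weight layout described
        // in the header comment is confirmed, the faithful form is
        //   ((#a_03_0 & 1)*6 + (#a_01_1 & 1)*4 + (#a_01_2 & 1)*6 + (#a_01_3 & 1)*3
        //    + (#a_01_4 & 1)*2 + (#a_01_5 & 1)*2 + (#a_01_6 & 1)*2 + (#a_03_7 & 1)*2
        //    + (#a_01_8 & 1)*2 + (#a_03_9 & 1)*2 + (#a_01_10 & 1)*2 + (#a_03_11 & 1)*4) >= 10
        // The PEHSTR type also implies PE scope; a "uint16(0) == 0x5A4D and" gate is
        // reasonable for file scans but would exclude memory dumps, so it is left out.
        any of ($a_*)
}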