15 lines
708 B
Plaintext
15 lines
708 B
Plaintext
|
|
rule Worm_Win32_Koobface_U{
|
|
meta:
|
|
description = "Worm:Win32/Koobface.U,SIGNATURE_TYPE_PEHSTR,05 00 05 00 05 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {26 63 72 63 3d 25 64 } //01 00
|
|
$a_01_1 = {26 63 5f 62 65 3d 25 64 26 63 5f 74 67 3d 25 64 26 63 5f 6e 6c 3d 25 64 26 69 65 64 65 66 3d 25 64 } //01 00
|
|
$a_01_2 = {26 63 5f 66 62 3d 25 64 26 63 5f 6d 73 3d 25 64 26 63 5f 68 69 3d 25 64 26 63 5f 74 77 3d 25 64 } //01 00
|
|
$a_01_3 = {43 4c 53 49 44 5c 7b 46 44 36 39 30 35 43 45 2d 39 35 32 46 2d 34 31 46 31 2d 39 41 36 46 2d 31 33 35 44 39 43 36 36 32 32 43 43 7d } //01 00
|
|
$a_01_4 = {68 74 74 70 5c 73 68 65 6c 6c 5c 6f 70 65 6e 5c 63 6f 6d 6d 61 6e 64 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |