19 lines
764 B
Plaintext
19 lines
764 B
Plaintext
|
|
rule Worm_Win32_Looked{
|
|
meta:
|
|
description = "Worm:Win32/Looked,SIGNATURE_TYPE_PEHSTR_EXT,ffffffb4 00 ffffffb4 00 09 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {52 61 76 4d 6f 6e 43 6c 61 73 73 00 } //02 00
|
|
$a_01_1 = {5a 41 46 72 61 6d 65 57 6e 64 00 } //02 00
|
|
$a_00_2 = {73 68 65 6c 6c 65 78 65 63 75 74 65 3d } //04 00
|
|
$a_01_3 = {00 3a 5c 41 75 74 6f 72 75 6e 2e 69 6e 66 00 } //64 00
|
|
$a_01_4 = {3c 69 66 72 61 6d 65 20 73 72 63 3d 68 74 74 70 3a } //06 00
|
|
$a_01_5 = {5c 69 70 63 24 00 } //06 00
|
|
$a_01_6 = {5c 61 64 6d 69 6e 24 00 } //1e 00
|
|
$a_00_7 = {57 4e 65 74 43 61 6e 63 65 6c 43 6f 6e 6e 65 63 74 69 6f 6e 32 41 } //1e 00
|
|
$a_01_8 = {57 4e 65 74 41 64 64 43 6f 6e 6e 65 63 74 69 6f 6e 32 41 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |