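// Detects Worm:Win32/Metibh.A. The rule is a conversion of a Microsoft
// Defender PEHSTR_EXT signature; the raw signature header is preserved
// verbatim in meta.description.
//
// NOTE(review): the header bytes "06 00 06 00 ..." and the weight embedded
// in each string name ($a_<weight>_<index>) read as "six sub-patterns,
// score threshold 6, weights 3,3,1,1,1,1" -- confirm against the source
// signature. The previous condition, `any of ($a_*)`, ignored that score,
// so a single generic string such as "Watcher\0Sysinternals\0" was enough
// to flag a file.
rule Worm_Win32_Metibh_A{
    meta:
        description = "Worm:Win32/Metibh.A,SIGNATURE_TYPE_PEHSTR_EXT,06 00 06 00 06 00 00 03 00 "

    strings:
        // Weight 3. x86 code fragment built around three indirect calls
        // (ff 15 <imm32>). The source listing carried `90 01 NN` inside the
        // operand positions and `90 00` at the end; read literally those
        // bytes do not decode as instruction operands, so they are treated
        // here as "NN wildcard bytes" and "end of pattern" markers.
        // NOTE(review): wildcard reading inferred from the instruction
        // layout -- confirm against the original signature.
        $a_03_0 = {50 6a 00 6a 2a ff 15 ?? ?? ?? 01 8b f0 85 f6 0f 84 ?? ?? 00 00 8b ac 24 ?? ?? 00 00 55 ff 15 ?? ?? ?? 01 8b f8 6a 04 47 68 00 10 00 00 57 6a 00 56 ff 15 ?? ?? ?? 01 8b d8 85 db 75}

        // Weight 3. Loop that walks a byte from 0x63 ('c') to 0x7a ('z') and
        // calls a helper for each value -- presumably a drive-letter sweep.
        // Same wildcard / terminator handling as $a_03_0.
        $a_03_1 = {b3 63 8d 4c 24 04 88 5c 24 04 51 e8 ?? ?? ?? ff 83 c4 04 fe c3 80 fb 7a 7e e8 5b}

        // Weight 1. "woool.dat\0"
        $a_01_2 = {77 6f 6f 6f 6c 2e 64 61 74 00}

        // Weight 1. "Watcher\0Sysinternals\0" -- generic on its own; these
        // words also occur in benign software, so never alert on this alone.
        $a_01_3 = {57 61 74 63 68 65 72 00 53 79 73 69 6e 74 65 72 6e 61 6c 73 00}

        // Weight 1. "shellexecute=RunDll32.exe .\Thumbs.lnk,GetPic"
        // (autorun.inf-style launch line).
        $a_01_4 = {73 68 65 6c 6c 65 78 65 63 75 74 65 3d 52 75 6e 44 6c 6c 33 32 2e 65 78 65 20 2e 5c 54 68 75 6d 62 73 2e 6c 6e 6b 2c 47 65 74 50 69 63}

        // Weight 1. "GetPic\0InitNet\0NvStartup" (looks like an export-name
        // table; GetPic is the entry referenced by $a_01_4).
        $a_01_5 = {47 65 74 50 69 63 00 49 6e 69 74 4e 65 74 00 4e 76 53 74 61 72 74 75 70}

    condition:
        // Score >= 6 with weights 3,3,1,1,1,1 is reachable in exactly two
        // ways: both code patterns (3+3), or one code pattern plus at least
        // three of the four weight-1 strings (3+1+1+1). The weight-1 strings
        // alone top out at 4 and must not fire the rule.
        all of ($a_03_*) or
        (any of ($a_03_*) and 3 of ($a_01_*))
}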