25 lines
1.1 KiB
Plaintext
25 lines
1.1 KiB
Plaintext
|
|
rule Worm_Win32_Mywife{
|
|
meta:
|
|
description = "Worm:Win32/Mywife,SIGNATURE_TYPE_PEHSTR,0e 00 0b 00 0f 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {63 41 70 70 48 69 64 65 72 00 } //02 00
|
|
$a_01_1 = {53 70 72 65 61 64 5f 4e 65 74 77 6f 72 6b 00 } //02 00
|
|
$a_01_2 = {54 68 65 5f 42 65 67 69 6e 00 } //04 00
|
|
$a_01_3 = {57 4f 52 4d 5f 45 6e 67 69 6e } //04 00
|
|
$a_01_4 = {42 6c 61 63 6b 57 6f 72 6d 2e } //02 00
|
|
$a_01_5 = {74 69 6d 62 6f 6d 62 00 } //02 00
|
|
$a_01_6 = {32 00 41 00 44 00 30 00 30 00 45 00 44 00 36 00 } //01 00
|
|
$a_01_7 = {72 65 67 41 50 49 00 } //01 00
|
|
$a_01_8 = {43 4e 65 74 77 6f 72 6b 45 6e 75 6d 00 } //01 00
|
|
$a_01_9 = {42 6c 6f 63 6b 49 6e 70 75 74 00 } //01 00
|
|
$a_01_10 = {57 4e 65 74 45 6e 75 6d 52 65 73 6f 75 72 63 65 41 00 } //01 00
|
|
$a_01_11 = {48 69 64 65 41 70 70 6c 69 63 61 74 69 6f 6e } //01 00
|
|
$a_01_12 = {71 6c 28 fd f5 00 00 00 00 db 6c 2c fd f5 10 00 00 00 c4 f5 10 00 00 00 c7 c4 04 } //01 00
|
|
$a_01_13 = {6c 14 00 04 7a ff 6c 0c 00 0a } //01 00
|
|
$a_01_14 = {6c 28 00 f5 03 00 00 00 c7 6c 28 00 f5 04 00 00 00 c7 c5 1c } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |