DefenderYara/Worm/Win32/Phorpiex/Worm_Win32_Phorpiex_Q.yar


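// Detection for Worm:Win32/Phorpiex.Q, mechanically converted from a Microsoft
// Defender PEHSTR_EXT record.  The header bytes kept in `description`
// (05 00 05 00 06 00 ...) and the `//NN NN` trailer after each string are
// carried over from that record; they look like a match threshold / string
// count and per-string weights -- TODO confirm against the converter, the
// condition below does not reproduce weighted matching.
rule Worm_Win32_Phorpiex_Q
{
    meta:
        description = "Worm:Win32/Phorpiex.Q,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 06 00 00 01 00 "

    strings:
        // $a_03_*: x86 code fragments (push/lea/call sequences).  The embedded
        // `90 01 NN` and trailing `90 00` groups look like unconverted Defender
        // wildcard / terminator markers rather than literal opcodes; if that is
        // right, these strings will not match real code until they are
        // rewritten as YARA jumps (`[NN]`) -- verify before relying on them.
        $a_03_0 = { 68 80 00 00 00 8d 84 24 b4 00 00 00 50 6a 0c 8d 4c 24 20 51 68 00 14 2d 00 57 ff 15 90 01 04 85 c0 74 6b 8b 94 24 b8 00 00 00 8a 84 14 a8 00 00 00 8d 94 14 a8 00 00 00 90 00 } //01 00
        $a_03_1 = { 68 ff 03 00 00 8d 94 24 90 01 02 00 00 52 56 ff d3 85 c0 75 cc 8b 6c 24 14 56 8b 35 90 01 02 40 00 ff d6 55 ff d6 57 90 00 } //01 00
        $a_03_2 = { 51 6a 62 8d 54 24 90 01 01 52 55 ff d3 85 c0 74 90 01 01 57 90 90 83 7c 24 90 01 01 00 74 90 01 01 33 ff 80 7c 24 90 01 01 00 74 90 00 } //01 00

        // $a_01_*: plain ASCII, decoded here so reviewers need not re-hexdump.
        // NUL-separated "qemu", "virtual", "vmware", "\\.\PhysicalDrive0"
        // (names commonly associated with virtualization checks -- the bytes
        // alone do not show how the sample uses them).
        $a_01_3 = { 71 65 6d 75 00 00 00 00 76 69 72 74 75 61 6c 00 76 6d 77 61 72 65 00 00 5c 5c 2e 5c 50 68 79 73 69 63 61 6c 44 72 69 76 65 30 00 } //01 00
        // "SbieDll.dll", "SbieDllX.dll", "http://"
        $a_01_4 = { 53 62 69 65 44 6c 6c 2e 64 6c 6c 00 53 62 69 65 44 6c 6c 58 2e 64 6c 6c 00 00 00 00 68 74 74 70 3a 2f 2f } //01 00
        // "%s\%s.exe", "open"
        $a_01_5 = { 25 73 5c 25 73 2e 65 78 65 00 00 00 6f 70 65 6e 00 00 00 00 } //00 00

        // Removed from the rule body, kept here for traceability:
        //   $a_00_6 = { 7e 15 00 } //00 55
        // A 3-byte pattern (likely `jle +0x15` followed by 00) occurs in
        // arbitrary binaries often enough that the original `any of ($a_*)`
        // would fire on it alone, producing false positives.  Its trailer
        // comments (00 00 / 00 55) also differ from the 01 00 on the real
        // strings, which suggests a conversion artifact rather than a
        // signature string.  It is commented out rather than left defined
        // because YARA rejects a string that the condition never references.

    condition:
        // PEHSTR_EXT is a PE-file signature type, so anchor on the MZ header,
        // then keep the original "any of" over the remaining strings.
        uint16(0) == 0x5A4D and any of ($a_03_*, $a_01_*)
}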