DefenderYara/Worm/Win32/Pobtiz/Worm_Win32_Pobtiz.yar


// Worm:Win32/Pobtiz — a Microsoft Defender PEHSTR_EXT signature converted to YARA.
// The meta description preserves the raw signature header. "09 00" in that header
// matches the nine strings declared below. NOTE(review): the "0e 00" / "0d 00" fields
// are presumably the scoring threshold(s), and the "//xx xx" trailers on each string
// (0a 00 = 10, 01 00 = 1, 00 00 = 0) look like per-string weights — but whether a
// trailer belongs to the string before it or the one after it is not visible here;
// confirm against the converter before using them.
rule Worm_Win32_Pobtiz{
meta:
description = "Worm:Win32/Pobtiz,SIGNATURE_TYPE_PEHSTR_EXT,0e 00 0d 00 09 00 00 0a 00 "
strings :
// $a_03_*: code-byte patterns. $a_03_0 and $a_03_1 are the same short sequence
// (66 33 45 d0 / 0f bf .. / push / call / 8b d0 8d 4d ..) differing only in the call
// form (ff 15 = call through a pointer, e8 = direct call); $a_03_2 is unrelated
// opcode-like data. NOTE(review): the "90 01 NN" groups and the trailing "90 00"
// look like the signature format's own wildcard ("skip NN bytes") and end-of-pattern
// markers rather than literal bytes; if so, these three strings match almost nothing
// as written and each "90 01 NN" should be a "[NN]" jump with the "90 00" dropped —
// verify against the converter.
$a_03_0 = {66 33 45 d0 0f bf d0 52 ff 15 90 01 04 8b d0 8d 4d c8 ff 15 90 01 04 50 ff 15 90 01 04 8b d0 8d 4d d4 ff 15 90 00 } //0a 00
$a_03_1 = {66 33 45 d0 0f bf c0 50 e8 90 01 04 8b d0 8d 4d c8 e8 90 01 04 50 e8 90 01 04 8b d0 8d 4d d4 e8 90 00 } //0a 00
$a_03_2 = {6b 70 ff fb 12 e7 0b 90 01 01 00 04 00 23 44 ff 2a 31 74 ff 32 04 00 48 ff 44 ff 35 4c ff 00 0c 6b 70 ff f3 ff 00 c6 1c 90 01 02 00 07 f4 01 70 70 ff 1e 90 01 02 00 0b 6b 70 ff f4 01 a9 70 70 ff 00 0a 04 72 ff 64 6c 90 00 } //01 00
// $a_01_3..5: NUL-delimited narrow strings — "spred1", "tobeshore", "hideit".
$a_01_3 = {00 73 70 72 65 64 31 00 } //01 00
$a_01_4 = {00 74 6f 62 65 73 68 6f 72 65 00 } //01 00
$a_01_5 = {00 68 69 64 65 69 74 00 } //01 00
// $a_01_6: UTF-16LE "redownloading the aplication again" (sic) plus terminator.
$a_01_6 = {72 00 65 00 64 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 69 00 6e 00 67 00 20 00 74 00 68 00 65 00 20 00 61 00 70 00 6c 00 69 00 63 00 61 00 74 00 69 00 6f 00 6e 00 20 00 61 00 67 00 61 00 69 00 6e 00 00 00 } //01 00
// $a_01_7: UTF-16LE "\Ares\My Shared Folder\share\" — a P2P shared-folder path.
$a_01_7 = {5c 00 41 00 72 00 65 00 73 00 5c 00 4d 00 79 00 20 00 53 00 68 00 61 00 72 00 65 00 64 00 20 00 46 00 6f 00 6c 00 64 00 65 00 72 00 5c 00 73 00 68 00 61 00 72 00 65 00 5c 00 } //01 00
// $a_00_8: UTF-16LE "autorun.inf" bracketed by NUL terminators. This string is
// generic and also occurs in benign software.
$a_00_8 = {00 00 61 00 75 00 74 00 6f 00 72 00 75 00 6e 00 2e 00 69 00 6e 00 66 00 00 00 } //00 00
condition:
// NOTE(review): "any of" discards the weight trailers above — a single low-weight
// string such as $a_00_8 ("autorun.inf") or $a_01_5 ("hideit") is enough to fire,
// which is a false-positive risk on unrelated files. A weighted sum compared against
// the header threshold would be closer to the original signature's intent once the
// weight/threshold layout is confirmed.
any of ($a_*)
}