17 lines
1.0 KiB
Plaintext
17 lines
1.0 KiB
Plaintext
|
|
rule Worm_Win32_Pushbot_gen_E{
|
|
meta:
|
|
description = "Worm:Win32/Pushbot.gen!E,SIGNATURE_TYPE_PEHSTR_EXT,0b 00 0a 00 07 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_00_0 = {20 4d 65 73 73 61 67 65 20 73 65 6e 74 20 74 6f 3a 20 25 64 20 43 6f 6e 74 61 63 74 73 2e } //01 00
|
|
$a_00_1 = {20 6d 65 73 73 61 67 65 20 73 65 6e 74 20 74 6f 20 25 64 20 6c 6f 73 65 72 73 2e } //01 00
|
|
$a_00_2 = {49 20 74 72 69 65 64 20 74 6f 20 66 6f 6f 6c 20 25 64 20 6d 6f 72 6f 6e 73 2e } //0a 00
|
|
$a_03_3 = {83 f8 01 7e 25 50 a1 90 01 04 69 c0 90 01 01 01 00 00 90 03 08 08 05 90 01 04 68 90 01 04 68 90 01 04 05 90 01 04 50 ff b5 90 01 02 ff ff e8 90 00 } //0a 00
|
|
$a_03_4 = {83 f8 01 7e 1d 50 68 90 01 04 68 90 01 04 e8 90 01 04 59 50 ff 75 00 e8 90 00 } //0a 00
|
|
$a_03_5 = {69 c0 60 01 00 00 05 90 01 04 50 ff b5 90 01 02 ff ff e8 90 09 19 00 83 3d 90 01 04 01 7e 90 01 01 ff 35 90 01 04 68 90 01 04 a1 90 00 } //0a 00
|
|
$a_03_6 = {00 01 7e 1e ff 35 90 01 03 00 68 90 01 03 00 68 90 01 03 00 ff b5 90 01 02 ff ff e8 90 09 05 00 83 3d 90 00 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |