17 lines
778 B
Plaintext
17 lines
778 B
Plaintext
|
|
rule Worm_Win32_Selfish{
|
|
meta:
|
|
description = "Worm:Win32/Selfish,SIGNATURE_TYPE_PEHSTR_EXT,0e 00 0d 00 07 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {ff 45 f8 66 c7 45 ec 08 00 6a 00 6a 00 6a 03 6a 00 6a 01 68 00 00 00 80 83 7d 08 00 74 05 8b 55 08 eb 05 ba } //01 00
|
|
$a_01_1 = {83 3d e0 95 4f 00 00 74 08 8b 15 e0 95 4f 00 eb 03 8d 57 1b 52 6a 00 e8 3f 3c 0e 00 } //01 00
|
|
$a_01_2 = {56 69 72 75 73 55 6e 69 74 00 } //03 00
|
|
$a_01_3 = {23 31 00 00 00 4d 5a 00 00 } //03 00
|
|
$a_01_4 = {49 4e 46 41 43 54 00 } //03 00
|
|
$a_01_5 = {57 48 45 52 45 20 64 61 74 65 3d 43 55 52 44 41 54 45 28 29 00 55 50 44 41 54 45 20 63 6f 6e 66 69 67 } //03 00
|
|
$a_01_6 = {28 73 69 74 65 69 64 2c 69 70 2c 64 61 74 65 29 20 56 41 4c 55 45 53 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |