DefenderYara/Worm/Win32/Shedewbot/Worm_Win32_Shedewbot_A.yar


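rule Worm_Win32_Shedewbot_A
{
    // Auto-converted from a Microsoft Defender PEHSTR_EXT signature. The
    // description header carries the original match threshold (05 00 = 5)
    // and the string count (08 00 = 8); the trailing "01 00" of the header
    // and the "//01 00" trailer on each string line are the per-string
    // weights, so all eight strings carry weight 1.
    meta:
        description = "Worm:Win32/Shedewbot.A,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 08 00 00 01 00 "

    strings:
        // IRC bot protocol strings.
        $a_01_0 = { 4e 49 43 4b 20 5b 25 73 5d 5b 25 69 48 5d 25 73 }   // "NICK [%s][%iH]%s"
        $a_01_1 = { 6e 65 77 6a 6f 69 6e 3a 20 25 73 }                  // "newjoin: %s"
        // "exe\0rar\0GET /" -- NUL-separated extension list followed by an HTTP verb.
        $a_01_2 = { 65 78 65 00 72 61 72 00 47 45 54 20 2f }
        // 16-byte-aligned table of process names:
        // "SERVICES.EXE", "WINLOGON.EXE", "hidserv.exe", "explorer.exe".
        $a_01_3 = { 53 45 52 56 49 43 45 53 2e 45 58 45 00 00 00 00
                    57 49 4e 4c 4f 47 4f 4e 2e 45 58 45 00 00 00 00
                    68 69 64 73 65 72 76 2e 65 78 65 00 00 00 00 00
                    65 78 70 6c 6f 72 65 72 2e 65 78 65 00 00 00 00 }
        // x86: jmp short +0x10; pop edx; dec edx; xor ecx,ecx; mov cx,0x7d; ...;
        // xor eax,eax; add eax,fs:[eax+0x30] -- fetches the PEB pointer.
        $a_01_4 = { eb 10 5a 4a 33 c9 66 b9 7d 00 00 00 33 c0 64 03 40 30 78 0c 8b }
        // x86: cdq; mov ecx,0x5a; idiv ecx; mov [ebp-8],edx; cmp [ebp-8],0x1e; jge ...;
        // cmp [ebp-4],0; je ...; cmp [ebp+0x10],1; jne ...; call -- i.e. (x % 90) < 30 check.
        $a_01_5 = { 99 b9 5a 00 00 00 f7 f9 89 55 f8 83 7d f8 1e 7d 26 83 7d fc 00 74 20 83 7d 10 01 75 1a e8 }
        // x86: add eax,1; mov [ebp-4],eax; mov eax,[ebp-4]; cmp eax,[ebp+8]; jge ...;
        // call rel32; cdq; mov ecx,0x1a; idiv ecx; add edx,0x61 -- a rand() % 26 + 'a'
        // random-lowercase-letter loop, which is generic code and not unique to this family.
        // The Defender pattern escape "90 01 04" (skip 4 bytes = the call's rel32) is
        // expressed as the YARA wildcard [4]; the "90 00" end-of-pattern marker is dropped.
        // Left as literal bytes, this string could never match real code.
        $a_03_6 = { 83 c0 01 89 45 fc 8b 45 fc 3b 45 08 7d 25 e8 [4] 99 b9 1a 00 00 00 f7 f9 83 c2 61 }
        // x86: add esp,8; mov [ebp+d8],eax; mov word [ebp+d8],0x8000; mov byte [ebp+d8],0x30;
        // mov byte [ebp+d8],0x14; mov eax,[ebp+0x14]. Each "90 01 01" escape (one unknown
        // disp8 byte) becomes [1]; the trailing "90 00" end marker is dropped.
        $a_03_7 = { 83 c4 08 89 45 [1] 66 c7 45 [1] 00 80 c6 45 [1] 30 c6 45 [1] 14 8b 45 14 }

    condition:
        // Defender fires when the summed string weights reach the header threshold:
        // 5 of the 8 weight-1 strings. The converter's "any of ($a_*)" would alert on a
        // single generic fragment such as $a_03_6 (random-letter loop) or $a_01_3
        // (a list of common Windows process names), so the threshold is restored here.
        // This is a PEHSTR (PE string) signature; prepend `uint16(0) == 0x5A4D and`
        // if a file-type gate is wanted when scanning arbitrary files.
        5 of ($a_*)
}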