13 lines
730 B
Plaintext
13 lines
730 B
Plaintext
|
|
rule Worm_Win32_Tipax_A{
|
|
meta:
|
|
description = "Worm:Win32/Tipax.A,SIGNATURE_TYPE_PEHSTR_EXT,0b 00 0b 00 03 00 00 0a 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {6f 72 6c 61 6e 64 5c 44 65 6c 70 68 69 5c 52 54 4c } //01 00
|
|
$a_00_1 = {33 45 45 35 34 39 46 31 42 32 41 30 34 32 33 45 46 35 39 34 33 45 38 32 44 46 31 31 44 35 33 35 43 38 45 30 37 41 39 34 30 42 38 32 35 33 44 44 34 36 42 45 43 45 33 36 36 43 45 46 43 30 41 41 39 46 32 30 36 42 39 36 30 35 37 35 35 43 43 37 39 44 35 37 45 32 33 33 44 38 38 44 35 30 } //01 00
|
|
$a_00_2 = {31 31 31 37 39 35 38 41 32 46 38 31 45 38 45 30 34 43 32 30 37 36 38 45 34 34 46 38 41 30 32 38 44 44 39 35 35 31 44 30 32 46 32 32 43 31 44 37 32 38 39 43 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |