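// Worm:Win32/Vobfus.AW -- YARA rendering of a Microsoft Defender PEHSTR_EXT
// signature (see meta.description, which keeps the raw signature header).
//
// Changes from the mechanically converted form:
//   * The type-03 sub-patterns carried Defender's own escape sequences as
//     literal bytes: "90 01 NN" (skip exactly NN bytes), "90 02 NN" (skip up
//     to NN bytes) and a trailing "90 00" end marker. YARA would match those
//     bytes literally, so the patterns could not hit the operands they were
//     meant to skip. They are rewritten as YARA wildcards (??) and jumps
//     ([0-N]), and the end marker is dropped.
//   * The condition was "any of ($a_*)". $a_01_0 alone is a generic COM
//     interface ID, so that condition fires on unrelated software. The header
//     bytes "03 00 03 00 04 00" are read here as a threshold of 3 over 4
//     sub-patterns, each with weight 1, hence "3 of".
//
// NOTE(review): the escape translation follows the publicly described
// PEHSTR_EXT encoding; validate against known-good and known-bad samples
// before relying on this rule for detection or blocking.
rule Worm_Win32_Vobfus_AW{
	meta:
		description = "Worm:Win32/Vobfus.AW,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 04 00 00 01 00 "

	strings :
		// Little-endian GUID {000214EE-0000-0000-C000-000000000046}, the
		// IShellLinkA interface ID. Present in any program that creates or
		// reads .lnk shortcuts, so it is weak evidence on its own.
		$a_01_0 = {ee 14 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 }

		// Was: fixed opcodes separated by "90 01 NN" operand skips.
		$a_03_1 = {f3 e7 03 2b ?? ?? f4 01 2b ?? ?? 0b ?? 00 ?? ?? ?? ?? 23 ?? ?? 2a 23 ?? ?? 1b ?? 00 2a 23 ?? ?? 1b ?? 00 2a 23 ?? ?? 1b ?? 00 }

		// Contains the 32-bit constants 0x28 and 0x5c between skipped operands.
		$a_03_2 = {f5 28 00 00 00 0b ?? ?? ?? ?? 23 ?? ?? f5 5c 00 00 00 0b ?? ?? ?? ?? 23 ?? ?? 2a 23 ?? ?? 0b ?? ?? 00 00 23 ?? ?? 2a 23 ?? ?? 94 08 00 7c 00 2a }

		// "90 02 06" (up to six bytes) becomes the bounded jump [0-6].
		$a_03_3 = {07 08 00 04 00 52 [0-6] 1b ?? 00 1b ?? 00 2a 23 ?? ?? 1b ?? 00 2a fd ?? 08 ?? ?? ?? 2f }

	condition:
		// Require three of the four sub-patterns, matching the threshold in
		// the signature header instead of alerting on a single weak string.
		3 of ($a_*)
}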