
/*
 * Worm_Win32_Vobfus_gen_A
 *
 * Mechanical conversion of the Microsoft Defender signature named in the
 * description ("Worm:Win32/Vobfus.gen!A", type SIGNATURE_TYPE_PEHSTR_EXT)
 * into a YARA rule. Nine hex patterns ($a_*_0 .. $a_*_8) are declared; the
 * "09 00" field in the description header matches that count, and the
 * trailing "//01 00" / "//00 00" comments after each string appear to be
 * per-string weights carried over from the Defender format.
 *
 * NOTE(review): the strings named $a_03_* still carry what look like raw
 * Defender wildcard opcodes rather than YARA wildcard syntax: every $a_03_*
 * string ends in "90 00", and "90 01 NN" appears to mean NN wildcard bytes.
 * Two in-file comparisons support this reading:
 *   - $a_03_0 "f4 02 eb 6b 90 01 01 ff eb fb ..." vs
 *     $a_01_1 "f4 02 eb 6b 72 ff eb fb ..."   -> "90 01 01" sits where 72 is
 *   - $a_03_8 "04 90 01 01 ff 0a 90 01 01 00 08 00 04 90 01 01 ff" vs
 *     $a_01_4 "04 64 ff 0a 16 00 08 00 04 64 ff"
 * As written, YARA treats those marker bytes as literals, so the $a_03_*
 * strings only match if "90 01 01" etc. occur verbatim in the scanned file;
 * in practice detection rests on the $a_01_* strings alone. Rewriting
 * "90 01 NN" as "[NN]" and dropping the "90 00" terminator would restore
 * them. The "90 03 04 04 04 ..." opcode in $a_03_3 is NOT decoded here --
 * confirm its meaning against the converter before touching that string.
 *
 * NOTE(review): the condition is "any of ($a_*)", so one hit fires the rule.
 * The leading "03 00 03 00" of the description header is presumably the
 * original match threshold (3, with each string weighted 01 00); if so,
 * "3 of ($a_*)" would track Defender's behaviour more closely and reduce
 * false positives from short patterns such as $a_01_2 (14 literal bytes).
 * Verify the header layout before tightening. As this is a PE signature,
 * prefixing the condition with "uint16(0) == 0x5A4D and" is a cheap filter
 * that also cuts scan cost on non-PE data.
 */
rule Worm_Win32_Vobfus_gen_A{
meta:
// Original Defender signature name, signature type and raw header bytes (see above).
description = "Worm:Win32/Vobfus.gen!A,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 09 00 00 01 00 "
strings :
// Type-03 string: contains "90 01 NN" / "90 00" marker bytes, see header note.
$a_03_0 = {f4 02 eb 6b 90 01 01 ff eb fb cf e8 c4 f5 00 00 00 00 cc 1c 90 00 } //01 00
// Type-01 strings: plain literal byte sequences, usable as-is.
$a_01_1 = {f4 02 eb 6b 72 ff eb fb cf e8 c4 e4 f4 00 cb 1c } //01 00
$a_01_2 = {a9 f3 00 01 c1 e7 04 60 ff 9d fb 12 fc 0d } //01 00
// Type-03 string with an undecoded "90 03 ..." opcode; do not convert blindly.
$a_03_3 = {f5 19 02 00 00 c7 1c 90 08 80 01 f5 90 03 04 04 04 80 00 00 00 80 00 00 c7 1c 90 00 } //01 00
$a_01_4 = {5b 00 00 00 04 64 ff 0a 16 00 08 00 04 64 ff f5 61 00 00 00 04 54 ff 0a 16 00 08 00 04 54 ff fb ef 44 ff f5 75 00 00 00 04 34 ff 0a 16 00 08 00 04 34 ff fb ef 24 ff f5 74 } //01 00
$a_01_5 = {f5 2e 00 00 00 04 5c fd 0a 0a 00 08 00 04 5c fd fb ef 4c fd f5 63 00 00 00 04 3c fd 0a 0a 00 08 00 04 3c fd fb ef 2c fd f5 6e 00 00 00 04 1c fd 0a 0a 00 08 00 04 1c fd fb ef 0c fd f5 2f } //01 00
// Type-03 strings: "90 01 01" / "90 01 02" markers, see header note.
$a_03_6 = {f5 2e 00 00 00 0b 90 01 02 04 00 23 90 01 01 ff 2a 23 90 01 01 ff f5 73 00 00 00 0b 90 01 02 04 00 23 90 01 01 ff 2a 23 90 01 01 ff f5 63 00 00 00 0b 90 01 02 04 00 23 90 01 01 ff 2a 46 90 01 01 ff f5 72 90 00 } //01 00
$a_03_7 = {f5 6b 00 00 00 0b 90 01 01 00 04 00 31 90 01 02 f5 65 00 00 00 0b 90 01 01 00 04 00 31 90 01 02 f5 72 00 00 00 04 90 01 02 0a 90 01 01 00 08 00 f5 6e 90 00 } //01 00
$a_03_8 = {f5 05 00 00 00 ae 71 6c ff 02 00 f5 38 00 00 00 04 90 01 01 ff 0a 90 01 01 00 08 00 04 90 01 01 ff f5 42 00 00 00 90 00 } //00 00
condition:
// A single matching string fires the rule; see header note on the original threshold.
any of ($a_*)
}