DefenderYara/Worm/Win32/Wecykler/Worm_Win32_Wecykler_A.yar


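// Worm:Win32/Wecykler.A — converted from a Defender PEHSTR_EXT signature.
// The meta description keeps the raw signature header bytes from the conversion;
// their exact field layout is not documented here, so treat them as opaque.
rule Worm_Win32_Wecykler_A{
meta:
description = "Worm:Win32/Wecykler.A,SIGNATURE_TYPE_PEHSTR_EXT,04 00 03 00 07 00 00 01 00 "
strings :
// Wide (UTF-16LE) string. Adding 3 to each character gives a SID-shaped value
// ("-1-5-21-<n>-<n>-<n>-1003"); the first characters do not decode cleanly, so
// the exact plaintext is unconfirmed. Likely an obfuscated string constant.
$a_01_0 = {59 00 55 00 2a 00 2e 00 2a 00 32 00 2a 00 2f 00 2e 00 2a 00 2e 00 36 00 33 00 2d 00 31 00 2d 00 35 00 36 00 33 00 2e 00 2a 00 34 00 2f 00 32 00 30 00 31 00 32 00 32 00 31 00 30 00 2a 00 35 00 30 00 36 00 32 00 2f 00 2f 00 2e 00 2e 00 32 00 2a 00 2e 00 2d 00 2d 00 30 00 } //01 00
// Wide (UTF-16LE) string. Adding 3 to each character decodes to the
// Software\Microsoft\Windows\CurrentVersion\Run autostart key path — a
// persistence indicator stored obfuscated in the binary.
$a_01_1 = {50 00 6c 00 63 00 71 00 74 00 5e 00 6f 00 62 00 59 00 4a 00 66 00 60 00 6f 00 6c 00 70 00 6c 00 63 00 71 00 59 00 54 00 66 00 6b 00 61 00 6c 00 74 00 70 00 59 00 40 00 72 00 6f 00 6f 00 62 00 6b 00 71 00 53 00 62 00 6f 00 70 00 66 00 6c 00 6b 00 59 00 4f 00 72 00 6b 00 } //01 00
// x86 code: push 0x7d0 (2000) / call ebp twice, then push 0x1de (478) ahead of
// an indirect call (ff 15 ...). The callees are not identifiable from the bytes.
$a_01_2 = {68 d0 07 00 00 57 ff d5 6a 00 6a 00 68 d0 07 00 00 53 ff d5 6a 00 8d 4c 24 18 51 68 de 01 00 00 56 57 ff 15 } //01 00
// x86 code: 16-bit (wide-char) compare loop — mov cx,[eax]; cmp cx,[eax+edx];
// jne; counter in [esp+0x20] is incremented and bounded by 0xef (239).
$a_01_3 = {66 8b 08 66 3b 0c 10 0f 85 8f 07 00 00 8b 4c 24 20 83 c1 01 83 c0 02 81 f9 ef 00 00 00 89 4c 24 20 7e dd } //01 00
// x86 code: inline wide-string length scan (mov cx,[eax]; add eax,2; test cx,cx;
// jne) followed by sub/sar to turn the byte span into a character count.
$a_01_4 = {66 8b 08 83 c0 02 66 85 c9 75 f5 2b c6 d1 f8 83 c0 ff 3b d0 76 da 8b 74 24 14 8d 4c 24 18 51 68 } //01 00
// x86 code: the same length-scan idiom, then a bound check against length+0x5a
// and a lea edi,[ebx+edx*2] that indexes a 16-bit element array.
$a_01_5 = {8d 50 02 66 8b 08 83 c0 02 66 85 c9 75 f5 2b c2 d1 f8 8b d0 8d 4a 5a 3b d1 77 1a 2b ca 83 c1 01 d1 e9 8d 3c 53 } //01 00
// x86 code: mov eax,0x4ec4ec4f; mul ecx; shr edx,3; imul edx,edx,-26; add ecx,edx
// computes ecx mod 26 (reciprocal-multiply division by 26); test bl,1 then
// add ecx,0x41 ('A') on one branch — generates an alphabetic character.
$a_01_6 = {b8 4f ec c4 4e f7 e1 c1 ea 03 6b d2 e6 03 ca 83 c4 04 f6 c3 01 89 4c 24 04 75 05 83 c1 41 eb 03 } //00 00
// Removed from the match set: a one-byte hex string (0x7e, '~') combined with
// "any of" made the rule fire on practically every file that contains a tilde.
// The trailing "15 00" differs from every other string's trailer and this entry
// presumably is a trailing artifact of the signature conversion rather than a
// real atom. Kept here, commented, for traceability.
// $a_00_7 = {7e } //15 00
condition:
any of ($a_*)
}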