24 lines
1.7 KiB
Plaintext
24 lines
1.7 KiB
Plaintext
|
|
rule Worm_Win32_Yoybot{
|
|
meta:
|
|
description = "Worm:Win32/Yoybot,SIGNATURE_TYPE_PEHSTR_EXT,0f 00 0d 00 0e 00 00 05 00 "
|
|
|
|
strings :
|
|
$a_00_0 = {2e 6a 70 65 67 2d 77 77 77 2e 69 6d 61 67 65 73 68 61 63 6b 2e 63 6f 6d } //05 00
|
|
$a_01_1 = {6d 47 fe 74 e8 bf c2 45 90 35 d1 5e 33 0a 24 6d } //03 00
|
|
$a_00_2 = {5c 70 68 6f 74 6f 20 61 6c 62 75 6d 2e } //03 00
|
|
$a_01_3 = {59 4f 20 59 4f 20 59 4f 20 3a } //03 00
|
|
$a_03_4 = {6a 2e 50 53 89 7c 24 90 01 01 c7 44 24 90 01 01 50 4b 01 02 66 c7 44 24 90 01 01 14 00 66 89 ac 24 90 01 01 00 00 00 c7 84 24 90 01 01 00 00 00 20 00 00 90 00 } //03 00
|
|
$a_03_5 = {50 4b 01 02 66 c7 45 90 01 01 14 00 66 c7 45 90 01 01 00 00 c7 45 90 01 01 20 00 00 00 8b f4 6a 00 8d 8d 90 01 02 ff ff 51 6a 2e 8d 55 90 01 01 52 8b 45 90 01 01 50 90 00 } //02 00
|
|
$a_00_6 = {69 6d 73 74 61 72 74 00 } //02 00
|
|
$a_00_7 = {00 69 6e 64 69 72 00 } //01 00
|
|
$a_00_8 = {64 6f 77 6e 6c 6f 61 64 00 } //01 00
|
|
$a_00_9 = {2e 7a 69 70 00 } //01 00
|
|
$a_01_10 = {53 65 74 43 6c 69 70 62 6f 61 72 64 44 61 74 61 } //05 00
|
|
$a_03_11 = {56 6a 01 56 6a 11 ff d3 56 56 56 6a 56 ff 15 90 01 04 50 ff d3 56 6a 03 6a 2d 6a 11 ff d3 56 56 56 6a 0d ff d3 6a 32 90 00 } //05 00
|
|
$a_03_12 = {6a 00 6a 01 6a 00 6a 11 ff 15 90 01 04 3b f4 e8 90 01 04 8b f4 6a 00 6a 00 6a 00 8b fc 6a 56 ff 15 90 01 04 3b fc e8 90 01 04 50 ff 15 90 01 04 3b f4 e8 90 01 04 8b f4 6a 00 6a 03 6a 2d 6a 11 ff 15 90 01 04 3b f4 e8 90 01 04 8b f4 6a 00 6a 00 6a 00 6a 0d ff 15 90 01 04 3b f4 e8 90 01 04 8b f4 6a 32 90 00 } //05 00
|
|
$a_01_13 = {6a 00 6a 01 6a 00 6a 11 ff d6 6a 00 6a 00 6a 00 6a 56 ff d3 50 ff d6 6a 00 6a 03 6a 2d 6a 11 ff d6 6a 00 6a 00 6a 00 6a 0d ff d6 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |