Sneed-Reactivity/yara-ReversingLabs/virus/Linux.Virus.Vit.yara

36 lines
1.2 KiB
Text
Raw Permalink Normal View History

import "elf"
rule Linux_Virus_Vit : tc_detection malicious
{
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "MALWARE"
malware = "VIT"
description = "Yara rule that detects Vit virus."
tc_detection_type = "Virus"
tc_detection_name = "Vit"
tc_detection_factor = 5
strings:
$vit_entry_point = {
55 89 E5 81 EC 40 31 00 00 57 56 50 53 51 52 C7 85 D8 CE FF FF 00 00 00 00 C7 85 D4
CE FF FF 00 00 00 00 C7 85 FC CF FF FF CA 08 00 00 C7 85 F8 CF FF FF B8 06 00 00 C7
85 F4 CF FF FF AD 08 00 00 C7 85 F0 CF FF FF 50 06 00 00 6A 00 6A 00 8B 45 08 50 E8
18 FA FF FF 89 C6 83 C4 0C 85 F6 0F 8C E6 01 00 00 6A 00 68 ?? ?? ?? ?? 56 E8 2E FA
FF FF 83 C4 0C 85 C0 0F 8C C4 01 00 00 8B 85 FC CF FF FF 50 8D 85 00 D0 FF FF 50 56
E8 2A FA FF FF 89 C2 8B 85 FC CF FF FF 83 C4 0C 39 C2 0F 85 9D 01 00 00 56 E8 E1 F9
FF FF BE FF FF FF FF 6A 00 6A 00 E9
}
$vit_str = "vi324.tmp"
condition:
uint32(0) == 0x464C457F and $vit_entry_point at elf.entry_point and $vit_str
}