36 lines
1.2 KiB
Text
36 lines
1.2 KiB
Text
|
import "elf"
|
||
|
|
||
|
rule Linux_Virus_Vit : tc_detection malicious
|
||
|
{
|
||
|
meta:
|
||
|
|
||
|
author = "ReversingLabs"
|
||
|
|
||
|
source = "ReversingLabs"
|
||
|
status = "RELEASED"
|
||
|
sharing = "TLP:WHITE"
|
||
|
category = "MALWARE"
|
||
|
malware = "VIT"
|
||
|
description = "Yara rule that detects Vit virus."
|
||
|
|
||
|
tc_detection_type = "Virus"
|
||
|
tc_detection_name = "Vit"
|
||
|
tc_detection_factor = 5
|
||
|
|
||
|
strings:
|
||
|
|
||
|
$vit_entry_point = {
|
||
|
55 89 E5 81 EC 40 31 00 00 57 56 50 53 51 52 C7 85 D8 CE FF FF 00 00 00 00 C7 85 D4
|
||
|
CE FF FF 00 00 00 00 C7 85 FC CF FF FF CA 08 00 00 C7 85 F8 CF FF FF B8 06 00 00 C7
|
||
|
85 F4 CF FF FF AD 08 00 00 C7 85 F0 CF FF FF 50 06 00 00 6A 00 6A 00 8B 45 08 50 E8
|
||
|
18 FA FF FF 89 C6 83 C4 0C 85 F6 0F 8C E6 01 00 00 6A 00 68 ?? ?? ?? ?? 56 E8 2E FA
|
||
|
FF FF 83 C4 0C 85 C0 0F 8C C4 01 00 00 8B 85 FC CF FF FF 50 8D 85 00 D0 FF FF 50 56
|
||
|
E8 2A FA FF FF 89 C2 8B 85 FC CF FF FF 83 C4 0C 39 C2 0F 85 9D 01 00 00 56 E8 E1 F9
|
||
|
FF FF BE FF FF FF FF 6A 00 6A 00 E9
|
||
|
}
|
||
|
|
||
|
$vit_str = "vi324.tmp"
|
||
|
|
||
|
condition:
|
||
|
uint32(0) == 0x464C457F and $vit_entry_point at elf.entry_point and $vit_str
|
||
|
}
|