/*
yara-rule-havex-netscan.yar
This searches for "~tracedscn.yls" or
port activity indicative of the
W32.Havex.Netscan malware module.
NOTE: 5 ports are scanned by W32.Havex.Netscan; only 44818 was
chosen because its high port number and the hex rule reduce the
chance of a false positive!
Val A. Red, 20151206
*/
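/*
 * Detects the W32.Havex.Netscan module by the temporary file name it uses.
 *
 * Only the "~tracedscn.yls" file-name string is part of the active condition.
 * The port byte pattern ($p1) is kept for reference but is commented out, so
 * port activity does not currently contribute to a match despite the
 * "& ports" wording in the description.
 */
rule W32HavexNetscan
{
    meta:
        description = "Havex.Netscan search based on temp file & ports"
        in_the_wild = true
        reference = "https://github.com/vred/yara-rule-havex-netscan/blob/master/havex-netscan.yar"

    strings:
        // Temp file name written by the Netscan module. Matched in both UTF-16LE
        // (wide) and single-byte (ascii) encodings so the detection does not
        // depend on how a given sample stores the string; nocase covers casing
        // differences. Adding "ascii" widens the original wide-only match.
        $file = "~tracedscn.yls" wide ascii nocase

        // Disabled: byte pattern the original author associated with the
        // Rslinx port 44818 (see the original inline comment). It is not
        // referenced by the condition; re-enable only after confirming the
        // pattern against samples and checking the false-positive rate.
        //$p1 = { 0A F1 2? } // Rslinx 44818 only selected

    condition:
        // Match on the file-name string alone; the port check stays disabled.
        ($file)// and ($p1)
}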