179 lines
No EOL
5.4 KiB
Text
179 lines
No EOL
5.4 KiB
Text
rule compiled_autoit {
|
|
strings:
|
|
$str1 = "This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support."
|
|
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
rule MSFTConnectionManagerPhonebook {
|
|
strings:
|
|
$cmpbk1 = "cmpbk32.dll"
|
|
$cmpbk2 = "PhoneBookEnumNumbersWithRegionsZero"
|
|
$cmpbk3 = "PhoneBookLoad"
|
|
$cmpbk4 = "PhoneBookUnload"
|
|
$cmpbk5 = "PhoneBookGetCurrentCountryId"
|
|
$cmpbk6 = "PhoneBookGetCountryNameA"
|
|
$cmpbk7 = "PhoneBookFreeFilter"
|
|
$cmpbk8 = "PhoneBookCopyFilter"
|
|
$cmpbk9 = "PhoneBookMatchFilter"
|
|
$cmpbk10 = "PhoneBookGetCountryId"
|
|
$cmpbk11 = "PhoneBookGetPhoneDescA"
|
|
$cmpbk12 = "PhoneBookHasPhoneType"
|
|
$cmpbk13 = "PhoneBookGetRegionNameA"
|
|
$cmpbk14 = "PhoneBookEnumRegions"
|
|
$cmpbk15 = "PhoneBookParseInfoA"
|
|
$cmpbk16 = "PhoneBookGetPhoneDUNA"
|
|
$cmpbk17 = "PhoneBookGetPhoneDispA"
|
|
$cmpbk18 = "PhoneBookGetPhoneCanonicalA"
|
|
$cmpbk19 = "PhoneBookGetPhoneType"
|
|
$cmpbk20 = "PhoneBookEnumNumbers"
|
|
$cmpbk21 = "PhoneBookMergeChanges"
|
|
$cmpbk22 = "PhoneBookGetPhoneNonCanonicalA"
|
|
|
|
condition:
|
|
12 of them
|
|
}
|
|
rule delphi_wlan {
|
|
strings:
|
|
$dll = "wlanapi.dll"
|
|
|
|
$api2 = "WlanOpenHandle"
|
|
$api3 = "WlanCloseHandle"
|
|
$api4 = "WlanEnumInterfaces"
|
|
$api5 = "WlanQueryInterface"
|
|
$api6 = "WlanGetAvailableNetworkList"
|
|
|
|
$options1 = "80211_OPEN"
|
|
$options2 = "80211_SHARED_KEY"
|
|
$options3 = "WPA_PSK"
|
|
$options4 = "WPA_NONE"
|
|
$options5 = "RSNA"
|
|
$options6 = "RSNA_PSK"
|
|
$options7 = "IHV_START"
|
|
$options8 = "IHV_END"
|
|
$options9 = "WEP104"
|
|
$options10 = "WPA_USE_GROUP OR RSN_USE_GROUP"
|
|
$options11 = "IHV_START"
|
|
$options12 = "IHV_END"
|
|
$options13 = "WEP40"
|
|
|
|
condition:
|
|
$dll and 3 of ($api*) and 6 of ($options*)
|
|
}
|
|
|
|
|
|
rule ejects_cdrom {
|
|
strings:
|
|
$cddoor1 = "mciSendString"
|
|
$cddoor2 = "set cdaudio door open"
|
|
$cddoor3 = "set cdaudio door closed"
|
|
|
|
condition:
|
|
2 of them
|
|
}
|
|
|
|
rule lowers_security {
|
|
strings:
|
|
$actions1 = "EnableLUA"
|
|
$actions2 = "AntiVirusDisableNotify"
|
|
$actions3 = "DisableNotifications"
|
|
$actions4 = "UpdatesDisableNotify"
|
|
|
|
condition:
|
|
2 of them
|
|
}
|
|
|
|
|
|
|
|
rule reads_clipboard {
|
|
strings:
|
|
$clipboard1 = "CloseClipboard"
|
|
$clipboard2 = "EmptyClipboard"
|
|
$clipboard3 = "EnumClipboardFormats"
|
|
$clipboard4 = "GetClipboardData"
|
|
$clipboard5 = "IsClipboardFormatAvailable"
|
|
$clipboard6 = "OpenClipboard"
|
|
$clipboard7 = "RefreshClipboard"
|
|
$clipboard8 = "RegisterClipboardFormat"
|
|
$clipboard9 = "SendYourClipboard"
|
|
$clipboard10 = "SetClipboardData"
|
|
|
|
condition:
|
|
5 of them
|
|
}
|
|
|
|
rule pcre {
|
|
strings:
|
|
$pcre1 = "this version of PCRE is not compiled with PCRE_UTF8 support"
|
|
$pcre2 = "this version of PCRE is not compiled with PCRE_UCP support"
|
|
$pcre3 = "alpha"
|
|
$pcre4 = "lower"
|
|
$pcre5 = "upper"
|
|
$pcre6 = "alnum"
|
|
$pcre7 = "ascii"
|
|
$pcre8 = "blank"
|
|
$pcre9 = "cntrl"
|
|
$pcre10 = "digit"
|
|
$pcre11 = "graph"
|
|
$pcre12 = "print"
|
|
$pcre13 = "punct"
|
|
$pcre14 = "space"
|
|
$pcre15 = "word"
|
|
$pcre16 = "xdigit"
|
|
$pcre17 = "at end of pattern"
|
|
$pcre18 = "numbers out of order in {} quantifier"
|
|
$pcre19 = "number too big in {} quantifier"
|
|
$pcre20 = "missing terminating ] for character class"
|
|
$pcre21 = "invalid escape sequence in character class"
|
|
$pcre22 = "range out of order in character class"
|
|
$pcre23 = "nothing to repeat"
|
|
$pcre24 = "operand of unlimited repeat could match the empty string"
|
|
$pcre25 = "internal error: unexpected repeat"
|
|
$pcre26 = "unrecognized character after (? or (?-"
|
|
$pcre27 = "POSIX named classes are supported only within a class"
|
|
$pcre28 = "missing )"
|
|
$pcre29 = "reference to non-existent subpattern"
|
|
$pcre30 = "erroffset passed as NULL"
|
|
$pcre31 = "unknown option bit(s) set"
|
|
$pcre32 = "missing ) after comment"
|
|
$pcre33 = "parentheses nested too deeply"
|
|
$pcre34 = "regular expression is too large"
|
|
$pcre35 = "failed to get memory"
|
|
$pcre36 = "unmatched parentheses"
|
|
$pcre37 = "internal error: code overflow"
|
|
$pcre38 = "unrecognized character after (?<"
|
|
$pcre39 = "lookbehind assertion is not fixed length"
|
|
$pcre40 = "malformed number or name after (?("
|
|
$pcre41 = "conditional group contains more than two branches"
|
|
$pcre42 = "assertion expected after (?("
|
|
$pcre43 = "(?R or (?[+-]digits must be followed by )"
|
|
$pcre44 = "unknown POSIX class name"
|
|
$pcre45 = "POSIX collating elements are not supported"
|
|
$pcre46 = "this version of PCRE is not compiled with PCRE_UTF8 support"
|
|
$pcre47 = "spare error"
|
|
$pcre48 = "character value in x{...} sequence is too large"
|
|
$pcre49 = "invalid condition (?(0)"
|
|
$pcre50 = "number after (?C is > 255"
|
|
$pcre51 = "closing ) for (?C expected"
|
|
$pcre52 = "recursive call could loop indefinitely"
|
|
$pcre53 = "unrecognized character after (?P"
|
|
$pcre54 = "syntax error in subpattern name (missing terminator)"
|
|
$pcre55 = "two named subpatterns have the same name"
|
|
$pcre56 = "invalid UTF-8 string"
|
|
$pcre57 = "subpattern name is too long (maximum 32 characters)"
|
|
$pcre58 = "too many named subpatterns (maximum 10000)"
|
|
$pcre59 = "repeated subpattern is too long"
|
|
$pcre60 = "octal value is greater than 377 (not in UTF-8 mode)"
|
|
$pcre61 = "internal error: overran compiling workspace"
|
|
$pcre62 = "internal error: previously-checked referenced subpattern not found"
|
|
$pcre63 = "DEFINE group contains more than one branch"
|
|
$pcre64 = "repeating a DEFINE group is not allowed"
|
|
$pcre65 = "inconsistent NEWLINE options"
|
|
$pcre66 = "different names for subpatterns of the same number are not allowed"
|
|
$pcre67 = "subpattern name expected"
|
|
$pcre68 = "a numbered reference must not be zero"
|
|
|
|
condition:
|
|
30 of them
|
|
} |