rule WormWin32DorkbotSamlpeA
{
    // Dorkbot / ngrBot sample rule, variant A.
    // Three families of strings are pooled into a single "8 of" count:
    //   $msg*  - bot-side text that appears to describe self-protection
    //            and hijack behaviour
    //   $dom*  - short vendor / scanner domain fragments; several are very
    //            short (e.g. "avg.", "eset.", "virus.") and are only
    //            meaningful in aggregate, never individually
    //   $log*  - bracketed "[Module]: ..." style status strings
    // NOTE(review): $log13 ("DNS]: Blocked") is a prefix of $log25
    // ("DNS]: Blocked DNS"), so a single occurrence of the longer text
    // contributes two hits toward the threshold.
    meta:
        Description = "Worm.Dorkbot.sm"
        ThreatLevel = "5"

    strings:
        // --- self-protection / hijack text ---
        $msg1 = "from removing our bot file!" wide ascii
        $msg2 = "from moving our bot file" wide ascii
        $msg3 = "Message hijacked!" wide ascii
        $msg4 = "popgrab" wide ascii
        $msg5 = "ftpgrab" wide ascii
        $msg6 = "s.Blocked possible browser exploit pack call on URL" wide ascii

        // --- vendor / scanner domain fragments (aggregate signal only) ---
        $dom01 = "webroot." wide ascii
        $dom02 = "fortinet." wide ascii
        $dom03 = "virusbuster.nprotect." wide ascii
        $dom04 = "gdatasoftware." wide ascii
        $dom05 = "virus." wide ascii
        $dom06 = "precisesecurity." wide ascii
        $dom07 = "lavasoft." wide ascii
        $dom08 = "heck.tc" wide ascii
        $dom09 = "emsisoft." wide ascii
        $dom10 = "onlinemalwarescanner." wide ascii
        $dom11 = "onecare.live." wide ascii
        $dom12 = "f-secure." wide ascii
        $dom13 = "bullguard." wide ascii
        $dom14 = "clamav." wide ascii
        $dom15 = "pandasecurity." wide ascii
        $dom16 = "sophos." wide ascii
        $dom17 = "malwarebytes." wide ascii
        $dom18 = "sunbeltsoftware." wide ascii
        $dom19 = "norton." wide ascii
        $dom20 = "norman." wide ascii
        $dom21 = "mcafee." wide ascii
        $dom22 = "symantec" wide ascii
        $dom23 = "comodo." wide ascii
        $dom24 = "avast." wide ascii
        $dom25 = "avira." wide ascii
        $dom26 = "avg." wide ascii
        $dom27 = "bitdefender." wide ascii
        $dom28 = "eset." wide ascii
        $dom29 = "kaspersky." wide ascii
        $dom30 = "trendmicro." wide ascii
        $dom31 = "iseclab." wide ascii
        $dom32 = "virscan." wide ascii
        $dom33 = "garyshood." wide ascii
        $dom34 = "viruschief." wide ascii
        $dom35 = "jotti." wide ascii
        $dom36 = "threatexpert." wide ascii
        $dom37 = "novirusthanks." wide ascii
        $dom38 = "virustotal." wide ascii

        // --- bracketed module status strings ---
        $log01 = "you stupid cracker" wide ascii
        $log02 = "ngrBot Error" wide ascii
        $log03 = "Slowloris]: Finished flood on" wide ascii
        $log04 = "UDP]: Finished flood on" wide ascii
        $log05 = "SYN]: Finished flood on" wide ascii
        $log06 = "USB]: Infected %s" wide ascii
        $log07 = "MSN]: Updated MSN spread message to" wide ascii
        $log08 = "MSN]: Updated MSN spread interval to" wide ascii
        $log09 = "HTTP]: Updated HTTP spread message to" wide ascii
        $log10 = "HTTP]: Injected value is now %s." wide ascii
        $log11 = "HTTP]: Updated HTTP spread interval to" wide ascii
        $log12 = "Visit]: Visited" wide ascii
        $log13 = "DNS]: Blocked" wide ascii
        $log14 = "RSOCK4]: Started rsock4" wide ascii
        $log15 = "Visit]: Error visitng" wide ascii
        $log16 = "FTP Login]: %s" wide ascii
        $log17 = "POP3 Login]: %s" wide ascii
        $log18 = "FTP Infect]: %s was iframed" wide ascii
        $log19 = "HTTP Login]: %s" wide ascii
        $log20 = "HTTP Traffic]: %s" wide ascii
        $log21 = "Ruskill]: Detected File:" wide ascii
        $log22 = "Ruskill]: Detected DNS:" wide ascii
        $log23 = "Ruskill]: Detected Reg:" wide ascii
        $log24 = "PDef+]: %s" wide ascii
        $log25 = "DNS]: Blocked DNS" wide ascii
        $log26 = "MSN]: %s" wide ascii
        $log27 = "HTTP]: %s" wide ascii

    condition:
        // ($*) is every string declared above, i.e. the same pool as "them".
        // Any eight distinct strings, from any group, satisfy the rule.
        8 of ($*)
}
rule WormWin32DorkbotSamlpeB
{
    // Dorkbot sample rule, variant B.
    // $a is treated as a standalone indicator: it matches on its own.
    // The remaining strings only match as a set. Because $a is also part
    // of the "3 of" pool, the set-branch is reached without $a only when
    // all three of $url, $dir and $drv are present.
    meta:
        Description = "Worm.Dorkbot.sm"
        ThreatLevel = "5"

    strings:
        $url = "http://ht.ly/jZH8A?yd=" wide ascii
        $dir = "DecriptedFiles" wide ascii
        $drv = "Infected Drive: %s" wide ascii
        $a   = "snkb00pt" wide ascii

    condition:
        // ($*) is every string declared above, identical to "them".
        $a or 3 of ($*)
}