Advertisement
Guest User

Yara rules Zeus

a guest
May 22nd, 2015
1,586
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 1.46 KB | None | 0 0
  1. rule xmlc : banker
  2. {
  3. strings:
  4. $a = "/c del" fullword
  5. $b = "PostDel" fullword
  6. $c = ">> NUL" fullword
  7. $d = "LOADXML"
  8. $e = "lm.dat"
  9. $f = "---------------%s----------------"
  10.  
  11. condition:
  12. filesize < 150KB and (3 of ($a,$b,$c,$d,$e,$f))
  13. }
  14.  
  15. rule silent_banker : banker
  16. {
  17. strings:
  18. $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
  19. $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
  20. $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
  21.  
  22. condition:
  23. $a or $b or $c
  24. }
  25.  
  26. rule zbot : banker
  27. {
  28. strings:
  29. $a = "__SYSTEM__" wide
  30. $b = "*tanentry*"
  31. $c = "*<option"
  32. $d = "*<select"
  33. $e = "*<input"
  34.  
  35. condition:
  36. ($a and $b) or ($c and $d and $e)
  37. }
  38.  
  39. rule banbra : banker
  40. {
  41. strings:
  42. $a = "senha" fullword nocase
  43. $b = "cartao" fullword nocase
  44. $c = "caixa"
  45. $d = "login" fullword nocase
  46. $e = ".com.br"
  47.  
  48. condition:
  49. #a > 3 and #b > 3 and #c > 3 and #d > 3 and #e > 3
  50. }
  51.  
  52.  
  53.  
  54. rule spyeye
  55. {
  56. meta:
  57. description = "Indicates that the SpyEye Trojan is installed"
  58.  
  59. strings:
  60. $a = "SPYNET"
  61. $b = "SpyEye"
  62.  
  63. condition:
  64. ($a and $b)
  65. }
  66.  
  67. rule tdl3
  68. {
  69. meta:
  70. null_string = 1
  71.  
  72. strings:
  73. $1 = "\\\\?\\globalroot\\"
  74. $2 = ".ini"
  75.  
  76. condition:
  77. all of them
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement