Common Information
| Type | Value |
|---|---|
| Value |
import "pe"
rule diskknight {
meta:
description = "Disk Knight detection (worm.diskknight/knight) - VERY SPECIFIC"
author = "Luca D'Amico"
date = "2023/06/24"
hash0 = "d25c1d1423ed31b5436678318ca815092102e88d06a130481bc0728d14d74bb4"
strings:
$a1 = "http://www.ariful.esmartweb.com"
$a2 = "action=Disk Knight(Protection Against Mobile Disk Viruses)"
$a3 = "[Disk Knight]"
condition:
uint16(0) == 0x5A4D and pe.machine == pe.MACHINE_I386 and for any i in (0 .. (pe.number_of_resources) - 1) : ( pe.resources[i].type_string == "C\x00U\x00S\x00T\x00O\x00M\x00" and (pe.resources[i].name_string == "A\x00U\x00T\x00O\x00R\x00U\x00N\x00.\x00I\x00N\x00F\x00" or pe.resources[i].name_string == "R\x00E\x00C\x00O\x00V\x00E\x00R\x00.\x00R\x00E\x00G\x00") ) and pe.imports("MSVBVM60.DLL") and all of them
}
|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description |