2016/2016.11.09_down-the-h-w0rm-hole-with-houdinis-rat/hworm.yar

rule win_vbs_rat_hworm

{

    strings:

        $sa1 = "CONFIG"

        $sa2 = "MYCODE"

        $sa3 = "SHELLOBJ.EXPANDENVIRONMENTSTRINGS"

        $sa4 = "BASE64TOHEX"

        $sa5 = "DCOM.VIRTUALALLOC"

        $sa6 = "LOADER_"

        $sa7 = "PE_PTR"

        $sa8 = "OBJWMISERVICE.EXECQUERY"

        $sa9 = "WSCRIPT.EXE" nocase

        $sa10 = "FUNCTION"

        $sa11 = "DIM"

        $sa12 = "END SUB"

        $sb1 = "HOST_FILE"

        $sb2 = "FILE_NAME"

        $sb3 = "INSTALL_DIR"

        $sb4 = "START_UP_REG"

        $sb5 = "START_UP_TASK"

        $sb6 = "START_UP_FOLDER"

        $sc1 = "DCOM_DATA"

        $sc2 = "LOADER_DATA"

        $sc3 = "FILE_DATA"

        $sc4 = "(1)"

        $sc5 = "(2)"

        $sc6 = "(3)"

        $sc7 = "FILE_SIZE"

    condition:

                (all of ($sa*)) and ( (all of ($sb*)) or (all of ($sc*)) )

}

rule win_exe_rat_hworm

{

    strings:

                $sa1 = "connection_host" wide ascii

                $sa2 = "connection_port" wide ascii

                $sa3 = "install_folder" wide ascii

                $sa4 = "install_name" wide ascii

                $sa5 = "nickname_id" wide ascii

                $sa6 = "password" wide ascii

                $sa7 = "injection" wide ascii

                $sa8 = "startup_registry" wide ascii

                $sa9 = "startup_folder" wide ascii

                $sa10 = "startup_task" wide ascii

                $sa11 = "process_name" wide ascii

                $sa12 = "fkeylogger_host" wide ascii

                $sa13 = "fkeylogger_port" wide ascii

                $sa14 = "keylogger_init" wide ascii

                $sa15 = "keylogger_offline" wide ascii

                $sa16 = "file_manager" wide ascii

                $sa17 = "usb" wide ascii

                $sa18 = "password" wide ascii

                $sa19 = "filemanager" wide ascii

                $sa20 = "keylogger" wide ascii

                $sa21 = "screenshot" wide ascii

                $sa22 = "show" nocase wide ascii

                $sa23 = "open" wide ascii

                $sa25 = "create" wide ascii

                $sa26 = "Self" wide ascii

                $sa27 = "createsuspended" wide ascii

    condition:

                (uint16(0) == 0x5A4D) and (all of them)

}