win.sobig (Back to overview)

Sobig

aka: Palyh

There is no description at this point.

References
2003-08-22 — CNN — Bill Tucker
@online{tucker:20030822:sobigf:19c3849, author = {Bill Tucker}, title = {{SoBig.F breaks virus speed records}}, date = {2003-08-22}, organization = {CNN}, url = {http://edition.cnn.com/2003/TECH/internet/08/21/sobig.virus/index.html}, language = {English}, urldate = {2019-12-05} } SoBig.F breaks virus speed records
Sobig
Yara Rules
[TLP:WHITE] win_sobig_auto (20230407 | Detects win.sobig.)
rule win_sobig_auto {
    /*
     * Auto-generated code-sequence signature for the win.sobig family (aka Palyh).
     * Ten x86 byte sequences ($sequence_0 .. $sequence_9) were lifted from the
     * disassembly of unpacked / memory-dumped samples; the rule fires when at
     * least 7 of the 10 are present in an object smaller than 262144 bytes
     * (256 KiB). The "??" bytes are wildcards for operand bytes (call/jump
     * targets, data references) that the generator masked out so a pattern is
     * not pinned to one build. Masking is not complete, however: several
     * sequences still embed absolute addresses from the reference sample
     * (0x41be61 in $sequence_0, 0x416294 in $sequence_2 and $sequence_8,
     * 0x41bd60 in $sequence_7), so a rebuilt or differently based binary may
     * miss those sequences and fall below the 7-of-10 threshold. Treat a hit
     * as a strong family indicator, not as attribution on its own.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.sobig."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator feature classes used to pick the sequences -- presumably
        // "calls and jumps", "data references" and "binary value" masking;
        // see the yara-signator project for the exact meaning.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sobig"
        malpedia_rule_date = "20230328"
        // malpedia_hash identifies the Malpedia data set / rule revision this
        // signature was generated from (its exact input is not stated here).
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Because the sequences come from memory dumps and unpacked files (see the
     * disclaimer above), a packed on-disk sample may not expose them; scan the
     * unpacked image or a process memory dump when an on-disk scan is negative.
     */

    strings:
        // Each $sequence_N is a raw hex pattern; the indented disassembly
        // below it is documentation only -- YARA matches the bytes, not the
        // mnemonics. "n" is the instruction count of the sequence and "score"
        // is the generator's ranking for it (100 for every sequence here);
        // neither is a YARA weight.

        // Contains the unmasked absolute address 0x41be61 (see header comment).
        $sequence_0 = { 8bf7 803f00 7459 0fb60e 8a8161be4100 a804 7437 }
            // n = 7, score = 100
            //   8bf7                 | mov                 esi, edi
            //   803f00               | cmp                 byte ptr [edi], 0
            //   7459                 | je                  0x5b
            //   0fb60e               | movzx               ecx, byte ptr [esi]
            //   8a8161be4100         | mov                 al, byte ptr [ecx + 0x41be61]
            //   a804                 | test                al, 4
            //   7437                 | je                  0x39

        // The pushed immediates 0x80000001 / 0xf003f look like the
        // HKEY_CURRENT_USER handle and KEY_ALL_ACCESS mask of a registry-open
        // call -- presumably; the call target itself is wildcarded (ff15 ????????).
        $sequence_1 = { ff15???????? 897508 683f000f00 68???????? 6801000080 8d4d08 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   897508               | mov                 dword ptr [ebp + 8], esi
            //   683f000f00           | push                0xf003f
            //   68????????           |                     
            //   6801000080           | push                0x80000001
            //   8d4d08               | lea                 ecx, [ebp + 8]

        // Contains the unmasked absolute address 0x416294 (see header comment).
        $sequence_2 = { 59 ff35???????? 8bcf 6a00 e8???????? 8b45e0 c7451494624100 }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   ff35????????         |                     
            //   8bcf                 | mov                 ecx, edi
            //   6a00                 | push                0
            //   e8????????           |                     
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   c7451494624100       | mov                 dword ptr [ebp + 0x14], 0x416294

        // Only 5 bytes of non-wildcard content after the masked call; the
        // shortest and therefore least specific sequence in the set.
        $sequence_3 = { e8???????? 3bfe 5e 7404 8bc7 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   3bfe                 | cmp                 edi, esi
            //   5e                   | pop                 esi
            //   7404                 | je                  6
            //   8bc7                 | mov                 eax, edi

        $sequence_4 = { 8a450b 83c40c 897de0 8845c0 895dc4 895dc8 }
            // n = 6, score = 100
            //   8a450b               | mov                 al, byte ptr [ebp + 0xb]
            //   83c40c               | add                 esp, 0xc
            //   897de0               | mov                 dword ptr [ebp - 0x20], edi
            //   8845c0               | mov                 byte ptr [ebp - 0x40], al
            //   895dc4               | mov                 dword ptr [ebp - 0x3c], ebx
            //   895dc8               | mov                 dword ptr [ebp - 0x38], ebx

        $sequence_5 = { f7de 1bf6 23f7 834dfcff 8d4dd8 e8???????? 8b4df4 }
            // n = 7, score = 100
            //   f7de                 | neg                 esi
            //   1bf6                 | sbb                 esi, esi
            //   23f7                 | and                 esi, edi
            //   834dfcff             | or                  dword ptr [ebp - 4], 0xffffffff
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e8????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_6 = { e8???????? 834de0ff e9???????? 8a45f3 8845cc 33c0 8945d0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   834de0ff             | or                  dword ptr [ebp - 0x20], 0xffffffff
            //   e9????????           |                     
            //   8a45f3               | mov                 al, byte ptr [ebp - 0xd]
            //   8845cc               | mov                 byte ptr [ebp - 0x34], al
            //   33c0                 | xor                 eax, eax
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax

        // Mixed masking: the 8088 instruction has its address wildcarded, but
        // the final and-instruction keeps the absolute address 0x41bd60.
        $sequence_7 = { eb1c f6c202 7410 8088????????20 8a9405ecfcffff ebe3 80a060bd410000 }
            // n = 7, score = 100
            //   eb1c                 | jmp                 0x1e
            //   f6c202               | test                dl, 2
            //   7410                 | je                  0x12
            //   8088????????20       |                     
            //   8a9405ecfcffff       | mov                 dl, byte ptr [ebp + eax - 0x314]
            //   ebe3                 | jmp                 0xffffffe5
            //   80a060bd410000       | and                 byte ptr [eax + 0x41bd60], 0

        // Overlaps with $sequence_1 (same push 0x80000001 / lea ecx, [ebp + 8])
        // and with $sequence_2 (same 0x416294 constant); a sample matching one
        // will often match the others, so they are not independent evidence.
        $sequence_8 = { 68???????? 6801000080 8d4d08 e8???????? 8b45ec c7451094624100 }
            // n = 6, score = 100
            //   68????????           |                     
            //   6801000080           | push                0x80000001
            //   8d4d08               | lea                 ecx, [ebp + 8]
            //   e8????????           |                     
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   c7451094624100       | mov                 dword ptr [ebp + 0x10], 0x416294

        // Fully position-independent byte-manipulation code: no wildcards and
        // no absolute addresses, so this sequence should survive relinking.
        $sequence_9 = { 884e01 8a5002 c0ea02 80e20f 0ad1 885601 8a4802 }
            // n = 7, score = 100
            //   884e01               | mov                 byte ptr [esi + 1], cl
            //   8a5002               | mov                 dl, byte ptr [eax + 2]
            //   c0ea02               | shr                 dl, 2
            //   80e20f               | and                 dl, 0xf
            //   0ad1                 | or                  dl, cl
            //   885601               | mov                 byte ptr [esi + 1], dl
            //   8a4802               | mov                 cl, byte ptr [eax + 2]

    condition:
        // At least 7 of the 10 sequences must be present AND the scanned object
        // must be smaller than 262144 bytes (256 KiB); larger objects never
        // match regardless of sequence hits, so raise the bound deliberately if
        // the rule is applied to whole process-memory regions rather than files.
        7 of them and filesize < 262144
}