Fix duplicate identifiers in the rules

38e0f419 · Adam Polkosnik · aeb19024 · 38e0f419 · 38e0f419 · 38e0f419
Commit 38e0f419 authored Feb 10, 2016 by Adam Polkosnik
Showing with 3 additions and 3 deletions

APT_bluetermite_emdivi.yar malware/APT_bluetermite_emdivi.yar +1 -1

APT_indetectables_RAT.yar malware/APT_indetectables_RAT.yar +1 -1

Miscelanea.yar malware/Miscelanea.yar +1 -1

No files found.
--- a/malware/APT_bluetermite_emdivi.yar
+++ b/malware/APT_bluetermite_emdivi.yar
@@ -40,7 +40,7 @@ rule Emdivi_Gen1 {
 	strings:
 		$x1 = "wmic nteventlog where filename=\"SecEvent\" call cleareventlog" fullword wide
 		$s0 = "del %Temp%\\*.exe %Temp%\\*.dll %Temp%\\*.bat %Temp%\\*.ps1 %Temp%\\*.cmd /f /q" fullword wide
-		$s3 = "userControl-v80.exe" fullword ascii
+		$x3 = "userControl-v80.exe" fullword ascii
 		$s1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727.42)" fullword wide
 		$s2 = "http://www.msftncsi.com" fullword wide

--- a/malware/APT_indetectables_RAT.yar
+++ b/malware/APT_indetectables_RAT.yar
@@ -29,7 +29,7 @@ rule Indetectables_RAT {
 		$s7 = "[[__M3_F_U_D_M3__]]$" fullword ascii
 		$s8 = "M3_F_U_D_M3" ascii
 		$s9 = "M3n3gatt1hack3r" fullword wide
-		$s9 = "M3n3gatt1hack3r" fullword ascii
+		$s9a = "M3n3gatt1hack3r" fullword ascii
 	condition:
 		uint16(0) == 0x5a4d and filesize < 5000KB and 1 of them
 }

--- a/malware/Miscelanea.yar
+++ b/malware/Miscelanea.yar
@@ -118,7 +118,7 @@ rule ScanBox_Malware_Generic {
 		/* Certificate and Keywords */
 		$x1 = "Management Support Team1" fullword ascii
 		$x2 = "DTOPTOOLZ Co.,Ltd.0" fullword ascii
-		$s3 = "SEOUL1" fullword ascii
+		$x3 = "SEOUL1" fullword ascii
 	condition:
 		( 1 of ($s*) and 2 of ($x*) ) or 
 		( 3 of ($x*) )