Update Havex.yar

ba136ff5 · mmorenog · 819cd8d7 · ba136ff5
Commit ba136ff5 authored Jan 19, 2016 by mmorenog
Hide whitespace changes
Inline Side-by-side

Showing with 0 additions and 14 deletions

Havex.yar malware/Havex.yar +0 -14

No files found.
--- a/malware/Havex.yar
+++ b/malware/Havex.yar
@@ -69,17 +69,3 @@ rule Havex_Trojan_PHP_Server
    condition:
        all of them
 } 
-rule Havex_NetScan_Malware {
-meta:
-        description = "This rule will search for known indicators of a Havex Network Scan module infection. This module looks for hosts listening on known ICS-related ports to identify OPC or ICS systems and the file created when the scanning data is written."
-        author = "M4r14ch1"
-        date = "2015/12/21"
-        strings:
-                $s0 = "~tracedscn.yls" wide nocase //yls file created in temp directory
-                $s1 = { 2B E2 ?? }      //Measuresoft ScadaPro
-                $s2 = { 30 71 ?? }      //7-Technologies IGSS SCADA
-                $s3 = { 0A F1 2? }      //Rslinx
-        condition:
-                $s0 and ($s1 or $s2 or $s3)
-}