signature-base/yara/gen_thumbs_cloaking.yar

rule Exe_Cloaked_as_ThumbsDb
    {
    meta:
        description = "Detects an executable cloaked as thumbs.db - Malware"
        date = "2014-07-18"
        author = "Florian Roth"
        score = 50
    condition:
        uint16(0) == 0x5a4d and filename matches /[Tt]humbs\.db/
}
First Signature Set 2016-02-15 09:22:28 +00:00			`rule Exe_Cloaked_as_ThumbsDb`
			`{`
			`meta:`
			`description = "Detects an executable cloaked as thumbs.db - Malware"`
			`date = "2014-07-18"`
			`author = "Florian Roth"`
			`score = 50`
			`condition:`
			`uint16(0) == 0x5a4d and filename matches /[Tt]humbs\.db/`
			`}`