DefenderYara/Backdoor/Win32/Wudfok/Backdoor_Win32_Wudfok_A.yar


rule Backdoor_Win32_Wudfok_A{
	meta:
		description = "Backdoor:Win32/Wudfok.A,SIGNATURE_TYPE_PEHSTR_EXT,08 00 08 00 03 00 00 03 00 "
		
	strings :
		$a_01_0 = {57 69 6e 58 53 20 32 2e 30 20 64 65 6d 6f 6e } //03 00  WinXS 2.0 demon
		$a_01_1 = {5c 57 75 64 66 53 76 63 2e 65 78 65 } //02 00  \WudfSvc.exe
		$a_01_2 = {25 73 20 25 73 20 48 54 54 50 2f 25 64 2e 25 64 } //00 00  %s %s HTTP/%d.%d
	condition:
		any of ($a_*)
 
}
init 2024-02-05 06:12:47 -08:00
			`rule Backdoor_Win32_Wudfok_A{`
			`meta:`
			`description = "Backdoor:Win32/Wudfok.A,SIGNATURE_TYPE_PEHSTR_EXT,08 00 08 00 03 00 00 03 00 "`

			`strings :`
feat: hex text add comment 2024-02-07 06:09:14 -08:00			`$a_01_0 = {57 69 6e 58 53 20 32 2e 30 20 64 65 6d 6f 6e } //03 00 WinXS 2.0 demon`
			`$a_01_1 = {5c 57 75 64 66 53 76 63 2e 65 78 65 } //02 00 \WudfSvc.exe`
			`$a_01_2 = {25 73 20 25 73 20 48 54 54 50 2f 25 64 2e 25 64 } //00 00 %s %s HTTP/%d.%d`
init 2024-02-05 06:12:47 -08:00			`condition:`
			`any of ($a_*)`

			`}`