DefenderYara/Exploit/Win32/WebDav/Exploit_Win32_WebDav_A.yar


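/*
    Flags a file that carries the console messages of a WebDAV denial-of-service
    tool aimed at IIS 5.0. Every pattern below is plain ASCII written as hex;
    the trailing comment on each line gives its weight and the decoded text.

    Scoring, as in the original condition: $a_01_0..$a_01_3 (tool-specific
    messages) are worth 10 points each, $a_01_4..$a_01_6 (probe output and the
    request template) are worth 1 point each, and the rule fires at 21 or more.

    Caveat: the rule does not check the file type, although the description
    names a PE string signature. Any file quoting these messages can match,
    including a plain-text copy of this rule, whose comments hold the same text.
*/
rule Exploit_Win32_WebDav_A{
    meta:
        description = "Exploit:Win32/WebDav.A,SIGNATURE_TYPE_PEHSTR,16 00 15 00 07 00 00 "
    strings:
        // Tool banner and outcome messages: 10 points each.
        $a_01_0 = {57 65 62 64 61 76 20 4d 49 43 52 4f 24 4f 46 54 20 49 49 53 20 44 6f 53 73 65 72 20 2a } // weight 10: Webdav MICRO$OFT IIS DoSser *
        $a_01_1 = {53 65 72 76 65 72 20 69 73 20 70 72 6f 6c 6c 79 20 70 61 74 63 68 65 64 2e } // weight 10: Server is prolly patched.
        $a_01_2 = {53 65 72 76 65 72 20 69 73 20 44 6f 53 73 65 64 21 20 4e 6f 77 20 72 75 6e 20 21 21 20 46 2d 42 2d 65 79 65 65 20 69 73 20 61 66 74 65 72 20 6a 30 30 2e 2e 2e } // weight 10: Server is DoSsed! Now run !! F-B-eyee is after j00...
        $a_01_3 = {44 6f 53 73 69 6e 67 20 74 68 65 20 73 65 72 76 65 72 2e 2e 2e 3c 70 72 61 79 3e } // weight 10: DoSsing the server...<pray>
        // Version-probe output and the WebDAV SEARCH request line: 1 point each.
        $a_01_4 = {2d 2d 2d 2d 3e 20 41 77 77 20 72 69 74 65 21 20 49 49 53 20 35 2e 30 20 66 6f 75 6e 64 20 6f 6e 20 25 73 20 21 } // weight 1: ----> Aww rite! IIS 5.0 found on %s !
        $a_01_5 = {2d 2d 2d 2d 3e 20 25 73 20 69 73 20 6e 6f 74 20 72 75 6e 6e 69 6e 67 20 49 49 53 20 35 2e 30 21 20 61 64 69 6f 73 20 21 } // weight 1: ----> %s is not running IIS 5.0! adios !
        $a_01_6 = {53 45 41 52 43 48 20 2f 25 73 20 48 54 54 50 2f 31 2e 31 } // weight 1: SEARCH /%s HTTP/1.1
    condition:
        // The original summed (#x & 1) * weight. "#x & 1" is the low bit of the
        // match count, so a string present an even number of times scored zero
        // and a file repeating the messages could slip under the threshold.
        // The form below tests presence instead. With weights 10/10/10/10/1/1/1
        // a score of 21 or more is reached only by three 10-point strings, or by
        // two 10-point strings plus at least one 1-point string.
        3 of ($a_01_0, $a_01_1, $a_01_2, $a_01_3) or
        (2 of ($a_01_0, $a_01_1, $a_01_2, $a_01_3) and any of ($a_01_4, $a_01_5, $a_01_6))
}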