DefenderYara/VirTool/WinNT/Haxdoor/VirTool_WinNT_Haxdoor.yar


rule VirTool_WinNT_Haxdoor
{
    // Converted from the Defender PEHSTR_EXT entry named in the description.
    // NOTE(review): the trailing header bytes in the description and the
    // "// NN 00" trailers after each string look like a match threshold and
    // per-string weights carried over from the original signature; the
    // "any of" condition below does not apply them, so one low-weight
    // device-name string alone is enough to fire. Confirm the intended
    // scoring against the converter before treating a hit as high confidence.
    meta:
        description = "VirTool:WinNT/Haxdoor,SIGNATURE_TYPE_PEHSTR_EXT,16 00 0b 00 09 00 00 0a 00 "

    strings:
        // 32-bit code fragments.
        // NOTE(review): the "90 01 NN", "90 02 NN", "90 03 ..." and "90 00"
        // sequences inside $a_03_0 and $a_03_1 look like unconverted Defender
        // wildcard markers (fixed skip, variable skip, alternatives, end of
        // string) rather than sample bytes; if so, these two strings cannot
        // match as literal hex and need translating to YARA "??" / "[0-N]" /
        // "( .. | .. )" forms. Kept byte-identical pending that check.
        $a_03_0 = { 45 0c c7 40 18 00 00 00 00 90 02 01 83 60 1c 00 90 02 01 6a 00 ff 75 0c e8 90 01 01 03 00 00 83 c4 08 90 02 01 b8 00 00 00 00 c9 c2 08 00 90 00 } // 0a 00
        $a_03_1 = { e8 4e 03 00 00 59 90 90 3b c8 75 90 03 01 01 22 23 68 c4 09 01 00 68 f4 09 01 00 e8 3f 03 00 00 8b 4d 08 90 02 01 c7 41 38 e1 01 01 00 60 e8 48 00 00 00 90 00 } // 0a 00
        $a_00_2 = { e8 e1 02 00 00 0b c0 75 29 68 34 06 01 00 68 64 06 01 00 e8 d4 02 00 00 0b c0 75 16 8b 75 08 c7 46 38 40 02 01 00 b8 00 00 00 00 5f 5e 5b c9 c2 08 00 } // 01 00

        // Kernel object names. The original hex was UTF-16LE text, which
        // "wide" reproduces byte for byte.
        $a_00_3 = "\\DosDevices\\winm32" wide // 01 00
        $a_00_4 = "\\Device\\winm32" wide     // 01 00
        $a_00_5 = "\\DosDevices\\emul65" wide // 01 00
        $a_00_6 = "\\Device\\emul65" wide     // 01 00
        $a_00_7 = "\\DosDevices\\boot32" wide // 01 00
        $a_00_8 = "\\Device\\boot32" wide     // 00 00

    condition:
        // Every string is $a_*, so this is the same set as "any of ($a_*)".
        any of them
}
rule VirTool_WinNT_Haxdoor_2
{
    // Converted from the Defender PEHSTR entry named in the description
    // (plain strings, no wildcard markers, unlike the sibling rule above).
    // NOTE(review): the trailing header bytes in the description and the
    // "// NN 00" trailers after each string look like a match threshold and
    // per-string weights from the original signature; "any of" below ignores
    // them, so either device-name string on its own fires the rule. Confirm
    // the intended scoring against the converter.
    meta:
        description = "VirTool:WinNT/Haxdoor,SIGNATURE_TYPE_PEHSTR,16 00 0b 00 04 00 00 0a 00 "

    strings:
        // 32-bit code fragments ($a_01_1 begins with a push ebp / mov ebp,esp
        // prologue).
        $a_01_0 = { e8 3b 00 00 00 0b c0 75 32 68 60 04 01 00 68 98 04 01 00 e8 34 00 00 00 0b c0 75 1f 8b 75 08 c7 46 70 2d 03 01 00 c7 46 38 2d 03 01 00 c7 46 34 00 02 01 00 61 33 c0 c9 c2 08 00 } // 0a 00
        $a_01_1 = { 55 8b ec 56 57 53 8b 7d 0c 33 c0 89 47 1c 89 47 18 8b 77 60 80 3e 0e 75 29 8b 46 0c 3d 00 09 00 00 75 11 8b 7f 3c be fc 06 01 00 b9 d0 07 00 00 f3 a4 eb 0e } // 01 00

        // Kernel object names. The original hex was UTF-16LE text, which
        // "wide" reproduces byte for byte.
        $a_01_2 = "\\DosDevices\\a311config" wide // 01 00
        $a_01_3 = "\\Device\\a311config" wide     // 00 00

    condition:
        // Every string is $a_*, so this is the same set as "any of ($a_*)".
        any of them
}