

// Machine-converted Microsoft Defender signature. The `meta.description` below carries the
// original detection name and the raw signature-type header verbatim; the two hex strings are
// the pattern bytes as extracted and have not been re-verified against the converter here.
rule VirTool_WinNT_Rootkitdrv_GC{
meta:
// Detection name, then the Defender signature type (PEHSTR_EXT) and its header bytes, copied as-is.
description = "VirTool:WinNT/Rootkitdrv.GC,SIGNATURE_TYPE_PEHSTR_EXT,02 00 02 00 02 00 00 01 00 "
strings :
// NOTE(review): the byte runs `90 01 02`, `90 01 04` and the trailing `90 00` in both strings
// look like Defender pattern-control markers (skip-N-bytes wildcard, end-of-pattern) that were
// copied into the YARA hex string as literal bytes instead of `[2]` / `[4]` jumps. Read as
// wildcards the surrounding bytes decode cleanly as x86 (`a1 ?? ?? 01 00` -> mov eax,[0001xxxxh];
// `ff 15 ?? ?? 01 00` -> call [0001xxxxh]; `0f 85 ?? ?? ?? ??` -> jne rel32), which supports that
// reading. If so, the literal form will not match the intended code and the rule is effectively
// inert -- confirm against the converter output before relying on it for detection.
// The trailing `//01 00` / `//00 00` comments are per-string fields carried over from the original
// signature; their meaning is not established by this file.
$a_03_0 = {59 f3 ab a1 90 01 02 01 00 83 f8 20 bf 90 01 02 01 00 76 0d 83 f8 78 77 08 90 00 } //01 00
$a_03_1 = {81 f9 67 e0 22 00 0f 85 90 01 04 83 65 fc 00 6a 04 6a 04 53 ff 15 90 01 02 01 00 83 4d fc ff 8b 1b a1 90 01 02 01 00 39 58 08 90 00 } //00 00
condition:
// Either pattern alone fires the rule; there is no PE-header or file-size gate in this rule.
any of ($a_*)
}