ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
Yara Signature For HermeticWiper Variants

Joined: 09 Jul 2006
Posts: 4935
Location: USA
Reply with quote
Below is a Yara signature for ClamWin that can detect variants of the Russian Hermetic Wiper malware designed to wipe hard drives on Ukranian computers. Yara signatures are similar to C code, and they are used by lots of malware researchers. Clam AV was modified several years ago to process Yara signatures. To use a Yara signature in ClamWin, copy and paste the Yara code (make sure you get all of it), and save it in a Notepad file in the ClamWin database folder with the malware name and a .yar extension. Save it with an ALL Files designation, and make sure there is no .text after the .yar extension. Clam AV/ClamWin will give an error if the file is named with an extension other than .yar.

Name the signature file below HermeticWiper.yar. After you save the signature file, run a ClamWin scan on an individual file to make sure there are no errors. You can put all Yara signatures in one file--name it YaraSigs.yar in that case and put a blank line between signatures. Yara sigs start and end with a bracket, but they usually have identification information before the first bracket. If you get a scan error in one file, delete the file from the ClamWin database folder. If you get an error for the Yara signature you just created in a YaraSigs.yar file, delete the Yara signature you just made, make sure the deleted lines are gone from the file, and save the file again.

Thanks to IBM X-Force


import "pe"
rule XFTI_HermeticWiper : HermeticWiper
author = "IBM X-Force Threat Intelligence Malware Team"
description = "Detects the wiper targeting Ukraine."
threat_type = "Malware"
rule_category = "Malware Family"
usage = "Hunting and Identification"
ticket = "IRIS-12790"
hash = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
yara_version = "4.0.2"
date_created = "24 Feb 22"
date_updated = ""
reference = ""
xfti_reference = ""
$s1 = "\\\\.\\EPMNTDRV\\%u" wide fullword
$s2 = "C:\\Windows\\SYSVOL" wide fullword
$s3 = "DRV_X64" wide fullword
$s4 = "DRV_X86" wide fullword
$s5 = "DRV_XP_X64" wide fullword
$s6 = "DRV_XP_X86" wide fullword
uint16(0) == 0x5A4D and 4 of them and
pe.imports("lz32.dll", "LZOpenFileW") and
pe.imports("kernel32.dll", "FindResourceW") and
pe.imports("advapi32.dll", "CryptAcquireContextW")
View user's profileSend private message
Yara Signature For HermeticWiper Variants
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

 Reply to topic