GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA

Posted: Tue Apr 24, 2018 3:00 am
A malware group called Orangeworm has been targeting the health care sector, including hospitals, for several years with a nasty Trojan called Kwampirs. The Trojan is an information scavenger and has infected computers and vulnerable equipment, such as MRI machines, that are connected to the health care network. The USA has the most infections, but there are also infections in several other countries.

In case we have any ClamWin users in the health care sector, below is a Yara signature from Symantec for the Trojan. Copy the entire signature into a Notepad/text file, name it Kwampirs.yar (do not use a .txt extension), and save it in the C:\ProgramData\.clamwin\db folder with the other ClamWin signatures. Make sure that this file does not have a .txt extension in the db folder. ClamWin has been able to process Yara signature files for the last few versions, and they are a good way to detect malware families. If you also use Clam Sentinel, do not use this Yara signature, because Clam Sentinel was not set up for Yara signatures and will choke on them.
Regards,
rule Kwampirs
{
    meta:
        copyright = "Symantec"
        family = "Kwampirs"
        description = "Kwampirs dropper and main payload components"

    strings:
        // Windows CryptoAPI PUBLICKEYBLOB: 2048-bit RSA key ("RSA1" magic, e = 65537) followed by its modulus
        $pubkey =
        {
            06 02 00 00 00 A4 00 00 52 53 41 31 00 08 00 00
            01 00 01 00 CD 74 15 BC 47 7E 0A 5E E4 35 22 A5
            97 0C 65 BE E0 33 22 F2 94 9D F5 40 97 3C 53 F9
            E4 7E DD 67 CF 5F 0A 5E F4 AD C9 CF 27 D3 E6 31
            48 B8 00 32 1D BE 87 10 89 DA 8B 2F 21 B4 5D 0A
            CD 43 D7 B4 75 C9 19 FE CC 88 4A 7B E9 1D 8C 11
            56 A6 A7 21 D8 C6 82 94 C1 66 11 08 E6 99 2C 33
            02 E2 3A 50 EA 58 D2 A7 36 EE 5A D6 8F 5D 5D D2
            9E 04 24 4A CE 4C B6 91 C0 7A C9 5C E7 5F 51 28
            4C 72 E1 60 AB 76 73 30 66 18 BE EC F3 99 5E 4B
            4F 59 F5 56 AD 65 75 2B 8F 14 0C 0D 27 97 12 71
            6B 49 08 84 61 1D 03 BA A5 42 92 F9 13 33 57 D9
            59 B3 E4 05 F9 12 23 08 B3 50 9A DA 6E 79 02 36
            EE CE 6D F3 7F 8B C9 BE 6A 7E BE 8F 85 B8 AA 82
            C6 1E 14 C6 1A 28 29 59 C2 22 71 44 52 05 E5 E6
            FE 58 80 6E D4 95 2D 57 CB 99 34 61 E9 E9 B3 3D
            90 DC 6C 26 5D 70 B4 78 F9 5E C9 7D 59 10 61 DF
            F7 E4 0C B3
        }

        $network_xor_key =
        {
            B7 E9 F9 2D F8 3E 18 57 B9 18 2B 1F 5F D9 A5 38
            C8 E7 67 E9 C6 62 9C 50 4E 8D 00 A6 59 F8 72 E0
            91 42 FF 18 A6 D1 81 F2 2B C8 29 EB B9 87 6F 58
            C2 C9 8E 75 3F 71 ED 07 D0 AC CE 28 A1 E7 B5 68
            CD CF F1 D8 2B 26 5C 31 1E BC 52 7C 23 6C 3E 6B
            8A 24 61 0A 17 6C E2 BB 1D 11 3B 79 E0 29 75 02
            D9 25 31 5F 95 E7 28 28 26 2B 31 EC 4D B3 49 D9
            62 F0 3E D4 89 E4 CC F8 02 41 CC 25 15 6E 63 1B
            10 3B 60 32 1C 0D 5B FA 52 DA 39 DF D1 42 1E 3E
            BD BC 17 A5 96 D9 43 73 3C 09 7F D2 C6 D4 29 83
            3E 44 44 6C 97 85 9E 7B F0 EE 32 C3 11 41 A3 6B
            A9 27 F4 A3 FB 2B 27 2B B6 A6 AF 6B 39 63 2D 91
            75 AE 83 2E 1E F8 5F B5 65 ED B3 40 EA 2A 36 2C
            A6 CF 8E 4A 4A 3E 10 6C 9D 28 49 66 35 83 30 E7
            45 0E 05 ED 69 8D CF C5 40 50 B1 AA 13 74 33 0F
            DF 41 82 3B 1A 79 DC 3B 9D C3 BD EA B1 3E 04 33
        }

        $decrypt_string =
        {
            85 DB 75 09 85 F6 74 05 89 1E B0 01 C3 85 FF 74
            4F F6 C3 01 75 4A 85 F6 74 46 8B C3 D1 E8 33 C9
            40 BA 02 00 00 00 F7 E2 0F 90 C1 F7 D9 0B C8 51
            E8 12 28 00 00 89 06 8B C8 83 C4 04 33 C0 85 DB
            74 16 8B D0 83 E2 0F 8A 92 1C 33 02 10 32 14 38
            40 88 11 41 3B C3 72 EA 66 C7 01 00 00 B0 01 C3
            32 C0 C3
        }

        $init_strings =
        {
            55 8B EC 83 EC 10 33 C9 B8 0D 00 00 00 BA 02 00
            00 00 F7 E2 0F 90 C1 53 56 57 F7 D9 0B C8 51 E8
            B3 27 00 00 BF 05 00 00 00 8D 77 FE BB 4A 35 02
            10 2B DE 89 5D F4 BA 48 35 02 10 4A BB 4C 35 02
            10 83 C4 04 2B DF A3 C8 FC 03 10 C7 45 FC 00 00
            00 00 8D 4F FC 89 55 F8 89 5D F0 EB 06
        }

    condition:
        2 of them
}