Corrected Yara rule for the Wiper malware

Ars Technica recently published an article about the “wiper” malware. That article reproduces a Yara rule provided by the FBI; as printed, however, the rule does not compile because of a syntax error. The following rule corrects the syntax error and can be used with Yara 3.2.0.
Happy hunting!

rule unknown_wiper_error_strings
{
    meta:
        description = "unique custom error debug strings discovered in the wiper malware"

    strings:
        // The three literal strings are missing from this copy of the rule. Yara
        // rejects empty strings, so supply the values from the FBI flash before use.
        $IP1 = "" fullword nocase
        $IP2 = "" fullword nocase
        $IP3 = "" fullword nocase
        $MZ = "MZ"

    condition:
        $MZ at 0 and all of them
}
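As an added example, not part of the original post or of the FBI rule, the Python below re-implements what the rule's modifiers and condition actually mean (`fullword`, `nocase`, `$MZ at 0`, `all of them`) so the logic can be exercised on constructed buffers without yara-python. The three `$IP*` literals are placeholders, an assumption of this example only; the real values must come from the FBI flash.

```python
"""Plain-Python stand-in for the matching semantics of the wiper Yara rule.

Added example, not the original post's code.  The $IP* literals below are
placeholders (assumption); replace them with the values from the FBI flash.
"""
import re
from typing import Dict, Optional

# Placeholder values for $IP1..$IP3 (assumption for this example only).
STRINGS = {
    "$IP1": "Placeholder Error String One",
    "$IP2": "Placeholder Error String Two",
    "$IP3": "Placeholder Error String Three",
}

ALNUM = rb"[A-Za-z0-9]"


def fullword_nocase(literal: str) -> "re.Pattern[bytes]":
    """Compile a Yara `fullword nocase` string.

    nocase   -> case-insensitive match on ASCII letters.
    fullword -> the match may not be immediately preceded or followed by an
                alphanumeric byte, so the literal glued into a longer
                identifier does not count.
    """
    escaped = re.escape(literal.encode("ascii"))
    return re.compile(rb"(?<!" + ALNUM + rb")" + escaped + rb"(?!" + ALNUM + rb")",
                      re.IGNORECASE)


def string_offsets(data: bytes) -> Dict[str, Optional[int]]:
    """Offset of the first match of every declared string, or None if absent.

    $MZ has no modifiers, so it is a plain case-sensitive search.
    """
    found: Dict[str, Optional[int]] = {}
    for name, literal in STRINGS.items():
        m = fullword_nocase(literal).search(data)
        found[name] = m.start() if m else None
    mz = data.find(b"MZ")
    found["$MZ"] = mz if mz >= 0 else None
    return found


def matches_rule(data: bytes) -> bool:
    """Evaluate `condition: $MZ at 0 and all of them`.

    `$MZ at 0` requires "MZ" exactly at offset 0 (a DOS/PE header);
    `all of them` requires every declared string, $MZ included, to match
    somewhere in the file.
    """
    mz_at_zero = data[:2] == b"MZ"
    return mz_at_zero and all(off is not None for off in string_offsets(data).values())


# Constructed samples (not real binaries): a fake 64-byte DOS stub followed by
# the placeholder strings, NUL-separated as they would sit in a .rdata section.
# The strings are upper-cased to show that `nocase` still matches them.
_STUB = b"MZ" + b"\x90" * 62
_BODY = b"\x00".join(s.upper().encode() for s in STRINGS.values()) + b"\x00"

SAMPLE_HIT = _STUB + _BODY                       # MZ at 0, all strings present -> match
SAMPLE_NOT_PE = b"\x7fELF" + _STUB + _BODY       # "MZ" present, but at offset 4, not 0
SAMPLE_MISSING = _STUB + _BODY.replace(STRINGS["$IP3"].upper().encode(), b"")  # $IP3 absent
SAMPLE_GLUED = _STUB + b"abc" + _BODY            # $IP1 preceded by 'c': fullword rejects it


if __name__ == "__main__":
    for name, sample in (("hit", SAMPLE_HIT), ("not_pe", SAMPLE_NOT_PE),
                         ("missing", SAMPLE_MISSING), ("glued", SAMPLE_GLUED)):
        print(name, matches_rule(sample), string_offsets(sample))
```

Once the real literals are in the rule, the equivalent check with the real tool is `yara -s rule.yar sample`, where `-s` prints the offset of each matching string, the same information `string_offsets` returns here.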

