[Community-sigs] new sigs for Zbot

andreisaygo at live.ie andreisaygo at live.ie
Wed Jan 7 07:14:31 EST 2015


Signatures:
//for 12ff17f046b35562a889404462197d08
Win.PWS.Zbot;Target:1;(0|1|2)>2,2;43003A005C004600410032005C00310032004E005C004C00500050002E00760062007000000000000000;C745A401000000C7459C02000000FFD38D558C528D855CFFFFFF508D8D7CFFFFFF51C78564FFFFFF??000000C7855CFFFFFF02000000FFD750FFD6;6A006A046A016A008D8DD4FEFFFF516A1068800800008985D8FDFFFFFF15????40008B55A08B85D4FEFFFF8995BCFEFFFFC785B4FEFFFF03400000


//for 3a8e85858408b05a8f6a9ccbf12c46b6
Win.LNK.Zbot-1:0:0:4c0000000114020000000000c000000000000046{32}00??(05|06)00??00000001000000*2500630075007200720065006e0074006400690072002500??002f0043002000??205c00660069006c0065002e006e0066006f00??002500530079007300740065006d0052006f006f00740025005c00

Win.LNK.Zbot-2:0:0:4c0000000114020000000000c000000000000046{32}00??(05|06)00??00000001000000*2577696e646972255c73797374656d33325c636d642e65786500660069006c0065002e006e0066006f


Hashes:
MD5: 12ff17f046b35562a889404462197d08
SHA1: 6369cc1bb19f969f5c7b7f5d6cca3a6370be963b
SHA256: dfb1994ee66044cb3e373f64129925bff0913db1d875cf1fad631a32cdd466c0

MD5: 3a8e85858408b05a8f6a9ccbf12c46b6
SHA1: 7b51e4d95a4436c55e4ad761960d7225a28e4d45
SHA256: ae2f1bdd95c63cfab88b8048270fafe8ddae678a8a80981c5715eb304d874dab


For Win.LNK.Zbot, both signatures start with the following fields:
HeaderSize + LinkCLSID + Skip32 + FileSize + IconIndex + ShowCommand

And any of the following strings:
%currentdir% /C \file.nfo ! %SystemRoot%\
%windir%\system32\cmd.exe file.nfo

Regards,
Andrei Saygo
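
Added example, not part of the original post: a Python sketch that translates the subset of ClamAV hex-signature syntax used by Win.LNK.Zbot-2 into a bytes regex and names the Shell Link header fields it constrains. The function names are hypothetical, the field offsets assume the standard 76-byte ShellLinkHeader layout, and the test input is a constructed header, not a real sample.

```python
import re
import struct

# Win.LNK.Zbot-2 body, copied from the signature in the post (header + "*" + strings).
ZBOT2 = ("4c0000000114020000000000c000000000000046{32}00??(05|06)00??00000001000000"
         "*2577696e646972255c73797374656d33325c636d642e65786500660069006c0065002e006e0066006f")

TOKEN = re.compile(r"\{(\d+)\}|\(([0-9a-f|]+)\)|(\?\?)|(\*)|([0-9a-f]{2})")

def sig_to_regex(sig):
    """Translate the ClamAV hex-signature subset used above into a bytes regex:
    hex bytes, ?? (any byte), {n} (skip n bytes), * (any gap), (aa|bb)."""
    parts, pos = [], 0
    while pos < len(sig):
        m = TOKEN.match(sig, pos)
        if m is None:
            raise ValueError(f"unsupported token at offset {pos}")
        skip, alts, any_byte, star, hex_byte = m.groups()
        if skip:
            parts.append(b".{%d}" % int(skip))
        elif alts:
            choices = [re.escape(bytes.fromhex(a)) for a in alts.split("|")]
            parts.append(b"(?:" + b"|".join(choices) + b")")
        elif any_byte:
            parts.append(b".")
        elif star:
            parts.append(b".*?")
        else:
            parts.append(re.escape(bytes.fromhex(hex_byte)))
        pos = m.end()
    return re.compile(b"".join(parts), re.DOTALL)

def header_fields(data):
    """Name the fixed-offset ShellLinkHeader fields the signature constrains."""
    size, = struct.unpack_from("<I", data, 0)
    file_size, icon_index, show_cmd = struct.unpack_from("<IiI", data, 52)
    return {"HeaderSize": size, "LinkCLSID": data[4:20].hex(),
            "FileSize": file_size, "IconIndex": icon_index, "ShowCommand": show_cmd}

def constructed_lnk(file_size, strings=True):
    """Build a constructed 76-byte header plus filler; not a real sample."""
    hdr = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
    hdr += bytes(32) + struct.pack("<IiI", file_size, 0, 1) + bytes(12)
    tail = b"%windir%\\system32\\cmd.exe\x00" + "file.nfo".encode("utf-16-le")
    return hdr + bytes(8) + (tail if strings else b"")

def matches(data):
    # The ndb offset field is 0, so the pattern must start at file offset 0.
    return sig_to_regex(ZBOT2).match(data) is not None
```

The header part only accepts FileSize values of the form 0x0005??00 or 0x0006??00 with ShowCommand 1, so a link that carries the same strings but a different FileSize does not match.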
 		 	   		  

