[Community-sigs] new sig for Win.Backdoor.Bladabindi

Douglas Goddard dgoddard at sourcefire.com
Tue Dec 2 16:31:12 EST 2014


Passed FP testing. Will be published shortly.

On Tue, Dec 2, 2014 at 10:19 AM, Douglas Goddard <dgoddard at sourcefire.com>
wrote:

> Added for FP testing. Will follow up when published.
>
> On Tue, Dec 2, 2014 at 9:54 AM, <andreisaygo at live.ie> wrote:
>
>> Sig:
>>
>> Win.Backdoor.Bladabindi;Target:1;(0|1)&2&3&4&5&6;2e006e006f002d00690070002e00620069007a00;7c0027007c0027007c00;53006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c00520075006e00;6e00650074007300680020006600690072006500770061006c006c002000640065006c00650074006500200061006c006c006f00770065006400700072006f006700720061006d0020002200????2200????2e00650078006500;63006d0064002e0065007800650020002f0063002000700069006e0067002000300020002d006e002000??00200026002000640065006c0020002200;4765744173796e634b65795374617465;6361704765744472697665724465736372697074696f6e41
>> (0).no-ip.biz
>> (1)|'|'|
>> (2)Software\Microsoft\Windows\CurrentVersion\Run
>> (3)netsh firewall delete allowedprogram " ".exe"
>> (4)cmd.exe /c ping 0 -n 2 & del "
>> (5)GetAsyncKeyState
>> (6)capGetDriverDescriptionA
>> MD5: 68e596ae5235fc5ebbf9e3f3ecad55a7
>> SHA1: af66e432f57e6c771cabdf966c4a091b4e0311bd
>> SHA256: 9db5ae45879422b1ebbfd1d3b661bd1e7a891ce4687ae7087b611b3658150390
>>
>> MD5: 295e61958b62097811c29b347c7fd215
>> SHA1: 2e149c0acc0b9ca300d5b42039a10733c02ffb0b
>> SHA256: e23c79c16f5e80d27f6edafd5df314e54ceee24dc21605df5679e52aec25fb7d
>>
>> Regards,
>> Andrei Saygo
>> _______________________________________________
>> Community-sigs mailing list
>> Community-sigs at lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>>
>> http://www.clamav.net/contact.html#ml
>>
>
>
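For readers who have not worked with ClamAV logical signatures before, the following is an added example (mine, not part of the thread and not ClamAV's own code) that takes the `.ldb` line posted above apart: it splits the fields (`Name;TargetBlock;LogicalExpression;Sub0;Sub1;...`), renders each hex subsignature as text, which recovers the (0)-(6) strings in the post and shows why the hex has interleaved `00` bytes (the strings are UTF-16LE, as .NET string literals are), compiles the `??` one-byte wildcards, and evaluates `(0|1)&2&3&4&5&6` against constructed byte buffers. Assumptions: only the subset of ClamAV syntax this signature uses is handled (plain hex, `??`, `&`, `|`, parentheses); the evaluator gives `&` precedence over `|`, which is this example's choice and does not affect this signature because of its parentheses; the sample buffers are fabricated strings, not real Bladabindi samples.

```python
import re

# The signature exactly as posted to the list; Target:1 restricts it to PE files.
LDB_LINE = (
    "Win.Backdoor.Bladabindi;Target:1;(0|1)&2&3&4&5&6;"
    "2e006e006f002d00690070002e00620069007a00;"
    "7c0027007c0027007c00;"
    "53006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c00520075006e00;"
    "6e00650074007300680020006600690072006500770061006c006c002000640065006c00650074006500200061006c006c006f00770065006400700072006f006700720061006d0020002200????2200????2e00650078006500;"
    "63006d0064002e0065007800650020002f0063002000700069006e0067002000300020002d006e002000??00200026002000640065006c0020002200;"
    "4765744173796e634b65795374617465;"
    "6361704765744472697665724465736372697074696f6e41"
)

def parse_ldb(line):
    """Split 'Name;TargetBlock;LogicalExpr;Sub0;Sub1;...' into its fields."""
    name, target, expr, *subsigs = line.strip().split(";")
    return name, target, expr, subsigs

def hex_pairs(subsig):
    """Tokenise a subsig into 'xx' hex bytes and '??' one-byte wildcards; other
    ClamAV wildcards (*, {n-m}, (aa|bb), offsets) are rejected, not guessed at."""
    pairs = re.findall(r"\?\?|[0-9a-fA-F]{2}", subsig)
    if "".join(pairs) != subsig:
        raise ValueError("unsupported token in subsignature %r" % subsig)
    return pairs

def subsig_to_regex(subsig):
    """Compile a subsig to a bytes regex; ?? becomes 'any single byte'."""
    parts = [b"." if p == "??" else re.escape(bytes([int(p, 16)]))
             for p in hex_pairs(subsig)]
    return re.compile(b"".join(parts), re.DOTALL)

def subsig_to_text(subsig):
    """Render a subsig readably. When every odd byte is 00 (or ??) the bytes are
    UTF-16LE, as .NET string literals are, so only the low bytes are shown."""
    pairs = hex_pairs(subsig)
    wide = len(pairs) % 2 == 0 and all(p in ("00", "??") for p in pairs[1::2])
    return "".join("?" if p == "??" else chr(int(p, 16))
                   for p in pairs[::2 if wide else 1])

def eval_expr(expr, hits):
    """Evaluate an expression of subsig indices, '&', '|' and parentheses over
    per-subsig booleans. '&' binds tighter than '|' (this example's choice)."""
    s, pos = expr.replace(" ", ""), 0

    def atom():
        nonlocal pos
        if s[pos:pos + 1] == "(":
            pos += 1
            v = disj()
            if s[pos:pos + 1] != ")":
                raise ValueError("unbalanced parenthesis in %r" % s)
            pos += 1
            return v
        m = re.match(r"\d+", s[pos:])
        if not m or int(m.group()) >= len(hits):
            raise ValueError("bad subsig reference at offset %d in %r" % (pos, s))
        pos += m.end()
        return hits[int(m.group())]

    def chain(op, operand, combine):
        nonlocal pos
        v = operand()
        while s[pos:pos + 1] == op:
            pos += 1
            v = combine(v, operand())  # rhs always parsed, never short-circuited
        return v

    def conj():
        return chain("&", atom, lambda a, b: a and b)

    def disj():
        return chain("|", conj, lambda a, b: a or b)

    v = disj()
    if pos != len(s):
        raise ValueError("trailing input in %r" % expr)
    return v

def scan(line, data):
    """Return (matched, per-subsig hits) for one buffer."""
    _name, _target, expr, subsigs = parse_ldb(line)
    hits = [subsig_to_regex(s).search(data) is not None for s in subsigs]
    return eval_expr(expr, hits), hits

def _w(s):
    return s.encode("utf-16-le")

# Constructed samples, not real binaries: the strings the signature looks for,
# in the encodings it expects, with a little filler around them.
_COMMON = (_w("Software\\Microsoft\\Windows\\CurrentVersion\\Run") + b"\x00\x00"
           + _w('netsh firewall delete allowedprogram "a"b.exe') + b"\x00\x00"
           + _w('cmd.exe /c ping 0 -n 2 & del "') + b"\x00\x00GetAsyncKeyState\x00")
SAMPLE_FULL = b"MZ" + _w("victim.no-ip.biz") + _w("|'|'|") + _COMMON + b"capGetDriverDescriptionA\x00"
SAMPLE_NO_NOIP = b"MZ" + _w("|'|'|") + _COMMON + b"capGetDriverDescriptionA\x00"  # (0|1) true via 1
SAMPLE_NO_WEBCAM = b"MZ" + _w("victim.no-ip.biz") + _w("|'|'|") + _COMMON  # subsig 6 absent
```

`scan(LDB_LINE, SAMPLE_FULL)` returns `(True, [True]*7)`; dropping the `.no-ip.biz` string still matches because the `|'|'|` delimiter satisfies the `(0|1)` branch, while dropping `capGetDriverDescriptionA` fails the whole expression, which is the point of AND-ing the persistence, firewall, keylogger and webcam strings together rather than firing on any one of them. To run the real thing, save the posted line to a file with a `.ldb` extension and point `clamscan -d that.ldb` at a sample; the list's FP pass is the same scan run over a clean file corpus.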