[Community-sigs] new sig for Win.Worm.Njrat/Bladabindi

Douglas Goddard dgoddard at sourcefire.com
Tue Dec 9 11:12:36 EST 2014


Running fp check on:

Win.Worm.Njrat;Engine:51-255,Target:1;(0|1|2|3|4)>3,3;0A06161F2E9D06171F749D06181F6D9D06191F709D06;2e00640064006e0073002e006e0065007400;2f006b002000700069006e00670020003000200026002000640065006c0020002200;6e00650074007300680020006600690072006500770061006c006c002000610064006400200061006c006c006f00770065006400700072006f006700720061006d00;2e006c006e006b0000??57005300630072006900700074002e005300680065006c006c00

Thanks!

On Tue, Dec 9, 2014 at 11:10 AM, <andreisaygo at live.ie> wrote:

> Thanks for finding that. 3,2 would work, but to be safe I suggest 3,3 :)
>
> > Date: Tue, 9 Dec 2014 09:58:48 -0500
> > From: dgoddard at sourcefire.com
> > To: community-sigs at lists.clamav.net
> > Subject: Re: [Community-sigs] new sig for Win.Worm.Njrat/Bladabindi
> >
> > A colleague pointed out that this will alert on a file if it has '.ddns.net'
> > multiple times, and that does not necessarily indicate that it is
> > malicious. Could you revise the logic to rely on the other subsignatures?
> >
> > Perhaps (0|1|2|3)>3,2 would work? Feel free to tune that second number
> > depending on the samples. Here is the doc for that syntax:
> >
> > A>X,Y: If the SUB-EXPRESSION A refers to a single signature then this
> > signature must get matched more than X times; if it refers to a (logical)
> > block of signatures then this block must generate more than X matches and
> > at least Y different signatures must be matched.
> >
> > Thanks!
> >
> > On Mon, Dec 8, 2014 at 10:41 AM, Douglas Goddard <dgoddard at sourcefire.com> wrote:
> >
> > > Added for FP check. Thank you!
> > >
> > > On Mon, Dec 8, 2014 at 7:50 AM, <andreisaygo at live.ie> wrote:
> > >
> > >> Signature:
> > >>
> > >> Win.Worm.Njrat;Target:1;(0|1|2|3|4)>3;0A06161F2E9D06171F749D06181F6D9D06191F709D06;2e00640064006e0073002e006e0065007400;2f006b002000700069006e00670020003000200026002000640065006c0020002200;6e00650074007300680020006600690072006500770061006c006c002000610064006400200061006c006c006f00770065006400700072006f006700720061006d00;2e006c006e006b0000??57005300630072006900700074002e005300680065006c006c00
> > >>
> > >> Hashes:
> > >> MD5: 776d292d967e7dc6a3fb84cdb0e26017
> > >> SHA1: a5771318e39c4bd281caee5fbfb3616ac2ac0cf5
> > >> SHA256: fd2fe31018ee8f4a45402528b6e3c6bf481cc2ffb2f9465f6b0c84dcfaf16399
> > >>
> > >> PWStealer that can spread via USB drives.
> > >> Sig0:
> > >> Appends to a variable (LogsPath) the ".tmp" string.
> > >> Sig1:
> > >> .ddns.net
> > >> Sig2:
> > >> /k ping.exe 0 del "
> > >> Sig3:
> > >> netsh firewall add allowed program
> > >> Sig4:
> > >> .lnk WScript.Shell
> > >>
> > >>
> > >> Regards,
> > >> Andrei Saygo
> > >>
> > >>
> > >> _______________________________________________
> > >> Community-sigs mailing list
> > >> Community-sigs at lists.clamav.net
> > >> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> > >>
> > >> http://www.clamav.net/contact.html#ml
> > >>
> > >
> > >
>
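As an added example (not code from the thread or from ClamAV itself), the script below applies the `A>X,Y` rule quoted in the thread to the five subsignature bodies of the posted signature and shows why `(0|1|2|3|4)>3` fires on a buffer that merely repeats `.ddns.net` while `>3,3` does not. The sample buffers, the hostname in them, and the assumption that a bare `>X` requires only one distinct subsignature are constructed for this illustration.

```python
import re

# Subsignature bodies copied from the posted signature (ClamAV hex; ?? = any one byte).
SUBSIGS = [
    "0A06161F2E9D06171F749D06181F6D9D06191F709D06",                              # sig0: raw bytes
    "2e00640064006e0073002e006e0065007400",                                      # sig1: ".ddns.net" UTF-16LE
    "2f006b002000700069006e00670020003000200026002000640065006c0020002200",      # sig2: /k ping ... del "
    "6e00650074007300680020006600690072006500770061006c006c002000610064006400200061006c006c006f00770065006400700072006f006700720061006d00",  # sig3: netsh firewall ...
    "2e006c006e006b0000??57005300630072006900700074002e005300680065006c006c00",  # sig4: .lnk ?? WScript.Shell
]


def hex_to_regex(sig):
    """Compile a ClamAV hex body into a bytes regex; ?? becomes a one-byte wildcard."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok))
             for tok in re.findall(r"\?\?|[0-9a-fA-F]{2}", sig)]
    return re.compile(b"".join(parts), re.DOTALL)


PATTERNS = [hex_to_regex(s) for s in SUBSIGS]


def count_matches(data):
    """Per-subsignature hit counts, the numbers the logical expression is evaluated on."""
    return [len(p.findall(data)) for p in PATTERNS]


def block_modifier(counts, x, y=1):
    """(0|1|2|3|4)>X,Y as the quoted doc states it: the block must produce more than X
    matches in total AND at least Y distinct subsignatures must hit.  Treating the
    bare >X form as Y=1 is this example's assumption, not something the thread states."""
    return sum(counts) > x and sum(1 for c in counts if c) >= y


# Constructed sample buffers (not real files): a benign one that names a .ddns.net host
# five times, and one that carries sig1 twice plus sig3 and sig4 once each.
BENIGN = "host.ddns.net\n".encode("utf-16-le") * 5
SUSPECT = (bytes.fromhex(SUBSIGS[1]) * 2 + bytes.fromhex(SUBSIGS[3])
           + bytes.fromhex(SUBSIGS[4].replace("??", "00")))


def verdicts(data):
    """Return (decision under the original '>3', decision under the revised '>3,3')."""
    c = count_matches(data)
    return block_modifier(c, 3), block_modifier(c, 3, 3)


if __name__ == "__main__":
    print("benign :", count_matches(BENIGN), verdicts(BENIGN))    # [0, 5, 0, 0, 0] (True, False)
    print("suspect:", count_matches(SUSPECT), verdicts(SUSPECT))  # [0, 2, 0, 1, 1] (True, True)
```

The benign buffer trips the original expression purely on repeated `.ddns.net` hits, which is the false positive raised in the thread; requiring three distinct subsignatures keeps the real sample matching while dropping that case.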
