[Community-sigs] new sig Linux.Backdoor.Turla
andreisaygo at live.ie
Tue Dec 9 11:38:07 EST 2014
Just a small change:
Linux.Backdoor.Turla;Target:6;(0|1|2|3)>2,2;5f5f77655f6172655f68617070795f5f;772b002f746d702f2e*00722b00;446573637c*46696c656e616d65*73697a65*7c73746174657c;80C305329A??????08889A??????084283FA0876E9
> From: andreisaygo at live.ie
> To: community-sigs at lists.clamav.net
> Date: Tue, 9 Dec 2014 13:57:08 +0000
> Subject: [Community-sigs] new sig Linux.Backdoor.Turla
>
> Signature:
> Linux.Backdoor.Turla;Target:6;(0|1|2|3)>2;5f5f77655f6172655f68617070795f5f;772b002f746d702f2e*00722b00;446573637c*46696c656e616d65*73697a65*7c73746174657c;80C305329A??????08889A??????084283FA0876E9
>
> Hashes:
> MD5: 19fbd8cbfb12482e8020a887d6427315
> SHA1: 7f043eb95d74d051ac780aee52ebf1c497c43060
> SHA256: 8856a68d95e4e79301779770a83e3fad8f122b849a9e9e31cfe06bf3418fa667
>
>
> Sig3:
> //08048372 80C305 add bl, 0x5
> //08048375 329A??????08 xor bl, byte [ds:edx+0x80cd6cb]
> //0804837b 889A??????08 mov byte [ds:edx+__xored__buffer__], bl
> //08048381 42 inc edx
> //08048382 83FA08 cmp edx, 0x8
> //08048385 76E9 jbe 0x8048370
>
> Regards,
> Andrei Saygo
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
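
An added example, not part of the original post and not ClamAV code: a small Python parser that splits the two signature lines above into their fields, decodes the literal hex subsignatures, and evaluates the logical expression under ClamAV's documented semantics for `A>X` (sum of matches greater than X) and `A>X,Y` (additionally at least Y distinct subsignatures matched). The function names and the match counts are constructed for illustration.

```python
import re

# Subsignatures shared by both versions, copied from the thread above.
SUBSIGS = ("5f5f77655f6172655f68617070795f5f;"
           "772b002f746d702f2e*00722b00;"
           "446573637c*46696c656e616d65*73697a65*7c73746174657c;"
           "80C305329A??????08889A??????084283FA0876E9")
ORIGINAL = "Linux.Backdoor.Turla;Target:6;(0|1|2|3)>2;" + SUBSIGS
REVISED = "Linux.Backdoor.Turla;Target:6;(0|1|2|3)>2,2;" + SUBSIGS


def parse_ldb(line):
    """Split an .ldb line into name, target block, expression, subsigs."""
    name, target, expr, *subsigs = line.strip().split(";")
    return {"name": name, "target": target, "expr": expr, "subsigs": subsigs}


def decode_literals(subsig):
    """Decode the pure-hex pieces between '*' wildcards; skip pieces with '??'."""
    return [bytes.fromhex(part) for part in subsig.split("*")
            if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", part)]


def evaluate(expr, counts):
    """Evaluate the one expression shape used here: (a|b|...)>X or >X,Y.

    counts maps subsig index -> number of matches in the scanned file.
    """
    m = re.fullmatch(r"\(([\d|]+)\)>(\d+)(?:,(\d+))?", expr)
    if not m:
        raise ValueError("unsupported expression: " + expr)
    members = [int(i) for i in m.group(1).split("|")]
    total = sum(counts.get(i, 0) for i in members)
    distinct = sum(1 for i in members if counts.get(i, 0) > 0)
    min_distinct = int(m.group(3)) if m.group(3) else 0
    return total > int(m.group(2)) and distinct >= min_distinct


if __name__ == "__main__":
    for i, s in enumerate(parse_ldb(REVISED)["subsigs"]):
        print(i, decode_literals(s))
    # Constructed match counts: subsig 0 alone hits three times.
    one_string = {0: 3}
    for label, line in (("original", ORIGINAL), ("revised", REVISED)):
        print(label, evaluate(parse_ldb(line)["expr"], one_string))
```

With the constructed counts, a file in which only subsignature 0 occurs three times satisfies the original expression but not the revised one.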