[Community-sigs] new sig Win.Downloader.Agent

Alain Zidouemba azidouemba at sourcefire.com
Thu Dec 11 13:00:46 EST 2014


Thanks Andrei.

I believe this signature could be rewritten as follows, given the logic of
your original logical signature:

Win.Downloader.Agent:1:*:6A0D68????400068????4000FF15*6A0D68????400068????4000FF15*6A0D68????400068????4000FF15*6A0D68????400068????4000FF15*BE0000000056B8FFFFFFFF508D15????4000FF12*89E2*FF22

- Alain

On Thu, Dec 11, 2014 at 12:34 PM, <andreisaygo at live.ie> wrote:

> Sig:
>
> Win.Downloader.Agent;Target:1;0;6A0D68????400068????4000FF15*6A0D68????400068????4000FF15*6A0D68????400068????4000FF15*6A0D68????400068????4000FF15*6A0D68????400068????4000FF15*BE0000000056B8FFFFFFFF508D15????4000FF12*89E2*FF22
>
> (this repeats a few times)
> 6A0D          push    0xd
> 68????4000    push    0x40408e                  ; 0x40408e
> 68????4000    push    0x404084                  ; "dFIBVjkRK"
> FF15          call    dword [ds:imp_GetVolumePathNameA]
> *
> BE00000000    mov     esi, 0x0
> 56            push    esi
> B8FFFFFFFF    mov     eax, 0xffffffff
> 50            push    eax
> 8D15????4000  lea     edx, dword [ds:0x40407c]
> FF12          call    dword [ds:edx]
> *
> 89E2          mov     edx, esp
> *
> FF22          jmp     dword [ds:edx]
>
>
> MD5: 4694161d34854c07b50b4880efc2f8da
> SHA1: 3beed25f32177492178bb30144505e00873bdbee
> SHA256: d65babd2e58211751e9b532a0e33b6c76846f7e6f379174547711ee6dbb11289
>
>
> Regards,
> Andrei Saygo
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>
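As an added illustration of what the two signature lines in this thread actually express (this is example code written for this page, not ClamAV's engine and not code from either poster), here is a small Python reference matcher for the subset of ClamAV hex-signature syntax the signature uses: `??` (any byte, or `?` for one nibble) and `*` (any number of bytes). It parses Alain's `.ndb` line and Andrei's single-subsignature `.ldb` line, and runs both against constructed bytes that follow the posted disassembly. The push and lea immediates are the ones shown in the listing; the `FF15` call operand, the `MZ` stub and the padding are made up for the example, as are the helper names (`parse_hexsig`, `match_hexsig`, `scan`, and so on).

```python
import re

# Added example, not ClamAV's code: a reference matcher for '??' (any byte,
# a lone '?' is one nibble) and '*' (any number of bytes). ClamAV's {n-m}
# ranges, (aa|bb) alternation and anchors are deliberately out of scope.

def parse_hexsig(hexsig):
    """Split a hex signature on '*' into chunks; each chunk is a list of
    (value, mask) pairs, one per byte, with wildcard nibbles masked out."""
    chunks = []
    for part in hexsig.split("*"):
        if not part:
            continue                  # '**' or a leading/trailing '*' adds nothing
        if len(part) % 2 or not re.fullmatch(r"[0-9A-Fa-f?]+", part):
            raise ValueError(f"bad hex chunk: {part!r}")
        chunk = []
        for hi, lo in zip(part[0::2], part[1::2]):
            value = mask = 0
            if hi != "?":
                value |= int(hi, 16) << 4
                mask |= 0xF0
            if lo != "?":
                value |= int(lo, 16)
                mask |= 0x0F
            chunk.append((value, mask))
        chunks.append(chunk)
    return chunks

def find_chunk(data, chunk, start=0):
    """Index of the first match of chunk in data at or after start, else -1."""
    for i in range(start, len(data) - len(chunk) + 1):
        if all(data[i + k] & m == v for k, (v, m) in enumerate(chunk)):
            return i
    return -1

def match_hexsig(data, hexsig, offset="*"):
    """True if every '*'-separated chunk occurs in data, in order, without overlap.
    offset '*' means anywhere; a number pins the first chunk to that position.
    Taking the leftmost hit per chunk is safe because every gap is unbounded."""
    pos = 0
    for n, chunk in enumerate(parse_hexsig(hexsig)):
        if n == 0 and offset != "*":
            pos = int(offset)
            hit = find_chunk(data, chunk, pos)
            if hit != pos:
                return False
        else:
            hit = find_chunk(data, chunk, pos)
            if hit < 0:
                return False
        pos = hit + len(chunk)
    return True

def parse_ndb(line):
    """'Name:Target:Offset:HexSig' (.ndb); a trailing min-FLEVEL field is ignored."""
    name, target, offset, hexsig = line.strip().split(":")[:4]
    return {"name": name, "target": int(target), "offset": offset, "hexsig": hexsig}

def parse_single_subsig_ldb(line):
    """'Name;TargetDesc;Expr;Sub0[;Sub1..]' (.ldb) whose expression is a bare
    subsignature index, the case that collapses to an .ndb line. Assumes the
    chosen subsignature carries no 'offset:' prefix."""
    fields = line.strip().split(";")
    name, expr, subsigs = fields[0], fields[2], fields[3:]
    tdesc = dict(kv.split(":", 1) for kv in fields[1].split(","))  # {"Target": "1"}
    if not expr.isdigit() or int(expr) >= len(subsigs):
        raise ValueError("logical expression is not a single existing subsignature")
    return {"name": name, "target": int(tdesc["Target"]), "offset": "*",
            "hexsig": subsigs[int(expr)]}

def scan(data, sig):
    """Signature name on a match, else None (target type is not checked here)."""
    return sig["name"] if match_hexsig(data, sig["hexsig"], sig["offset"]) else None

def _le32(v):
    return v.to_bytes(4, "little")

# Constructed bytes following the posted disassembly. The push/lea immediates are
# the ones shown; the FF15 operand (an IAT slot), MZ stub and padding are made up.
_CALL_BLOCK = (b"\x6a\x0d" + b"\x68" + _le32(0x40408E) + b"\x68" + _le32(0x404084)
               + b"\xff\x15" + _le32(0x40A010))
SAMPLE = (b"MZ" + b"\x90" * 6
          + _CALL_BLOCK * 5 + b"\x33\xc0"
          + b"\xbe" + _le32(0) + b"\x56" + b"\xb8" + _le32(0xFFFFFFFF) + b"\x50"
          + b"\x8d\x15" + _le32(0x40407C) + b"\xff\x12"
          + b"\x90\x90" + b"\x89\xe2" + b"\x5b" + b"\xff\x22")

_BLOCK = "6A0D68????400068????4000FF15"
_TAIL = "BE0000000056B8FFFFFFFF508D15????4000FF12*89E2*FF22"
# Andrei's .ldb line: five copies of the call block, logical expression "0".
ANDREI_LDB = "Win.Downloader.Agent;Target:1;0;" + "*".join([_BLOCK] * 5) + "*" + _TAIL
# Alain's .ndb line, joined from the wrapped lines in the reply above.
ALAIN_NDB = ("Win.Downloader.Agent:1:*:"
             "6A0D68????400068????4000FF15*6A0D68????400068????"
             "4000FF15*6A0D68????400068????"
             "4000FF15*6A0D68????400068????4000FF15*BE0000000056B8FFFFFFFF508D15??"
             "??4000FF12*89E2*FF22")
```

Calling `scan(SAMPLE, parse_ndb(ALAIN_NDB))` and `scan(SAMPLE, parse_single_subsig_ldb(ANDREI_LDB))` both return `Win.Downloader.Agent`; dropping the `89E2` bytes from the sample makes both return `None`, because every `*`-separated chunk must be present in order. This matcher is only for reasoning about a signature's logic; to check a real signature against a real file, put the line in a `.ndb` or `.ldb` file and run `clamscan -d that_file sample`.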


