[Community-sigs] new sig for Win.Backdoor.Bladabindi

Douglas Goddard dgoddard at sourcefire.com
Wed Dec 17 10:08:37 EST 2014


This has been added for FP check. Thank you very much!

On Wed, Dec 17, 2014 at 9:48 AM, <andreisaygo at live.ie> wrote:
>
> Minor changes to the previous sig to detect more samples:
>
> Win.Backdoor.Bladabindi;Target:1;(0|1|2|3|4|5|6)>4,4;2e006e006f002d00690070002e00620069007a00;7c0027007c0027007c00;53006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c00520075006e00;6e00650074007300680020006600690072006500770061006c006c002000640065006c00650074006500200061006c006c006f00770065006400700072006f006700720061006d00;63006d0064002e0065007800650020002f0063002000700069006e006700;4765744173796e634b65795374617465;6361704765744472697665724465736372697074696f6e41
>
> MD5: a639e4538df844e297aca9411419e129
> SHA1: 0774efd76fe90c5b08c44293677aa59e14a2c1ff
> SHA256: f41444bd8a2c4592178833625795f64b1058988c37e467ecfaacad09c0d67ee5
>
> Thanks.
> Regards,
> Andrei Saygo
>
> > From: andreisaygo at live.ie
> > To: community-sigs at lists.clamav.net
> > Date: Tue, 2 Dec 2014 14:54:00 +0000
> > Subject: [Community-sigs] new sig for Win.Backdoor.Bladabindi
> >
> > Sig:
> >
> Win.Backdoor.Bladabindi;Target:1;(0|1)&2&3&4&5&6;2e006e006f002d00690070002e00620069007a00;7c0027007c0027007c00;53006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c00520075006e00;6e00650074007300680020006600690072006500770061006c006c002000640065006c00650074006500200061006c006c006f00770065006400700072006f006700720061006d0020002200????2200????2e00650078006500;63006d0064002e0065007800650020002f0063002000700069006e0067002000300020002d006e002000??00200026002000640065006c0020002200;4765744173796e634b65795374617465;6361704765744472697665724465736372697074696f6e41
> > (0).no-ip.biz
> > (1)|'|'|
> > (2)Software\Microsoft\Windows\CurrentVersion\Run
> > (3)netsh firewall delete allowedprogram " ".exe"
> > (4)cmd.exe /c ping 0 -n 2 & del "
> > (5)GetAsyncKeyState
> > (6)capGetDriverDescriptionA
> > MD5: 68e596ae5235fc5ebbf9e3f3ecad55a7
> > SHA1: af66e432f57e6c771cabdf966c4a091b4e0311bd
> > SHA256: 9db5ae45879422b1ebbfd1d3b661bd1e7a891ce4687ae7087b611b3658150390
> >
> > MD5: 295e61958b62097811c29b347c7fd215
> > SHA1: 2e149c0acc0b9ca300d5b42039a10733c02ffb0b
> > SHA256: e23c79c16f5e80d27f6edafd5df314e54ceee24dc21605df5679e52aec25fb7d
> >
> > Regards,
> > Andrei Saygo
> > _______________________________________________
> > Community-sigs mailing list
> > Community-sigs at lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> >
> > http://www.clamav.net/contact.html#ml
>
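The posted line is a ClamAV logical signature (.ldb): name, target type, a logical expression over numbered subsignatures, then the hex subsignatures themselves, most of them UTF-16LE strings. As an added example (not code from the thread or from ClamAV), the script below decodes the subsignatures to the plaintext strings the original post listed by hand and applies the `(0|1|2|3|4|5|6)>4,4` rule to a constructed buffer, using my reading of ClamAV's `>n,m` modifier: more than n hits in total across the listed subsignatures and at least m distinct ones. Only that expression shape is handled; the sample buffer and the `??` handling in `hex_to_regex` are my own assumptions.

```python
import re
# Constructed input: the .ldb logical signature posted in this thread, one field per line.
LDB_LINE = ";".join([
    "Win.Backdoor.Bladabindi", "Target:1", "(0|1|2|3|4|5|6)>4,4",
    "2e006e006f002d00690070002e00620069007a00",
    "7c0027007c0027007c00",
    "53006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c00520075006e00",
    "6e00650074007300680020006600690072006500770061006c006c002000640065006c00650074006500200061006c006c006f00770065006400700072006f006700720061006d00",
    "63006d0064002e0065007800650020002f0063002000700069006e006700",
    "4765744173796e634b65795374617465",
    "6361704765744472697665724465736372697074696f6e41",
])

def parse_ldb(line):
    """Split an .ldb line into name, target, logical expression and hex subsigs."""
    name, target, logic, *subsigs = line.strip().split(";")
    return name, target, logic, subsigs

def hex_to_regex(hexsig):
    """Compile a hex subsig to a bytes regex; a '??' byte is a one-byte wildcard."""
    parts = [hexsig[i:i + 2] for i in range(0, len(hexsig), 2)]
    pattern = b"".join(b"." if p == "??" else re.escape(bytes.fromhex(p)) for p in parts)
    return re.compile(pattern, re.DOTALL)

def describe(hexsig):
    """Render a wildcard-free hex subsig as text; all-zero odd bytes mean UTF-16LE."""
    raw = bytes.fromhex(hexsig)
    utf16 = len(raw) % 2 == 0 and not any(raw[1::2])
    return raw.decode("utf-16-le" if utf16 else "latin-1")

def subsig_strings(line):
    """Decode every subsig of the signature, as the original post did by hand."""
    return [describe(s) for s in parse_ldb(line)[3]]

def evaluate(line, data):
    """Apply a '(a|b|..)>n,m' expression: total hits > n and at least m distinct subsigs.
    (Only this expression shape is handled; full ClamAV boolean logic is out of scope.)"""
    _, _, logic, subsigs = parse_ldb(line)
    expr = re.fullmatch(r"\(([\d|]+)\)>(\d+),(\d+)", logic)
    ids = [int(i) for i in expr.group(1).split("|")]
    need_total, need_distinct = int(expr.group(2)), int(expr.group(3))
    hits = {i: len(hex_to_regex(subsigs[i]).findall(data)) for i in ids}
    total, distinct = sum(hits.values()), sum(1 for c in hits.values() if c)
    return total > need_total and distinct >= need_distinct, hits

if __name__ == "__main__":
    # Constructed sample buffer holding five of the seven strings, so the rule fires.
    sample = (".no-ip.biz|'|'|cmd.exe /c ping".encode("utf-16-le")
              + b"GetAsyncKeyState capGetDriverDescriptionA")
    print(subsig_strings(LDB_LINE), evaluate(LDB_LINE, sample))
```

The last case in the test below shows why the `,4` part matters: one string repeated five times clears the `>4` count but not the distinct-subsignature requirement.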