[Community-sigs] new sig: Win.Downloader.Upatre

Douglas Goddard dgoddard at sourcefire.com
Fri Dec 19 11:10:08 EST 2014


This has passed FP testing and will be published today. Thank you!

On Fri, Dec 19, 2014 at 5:48 AM, <andreisaygo at live.ie> wrote:
>
> Sig:
>
> Win.Downloader.Upatre;Target:1;0|1;60B8??00000033DBB80000000003C46683C3??68??00000059C1C1??668BF0663BF10F87??000000;68447573658A5C0CFF8BD603D1885C10FF83E90185C975ED
>
> Sig0:
> 60               pushad
> B864000000       mov     eax, 000000064
> 33DB             xor     ebx, ebx
> B800000000       mov     eax, 0
> 03C4             add     eax, esp
> 6683C301         add     bx, 1
> 68FF000000       push    0000000FF
> 59               pop     ecx
> C1C108           rol     ecx, 8
> 668BF0           mov     si, ax
> 663BF1           cmp     si, cx
> 0F8715000000     ja      .00040103D
>
>
> //check Duser.dll
> 6844757365       push    'esuD'
> 8A5C0CFF         mov     bl, [esp+ecx-1]
> 8BD6             mov     edx, esi
> 03D1             add     edx, ecx
> 885C10FF         mov     [eax+edx-1], bl
> 83E901           sub     ecx, 1
> 85C9             test    ecx, ecx
> 75ED             jnz     short loc_401261
>
>
> MD5: bc3d9392e0a96fd2c0b480b6ae43f3af
> SHA1: d11396bda23845e4db91b1735fde3b4ea1492bc0
> SHA256: d7fcd215f8d3e74be7f9d76c72c67dc2027e0f23c6de1a2ab07b508c6b9a536f
>
> MD5: f130b4c9581f47752a681a26a075dd76
> SHA1: 009260394b204bcd3f91fbe625ee3f56c18ac6ef
> SHA256: ef0717bce91c868c367b3bbac22a28fe4ec72a230ec96ae646cb76a850ec6358
>
> Regards,
> Andrei Saygo
>
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>
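The following is an added example, not part of the original post and not ClamAV's own code. It reimplements just enough of the .ldb logical-signature semantics to check the posted line against a byte buffer: each hex subsignature becomes a compiled regex over bytes ("??" is any one byte), and the logical expression ("0|1" here) is evaluated over which subsignatures matched. As a generalization of what the post uses, it also accepts the "*", "{n}", "{n-m}", "{n-}" and "{-n}" wildcards and "&" with parentheses in the expression; giving "&" higher precedence than "|" is an assumption of this example. The sample buffer is constructed from the bytes in the listing above and is not the content of either hashed file.

```python
"""Minimal matcher for one ClamAV logical (.ldb) signature line (added example)."""
import re

# The signature exactly as posted on the list.
SIG = ("Win.Downloader.Upatre;Target:1;0|1;"
       "60B8??00000033DBB80000000003C46683C3??68??00000059C1C1??"
       "668BF0663BF10F87??000000;"
       "68447573658A5C0CFF8BD603D1885C10FF83E90185C975ED")

# Raw bytes of the two fragments from the disassembly listing.
UPATRE_STUB = bytes.fromhex(
    "60B86400000033DBB80000000003C4"   # pushad; mov eax,64h; xor ebx,ebx; mov eax,0; add eax,esp
    "6683C30168FF00000059C1C108"       # add bx,1; push 0FFh; pop ecx; rol ecx,8
    "668BF0663BF10F8715000000")        # mov si,ax; cmp si,cx; ja
DUSER_LOOP = bytes.fromhex(
    "68447573658A5C0CFF8BD603D1885C10FF83E90185C975ED")  # push 'esuD' ... jnz

# Constructed stand-in for a sample (assumption: NOT the bytes of the hashed files).
SAMPLE = b"MZ" + bytes(62) + UPATRE_STUB + b"\x90" * 16 + DUSER_LOOP


def parse_ldb(line):
    """Split 'Name;TargetDescription;LogicalExpr;Subsig0;Subsig1;...'."""
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError("need name, TDB, logical expression and at least one subsig")
    name, tdb, logic, *subsigs = fields
    return name, tdb, logic, subsigs


def hex_to_regex(subsig):
    """Compile one hex subsignature into a bytes regex (DOTALL so '.' matches 0x0A)."""
    parts, i = [], 0
    while i < len(subsig):
        c = subsig[i]
        if c == "?":                       # ?? = exactly one arbitrary byte
            if subsig[i:i + 2] != "??":
                raise ValueError("nibble wildcards such as 6? are not supported here")
            parts.append(b".")
            i += 2
        elif c == "*":                     # * = any run of bytes
            parts.append(b".*?")
            i += 1
        elif c == "{":                     # {n}, {n-m}, {n-}, {-n}
            j = subsig.index("}", i)
            lo, dash, hi = subsig[i + 1:j].partition("-")
            if not dash:
                parts.append(b".{%d}" % int(lo))
            else:
                parts.append(b".{%d,%s}" % (int(lo or 0), hi.encode()))
            i = j + 1
        else:                              # literal byte
            parts.append(re.escape(bytes([int(subsig[i:i + 2], 16)])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def eval_logic(expr, hits):
    """Evaluate e.g. '0|1' or '(0|1)&2'; index i is true when hits[i] is not None."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr:
        raise ValueError("unsupported logical expression: %r" % expr)
    pos = [0]

    def take():
        pos[0] += 1
        return tokens[pos[0] - 1]

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def atom():
        tok = take()
        if tok == "(":
            value = disj()
            if take() != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            return value
        return hits.get(int(tok)) is not None

    def conj():                            # '&' binds tighter than '|' (assumption)
        value = atom()
        while peek() == "&":
            take()
            value = atom() and value
        return value

    def disj():
        value = conj()
        while peek() == "|":
            take()
            value = conj() or value
        return value

    result = disj()
    if pos[0] != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return result


def scan(sig_line, data):
    """Return (name, {subsig index: offset of first hit or None}, verdict)."""
    name, _tdb, logic, subsigs = parse_ldb(sig_line)
    hits = {}
    for idx, pattern in enumerate(subsigs):
        m = hex_to_regex(pattern).search(data)
        hits[idx] = m.start() if m else None
    return name, hits, eval_logic(logic, hits)


if __name__ == "__main__":
    name, hits, verdict = scan(SIG, SAMPLE)
    print(name, hits, "FOUND" if verdict else "clean")
```

Because the expression is "0|1", either fragment on its own is enough to fire the signature, which the matcher shows when only DUSER_LOOP is present; conversely a variant that re-encodes a single instruction in the stub (for instance 31DB instead of 33DB for xor ebx,ebx) escapes subsig 0. For a real check, save the posted line to a .ldb file and run `clamscan -d that.ldb` against the samples; the code above is only for reasoning about what the pattern covers.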


