[Community-sigs] Win.Adware.OpenCandy signature
Willian Cruz
willianalbertocruz at outlook.com.br
Mon Nov 24 22:26:35 EST 2014
Good night guys,
I've collected it from my cousin's computer and decided to study it. I discovered that it's a DLL that scans your computer for info to show ads. It does this while a setup file (that has this DLL embedded) is running. I managed to get an "official" copy of this DLL from its creators and got some more samples from other setup files that have this file. Here's the sig:
Win.Adware.OpenCandy;Target:1;(0&1&2&3);4F70656E43616E6479;436F6F6B6965;50726F7879;6F6666657273
Files that I used:
SHA256: 0888ffbfbc082e42c3f2991b61bdcb2a7d64914b55d1da33686c4b4249530f6f
SHA256: d36861185639313f291fab94a65c12deb60c2539e50b6d2ce8b6ed77b8aae144
SHA256: a0e1b3836445ff863a01b2110f90741156fb8cb75a17423bf6753a189054d75c
SHA256: 61f7834d795cae37a1c99b8d5956ca3351faea5c5acd9a83d19b7e594fb87d82
That's all. If somehow it doesn't pass the FP test, please notify me. This sig can detect a wider range of samples because I created it based on common strings in the files cited above.
Will.
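
Added example, not part of the original message and not ClamAV code: a small Python reader for the logical signature posted above, showing which byte strings its four subsignatures encode and when the expression (0&1&2&3) holds. It assumes plain hex subsignatures only (no wildcards, offsets or modifiers), does not check the Target file type, and the test buffers are constructed, not real samples.

```python
import re

# Signature line copied from the post above.
SIG = ("Win.Adware.OpenCandy;Target:1;(0&1&2&3);"
       "4F70656E43616E6479;436F6F6B6965;50726F7879;6F6666657273")

def parse_ldb(line):
    """Split a logical signature into name, target, expression, byte patterns."""
    name, target, expr, *subsigs = line.strip().split(";")
    for s in subsigs:  # plain hex only: no wildcards, offsets or modifiers
        if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", s):
            raise ValueError(f"unsupported subsignature: {s}")
    return name, target, expr, [bytes.fromhex(s) for s in subsigs]

def evaluate(expr, hits):
    """Evaluate indices joined by & or |, with parentheses for grouping."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr:
        raise ValueError(f"unsupported expression: {expr}")
    pos = 0
    def term():
        nonlocal pos
        tok = tokens[pos]; pos += 1
        if tok != "(":
            return hits[int(tok)]
        val = group()
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("missing )")
        pos += 1
        return val
    def group():
        nonlocal pos
        vals, ops = [term()], set()
        while pos < len(tokens) and tokens[pos] in ("&", "|"):
            ops.add(tokens[pos]); pos += 1
            vals.append(term())
        if len(ops) > 1:  # avoid guessing precedence
            raise ValueError("mixing & and | needs explicit parentheses")
        return any(vals) if ops == {"|"} else all(vals)
    result = group()
    if pos != len(tokens):
        raise ValueError("trailing tokens")
    return result

def scan(line, data):
    """Return the signature name if the expression holds for data, else None."""
    name, _target, expr, pats = parse_ldb(line)  # target type is not checked here
    return name if evaluate(expr, [p in data for p in pats]) else None

# Constructed buffers, not real samples.
HIT = b"MZ\x00OpenCandy\x00Proxy\x00Cookie\x00special offers\x00"
PARTIAL = b"MZ\x00OpenCandy\x00Cookie\x00"
WIDE = "OpenCandy Cookie Proxy offers".encode("utf-16le")
```

The four patterns are short ASCII words matched byte for byte in any order, so the same strings stored as UTF-16 or in a different case do not satisfy the expression.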