[Community-sigs] new sig for Win.Trojan.Upatre
andreisaygo at live.ie
Wed Nov 26 11:43:34 EST 2014
Signature:Win.Trojan.Upatre;Target:1;(0|1);68647573658a5c0cff8bd703d1885c10ff83e90185c975ed;33c005001e00008a4c38ffc0c107884c38ff483d0000000075ed61
Hashes:
MD5 110e56e45219af2944dc6619aa0f2b0e
SHA1 17ed0d030c5516304e5d5fb9dc397ad35d279af7
SHA256 b2f700d7ca5aced0e13af86dd39d056d3e9bef2f5c113ac44b964c145cb3a1f7
Sig0: add duser.dll to the systemdir string (c:\windows\system32\duser.dll)
0040126f push 0x65737564
00401274 mov bl, byte [ss:esp+ecx-0x0+arg_FFFFFFFFFFFFFFFB]
00401278 mov edx, edi
0040127a add edx, ecx
0040127c mov byte [ds:eax+edx+0xffffffff], bl
00401280 sub ecx, 0x1
00401283 test ecx, ecx
00401285 jne 0x401274

Sig1: decrypt API names
004012b8 xor eax, eax
004012ba add eax, 0x1e00
004012bf mov cl, byte [ds:eax+edi+0xffffffff]
004012c3 rol cl, 0x7
004012c6 mov byte [ds:eax+edi+0xffffffff], cl
004012ca dec eax
004012cb cmp eax, 0x0
004012d0 jne 0x4012bf
Thanks.
Andrei Saygo
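Added example, not part of the post and not ClamAV's own code: a minimal Python matcher that parses the .ldb line above, checks both hex subsignatures against a buffer and evaluates the (0|1) logic, plus an emulation of the Sig1 decryption loop (rol cl, 7 over the 0x1e00-byte block). It assumes plain hex subsignatures only and skips the Target:1 file-type check; the sample buffers are constructed, not taken from the sample.

```python
import re

SIG = (  # the .ldb line from the post: name;target block;logic;subsig0;subsig1
    "Win.Trojan.Upatre;Target:1;(0|1);"
    "68647573658a5c0cff8bd703d1885c10ff83e90185c975ed;"
    "33c005001e00008a4c38ffc0c107884c38ff483d0000000075ed61")

def parse_ldb(line):
    """Split an .ldb line; only plain-hex subsigs (no ?? / {n} wildcards) are handled."""
    name, tdb, expr, *subs = line.split(";")
    return name, tdb, expr, [bytes.fromhex(s) for s in subs]

def evaluate(expr, hits):
    """Evaluate e.g. '(0|1)' over per-subsig hit booleans; count forms like '0>2' are rejected."""
    if not re.fullmatch(r"[\d|&() ]+", expr):
        raise ValueError("unsupported logical expression: %r" % expr)
    toks = re.findall(r"\d+|[|&()]", expr)
    pos = 0
    def term():                      # subsig index or parenthesised sub-expression
        nonlocal pos
        t = toks[pos]; pos += 1
        if t != "(":
            return hits[int(t)]
        v = disj()
        if toks[pos:pos + 1] != [")"]:
            raise ValueError("missing ')' in %r" % expr)
        pos += 1
        return v
    def conj():                      # '&' binds tighter than '|'
        nonlocal pos
        v = term()
        while pos < len(toks) and toks[pos] == "&":
            pos += 1; v = term() and v
        return v
    def disj():
        nonlocal pos
        v = conj()
        while pos < len(toks) and toks[pos] == "|":
            pos += 1; v = conj() or v
        return v
    return disj()

def scan(data, line=SIG):
    """Name if the logic holds over data; the Target:1 (PE) file-type check is skipped here."""
    name, _tdb, expr, subs = parse_ldb(line)
    return name if evaluate(expr, [s in data for s in subs]) else None

def decrypt_names(buf):
    """Emulate the Sig1 loop: rol each byte by 7 (same as ror 1); traversal order is irrelevant."""
    return bytes(((b << 7) | (b >> 1)) & 0xFF for b in buf)
```

Because the logic is (0|1), either fragment alone is enough for a hit, so a repacked sample that keeps only the API-name decryption loop still matches.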