[Community-sigs] new sig for Win.Trojan.Upatre
Alain Zidouemba
azidouemba at sourcefire.com
Wed Nov 26 12:15:42 EST 2014
Thanks Andrei! We'll review your signature and try to release it today.
- Alain
On Wed, Nov 26, 2014 at 11:43 AM, <andreisaygo at live.ie> wrote:
>
> Signature: Win.Trojan.Upatre;Target:1;(0|1);68647573658a5c0cff8bd703d1885c10ff83e90185c975ed;33c005001e00008a4c38ffc0c107884c38ff483d0000000075ed61
>
> Hashes:
> MD5: 110e56e45219af2944dc6619aa0f2b0e
> SHA1: 17ed0d030c5516304e5d5fb9dc397ad35d279af7
> SHA256: b2f700d7ca5aced0e13af86dd39d056d3e9bef2f5c113ac44b964c145cb3a1f7
>
> Sig0: add duser.dll to the systemdir string (c:\windows\system32\duser.dll)
> 0040126f push 0x65737564
> 00401274 mov bl, byte [ss:esp+ecx-0x0+arg_FFFFFFFFFFFFFFFB]
> 00401278 mov edx, edi
> 0040127a add edx, ecx
> 0040127c mov byte [ds:eax+edx+0xffffffff], bl
> 00401280 sub ecx, 0x1
> 00401283 test ecx, ecx
> 00401285 jne 0x401274
>
> Sig1: decrypt API names
> 004012b8 xor eax, eax
> 004012ba add eax, 0x1e00
> 004012bf mov cl, byte [ds:eax+edi+0xffffffff]
> 004012c3 rol cl, 0x7
> 004012c6 mov byte [ds:eax+edi+0xffffffff], cl
> 004012ca dec eax
> 004012cb cmp eax, 0x0
> 004012d0 jne 0x4012bf
>
> Thanks.
> Andrei Saygo
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>
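The submitted line is a ClamAV logical signature (Name;Target:N;expression;subsig0;subsig1), so it can be checked offline before it goes to the list. The Python below is an added example, not code from the original post or from ClamAV itself: it parses the posted signature, evaluates the (0|1) expression against constructed byte buffers (not real samples), and cross-checks that the first subsignature opens with the `push imm32` the disassembly shows. The expression evaluator handles only indices, `&`, `|` and parentheses, a subset of what ClamAV accepts, and the subsignatures are assumed to be plain hex with no wildcards.

```python
import re

# Logical signature exactly as posted above (ClamAV .ldb layout):
# Name;Target:N;LogicalExpression;SubSig0;SubSig1;...
SIGNATURE = (
    "Win.Trojan.Upatre;Target:1;(0|1);"
    "68647573658a5c0cff8bd703d1885c10ff83e90185c975ed;"
    "33c005001e00008a4c38ffc0c107884c38ff483d0000000075ed61"
)


def parse_ldb(line):
    """Split a logical signature into name, target type, expression and subsig bytes.
    Only plain hex subsignatures are accepted; wildcards are outside this example."""
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError("need Name;Target:N;Expression;SubSig0[;...]")
    name, target, expr, *hexsigs = fields
    target_type = int(target.split(":", 1)[1])
    subsigs = []
    for hexsig in hexsigs:
        if len(hexsig) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", hexsig):
            raise ValueError(f"subsignature is not plain hex: {hexsig}")
        subsigs.append(bytes.fromhex(hexsig))
    return {"name": name, "target": target_type, "expr": expr, "subsigs": subsigs}


def eval_expr(expr, hits):
    """Evaluate a logical expression over per-subsig match flags.
    Supported: subsig indices, '&', '|', parentheses (no match-count operators)."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError(f"unsupported expression syntax: {expr}")
    pos = 0

    def parse_or():
        nonlocal pos
        val = parse_and()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            rhs = parse_and()          # always consume the operand, no short-circuit
            val = val or rhs
        return val

    def parse_and():
        nonlocal pos
        val = parse_atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            rhs = parse_atom()
            val = val and rhs
        return val

    def parse_atom():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("expression ended unexpectedly")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            val = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses")
            pos += 1
            return val
        if tok.isdigit():
            idx = int(tok)
            if idx >= len(hits):
                raise ValueError(f"expression references subsig {idx}, only {len(hits)} defined")
            return bool(hits[idx])
        raise ValueError(f"unexpected token {tok!r}")

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in expression")
    return bool(result)


def scan(sig, data):
    """Report which subsignatures occur in data and whether the expression holds."""
    hits = [subsig in data for subsig in sig["subsigs"]]
    return {"matched": eval_expr(sig["expr"], hits), "subsig_hits": hits}


def push_immediate_ascii(subsig):
    """If a subsig opens with push imm32 (opcode 0x68), return the immediate as ASCII.
    For Sig0 this recovers the "duse" chunk of "duser.dll" the listing pushes."""
    if len(subsig) < 5 or subsig[0] != 0x68:
        return None
    return subsig[1:5].decode("ascii", errors="replace")


SIG = parse_ldb(SIGNATURE)

# Constructed test buffers (not real samples): zero padding around one subsig each.
SAMPLE_WITH_SIG0 = b"MZ" + bytes(30) + SIG["subsigs"][0] + bytes(16)
SAMPLE_WITH_SIG1 = b"MZ" + bytes(30) + SIG["subsigs"][1] + bytes(16)
SAMPLE_CLEAN = b"MZ" + bytes(64)

if __name__ == "__main__":
    for label, buf in [("sig0 only", SAMPLE_WITH_SIG0),
                       ("sig1 only", SAMPLE_WITH_SIG1),
                       ("clean", SAMPLE_CLEAN)]:
        print(label, scan(SIG, buf))
    print("Sig0 push immediate:", push_immediate_ascii(SIG["subsigs"][0]))
```

Because the expression is (0|1), either code sequence on its own is enough to fire the detection; a buffer containing neither stays clean. Checking that the hex decodes to the opcodes in the listing catches the most common submission error, a byte dropped or duplicated while copying the pattern out of the disassembler.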