[Community-sigs] Win.Adware.OpenCandy signature

Willian Cruz willianalbertocruz at outlook.com.br
Sat Nov 29 00:32:57 EST 2014


Please disregard this; there's a mistake in the logic. I'll fix it and re-send.
Thanks.
 
> From: willianalbertocruz at outlook.com.br
> To: community-sigs at lists.clamav.net
> Date: Tue, 25 Nov 2014 01:26:35 -0200
> Subject: [Community-sigs] Win.Adware.OpenCandy signature
> 
> Good night guys,
>  
> I've collected it from my cousin's computer and decided to study it. I discovered that it's a DLL that scans your computer for info to show ads. It does this while a setup file (that has this DLL embedded) is running. I managed to get an "official" copy of this DLL from its creators and got some more samples from other setup files that have this file. Here's the sig:
>  
> Win.Adware.OpenCandy;Target:1;(0&1&2&3);4F70656E43616E6479;436F6F6B6965;50726F7879;6F6666657273
>  
> Files that I used:
> SHA256: 0888ffbfbc082e42c3f2991b61bdcb2a7d64914b55d1da33686c4b4249530f6f
> SHA256: d36861185639313f291fab94a65c12deb60c2539e50b6d2ce8b6ed77b8aae144
> SHA256: a0e1b3836445ff863a01b2110f90741156fb8cb75a17423bf6753a189054d75c
> SHA256: 61f7834d795cae37a1c99b8d5956ca3351faea5c5acd9a83d19b7e594fb87d82
> 
> That's all. If somehow it doesn't pass the FP test, please notify me. This sig can detect a wider range of samples because I created it based on common strings in those files cited above.
>  
> Will.
 		 	   		  
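Added example (not part of the original message, and not ClamAV's own code): Python that parses the logical signature posted above, decodes its hex subsignatures, and evaluates the expression against a byte string, which is a quick way to review what a submitted signature will actually match. Assumptions: plain hex subsignatures only, `&` binds tighter than `|`, the target type is parsed but not enforced, and all function names are hypothetical.

```python
import re
from collections import deque

# Signature line as posted in the message above. ClamAV .ldb layout:
# Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;...
SIG = ("Win.Adware.OpenCandy;Target:1;(0&1&2&3);"
       "4F70656E43616E6479;436F6F6B6965;50726F7879;6F6666657273")

def parse_ldb(line):
    """Return (name, target block dict, expression, subsignature bytes)."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    target = dict(kv.split(":", 1) for kv in tdb.split(","))
    # Plain hex subsignatures only: wildcards or offsets raise ValueError.
    return name, target, expr, [bytes.fromhex(s) for s in subsigs]

def evaluate(expr, hits):
    """Evaluate subsig indices joined by & and |, with parentheses.
    Assumption: & binds tighter than |; count modifiers are unsupported."""
    if not re.fullmatch(r"[\d&|()]+", expr):
        raise ValueError("unsupported expression: " + expr)
    tokens = deque(re.findall(r"\d+|[&|()]", expr))

    def atom():
        tok = tokens.popleft()
        if tok != "(":
            return hits[int(tok)]
        val = or_expr()
        tokens.popleft()  # consume the closing ")"
        return val

    def chain(op, operand, combine):
        val = operand()
        while tokens and tokens[0] == op:
            tokens.popleft()
            val = combine(operand(), val)
        return val

    def and_expr():
        return chain("&", atom, lambda a, b: a and b)

    def or_expr():
        return chain("|", and_expr, lambda a, b: a or b)

    return or_expr()

def matches(line, data):
    """True if the signature's expression holds for the byte string data."""
    _, _, expr, subsigs = parse_ldb(line)
    return evaluate(expr, [s in data for s in subsigs])
```

Decoded, the four subsignatures are the ASCII strings `OpenCandy`, `Cookie`, `Proxy` and `offers`, and `(0&1&2&3)` requires all of them to be present; `Target:1` restricts the signature to PE files.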