[Community-sigs] new sig Win.Trojan-Chanitor
Ben Baker
bbaker at sourcefire.com
Tue Feb 17 15:48:37 EST 2015
Thanks Andrei! I've queued your signature for FP testing. It should be
published shortly after it passes.
On Tue, Feb 17, 2015 at 1:40 PM, <andreisaygo at live.ie> wrote:
>
> Win.Trojan-Chanitor:1:*:8B4424??8B7C24??037C24??8D1408321732D1881783F8??7E0E*83C0????83F9??????2BC2D1F8EB*014424??FF4424??8B4424??3B4424??7C
>
> Hashes:
> MD5: 53752a41ed21172343f678423d6c9a44
> SHA1: 415303f86603b61b49509f9764ecc9c5d77af853
> SHA256: f5b1deee9f83f8567e02e1f303a35606e2cd60f01136f8b5eea264239538e60a
>
> Sig explained:
> .text:003C22B9 8B 44 24 1C    mov     eax, [esp+2CF0h+lpvObj]
> .text:003C22BD 8B 7C 24 28    mov     edi, [esp+2CF0h+NumberOfBytesWritten]
> .text:003C22C1 03 7C 24 14    add     edi, [esp+2CF0h+ppstm]
> .text:003C22C5 8D 14 08       lea     edx, [eax+ecx]
> .text:003C22C8 32 17          xor     dl, [edi]
> .text:003C22CA 32 D1          xor     dl, cl
> .text:003C22CC 88 17          mov     [edi], dl
> .text:003C22CE 83 F8 64       cmp     eax, 64h
> .text:003C22D1 7E 0E          jle     short loc_3C22E1
> *.text:003C22E1 83 C0 07      add     eax, 7
> .text:003C22E4 ??             cdq
> .text:003C22E5 83 F9 37       cmp     ecx, 37h
> .text:003C22E8 ?? ??          jle     short loc_3C22F0
> .text:003C22EA 2B C2          sub     eax, edx
> .text:003C22EC D1 F8          sar     eax, 1
> .text:003C22EE EB 05          jmp     short loc_3C22F5
> *.text:003C22F5 01 44 24 1C   add     [esp+2CF0h+lpvObj], eax
> .text:003C22F9 FF 44 24 28    inc     [esp+2CF0h+NumberOfBytesWritten]
> .text:003C22FD 8B 44 24 28    mov     eax, [esp+2CF0h+NumberOfBytesWritten]
> .text:003C2301 3B 44 24 20    cmp     eax, [esp+2CF0h+h]
> .text:003C2305 7C B2          jl      short loc_3C22B9
>
> Regards,
> Andrei Saygo
>
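As an added example (not part of either message on this thread, and not ClamAV's own code), the following Python matcher turns the posted .ndb line into a bytes regex, treating `??` as one wildcard byte and `*` as a gap of any length, and runs it over a buffer rebuilt from the disassembly above. The buffer itself, the NOP filler standing in for the stretches the listing omits, and the function names are assumptions of this example.

```python
import re

HEX = set("0123456789abcdefABCDEF")

# Signature exactly as posted, ClamAV .ndb form: Name:TargetType:Offset:HexBody
SIG = ("Win.Trojan-Chanitor:1:*:8B4424??8B7C24??037C24??8D1408321732D1881783F8??"
       "7E0E*83C0????83F9??????2BC2D1F8EB*014424??FF4424??8B4424??3B4424??7C")

def hexsig_to_regex(body):
    """Compile a ClamAV hex body to a bytes regex. Handled: fixed bytes,
    '??' (any one byte), '*' (any run of bytes), '{n}', '{n-m}', '{-m}',
    '{n-}' gaps. Nibble wildcards like '8?' and (aa|bb) groups are rejected."""
    parts, i = [], 0
    while i < len(body):
        if body[i] == "*":
            parts.append(b".*?"); i += 1
        elif body[i] == "{":
            j = body.index("}", i)
            spec = body[i + 1:j]
            if "-" in spec:
                lo, hi = spec.split("-", 1)
                parts.append((".{%s,%s}" % (lo or "0", hi)).encode())
            else:
                parts.append((".{%s}" % spec).encode())
            i = j + 1
        elif body[i:i + 2] == "??":
            parts.append(b"."); i += 2
        elif body[i] in HEX and body[i + 1:i + 2] and body[i + 1] in HEX:
            parts.append(re.escape(bytes.fromhex(body[i:i + 2]))); i += 2
        else:
            raise ValueError("unsupported token at %d: %r" % (i, body[i:i + 4]))
    return re.compile(b"".join(parts), re.DOTALL)

def scan(data, ndb_line):
    """Return (signature name, match offset) or None. The target-type and
    offset fields are split off but not enforced here ('*' = anywhere)."""
    name, _target, _offset, body = ndb_line.split(":", 3)
    m = hexsig_to_regex(body).search(data)
    return (name, m.start()) if m else None

# Constructed buffer rebuilt from the listing in Andrei's mail. 99 (cdq) and
# 7E 06 (jle +6) are the encodings the listing shows as '??'; the two ranges
# the listing skips (3C22D3-3C22E0, 3C22F0-3C22F4) are NOP filler of the
# right length, not bytes taken from the sample.
SAMPLE = bytes.fromhex(
    "8B44241C 8B7C2428 037C2414 8D1408 3217 32D1 8817 83F864 7E0E"
    + " 90" * 14
    + " 83C007 99 83F937 7E06 2BC2 D1F8 EB05"
    + " 90" * 5
    + " 0144241C FF442428 8B442428 3B442420 7CB2")

if __name__ == "__main__":
    print(scan(SAMPLE, SIG))  # ('Win.Trojan-Chanitor', 0)
```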