[Community-sigs] new sig Win.Trojan-Chanitor

Ben Baker bbaker at sourcefire.com
Tue Feb 24 10:10:35 EST 2015


Hi Andrei,
Your sig passed FP testing, and will be published shortly.

On Tue, Feb 24, 2015 at 9:27 AM, <andreisaygo at live.ie> wrote:

> Hi guys,
> Any update on this sig? Did it fail the FP testing?
> Thanks.
> Andrei
>
> > Date: Tue, 17 Feb 2015 15:48:37 -0500
> > From: bbaker at sourcefire.com
> > To: community-sigs at lists.clamav.net; azidouemba at sourcefire.com; shahurle at sourcefire.com; dgoddard at sourcefire.com; anvilleg at sourcefire.com
> > Subject: Re: [Community-sigs] new sig Win.Trojan-Chanitor
> >
> > Thanks Andrei! I've queued your signature for FP testing. It should be
> > published shortly after it passes.
> >
> > On Tue, Feb 17, 2015 at 1:40 PM, <andreisaygo at live.ie> wrote:
> >
> > >
> > >
> > > Win.Trojan-Chanitor:1:*:8B4424??8B7C24??037C24??8D1408321732D1881783F8??7E0E*83C0????83F9??????2BC2D1F8EB*014424??FF4424??8B4424??3B4424??7C
> > >
> > > Hashes:
> > > MD5: 53752a41ed21172343f678423d6c9a44
> > > SHA1: 415303f86603b61b49509f9764ecc9c5d77af853
> > > SHA256: f5b1deee9f83f8567e02e1f303a35606e2cd60f01136f8b5eea264239538e60a
> > >
> > > Sig explained:
> > > .text:003C22B9 8B 44 24 1C             mov     eax, [esp+2CF0h+lpvObj]
> > > .text:003C22BD 8B 7C 24 28             mov     edi, [esp+2CF0h+NumberOfBytesWritten]
> > > .text:003C22C1 03 7C 24 14             add     edi, [esp+2CF0h+ppstm]
> > > .text:003C22C5 8D 14 08                lea     edx, [eax+ecx]
> > > .text:003C22C8 32 17                   xor     dl, [edi]
> > > .text:003C22CA 32 D1                   xor     dl, cl
> > > .text:003C22CC 88 17                   mov     [edi], dl
> > > .text:003C22CE 83 F8 64                cmp     eax, 64h
> > > .text:003C22D1 7E 0E                   jle     short loc_3C22E1
> > > *.text:003C22E1 83 C0 07                add     eax, 7
> > > .text:003C22E4 ??                      cdq
> > > .text:003C22E5 83 F9 37                cmp     ecx, 37h
> > > .text:003C22E8 ?? ??                   jle     short loc_3C22F0
> > > .text:003C22EA 2B C2                   sub     eax, edx
> > > .text:003C22EC D1 F8                   sar     eax, 1
> > > .text:003C22EE EB 05                   jmp     short loc_3C22F5
> > > *.text:003C22F5 01 44 24 1C             add     [esp+2CF0h+lpvObj], eax
> > > .text:003C22F9 FF 44 24 28             inc     [esp+2CF0h+NumberOfBytesWritten]
> > > .text:003C22FD 8B 44 24 28             mov     eax, [esp+2CF0h+NumberOfBytesWritten]
> > > .text:003C2301 3B 44 24 20             cmp     eax, [esp+2CF0h+h]
> > > .text:003C2305 7C B2                   jl      short loc_3C22B9
> > >
> > > Regards,
> > > Andrei Saygo
> > >
> > > _______________________________________________
> > > Community-sigs mailing list
> > > Community-sigs at lists.clamav.net
> > > http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> > >
> > > http://www.clamav.net/contact.html#ml
> > >
>
>
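
The signature quoted above, worked through as an added example (not part of the original thread and not ClamAV's own matcher): a small Python matcher that handles only the `??` and `*` wildcards this signature uses, run against a constructed byte sample. The bytes the listing shows as `??` and the regions covered by `*` are filler chosen for the example; target type and offset are parsed but not enforced.

```python
import re

# Signature line as posted in the thread: Name:TargetType:Offset:HexSig
SIG = ("Win.Trojan-Chanitor:1:*:8B4424??8B7C24??037C24??8D1408321732D1881783F8??"
       "7E0E*83C0????83F9??????2BC2D1F8EB*014424??FF4424??8B4424??3B4424??7C")

def compile_sig(line):
    """Split an extended-format line and turn its hex body into a bytes regex.

    Handles only the tokens this signature uses: hex byte pairs, '??' and '*'.
    """
    name, target, offset, body = line.split(":", 3)
    parts, i = [], 0
    while i < len(body):
        if body[i] == "*":              # any number of bytes
            parts.append(b".*?")
            i += 1
        elif body[i:i + 2] == "??":     # exactly one arbitrary byte
            parts.append(b".")
            i += 2
        else:                           # literal byte; ValueError on anything else
            parts.append(re.escape(bytes.fromhex(body[i:i + 2])))
            i += 2
    return name, target, offset, re.compile(b"".join(parts), re.DOTALL)

def scan(data, line=SIG):
    """Return (name, start, end) of the first match in data, or None."""
    name, _target, _offset, rx = compile_sig(line)
    m = rx.search(data)
    return (name, m.start(), m.end()) if m else None

# Constructed sample: literal bytes copied from the listing in the thread; the
# bytes shown there as ?? and the two regions skipped by '*' are filler.
LOOP = bytes.fromhex(
    "8B44241C8B7C2428037C24148D1408321732D1881783F8647E0E"  # 003C22B9..003C22D2
    + "90" * 14                                               # gap up to 003C22E1
    + "83C0079983F9377E062BC2D1F8EB05"                        # 003C22E1..003C22EF
    + "90" * 5                                                # gap up to 003C22F5
    + "0144241CFF4424288B4424283B4424207CB2")                 # 003C22F5..003C2306
SAMPLE = bytes(64) + LOOP + bytes(16)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The match ends on the `7C` opcode of the final `jl`, so the branch displacement is not part of the pattern, and changing a stack offset covered by `??` still matches while changing a literal opcode does not.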


