[Community-sigs] Win.Trojan.Agent
Ben Baker
bbaker at sourcefire.com
Wed Oct 14 09:51:37 EDT 2015
Hey Askar,
Thanks for the submissions of this signature as well as Win.Trojan.Mediyes.
The Mediyes signatures will be published soon, but unfortunately this
Win.Trojan.Agent signature failed our false-positive testing.
I took a quick look at the entry point of 0cf9e999c574ec89595263446978dc9f
and found IDA Pro's FLIRT signatures recognize that function and highlight
the address in light-blue to indicate that it is library code. That
function was put there by the compiler to do things like set up command
line arguments. The function calls WinMain at 0x004036ee, which transfers
control to the developer's code starting at 0x004028c0. WinMain itself is a
very small function with only 5 lines, but it calls 0x00402690 which
contains some very unique basic blocks that could be signatured on using
the tool or technique you are currently using.
Keep up the good work, and let us know if you have any questions. We really
appreciate the signatures.
-Ben
On Sat, Oct 3, 2015 at 2:15 PM, Askar Dyussekeyev <dyussekeyev at yandex.kz>
wrote:
>
> Win.Trojan.Agent:1:EP+0:558BEC6AFF68????400068????400064A100000000506489250000000083EC685356578965E833DB895DFC6A02FF15????400059830D????4000FF830D????4000FFFF15????40008B0D????40008908FF15????40008B0D????40008908A1????40008B00A3????4000E8????????391D????4000750C68????4000FF15????400059E8????????68????400068????4000E8????????A1????40008945948D459450FF35????40008D459C508D4590508D45A050FF15????400068????400068????4000E8????????83C424A1????40008B3089758C803E22753A
>
> signature looking for specific piece of code at the entry point
>
> detections:
> cf9c2d5a8fbdd1c5adc20cfc5e663c21
> 0cf9e999c574ec89595263446978dc9f - Win.Trojan.Agent-195528
> 7aecb34616245eb6b2906358151be55b - Win.Trojan.Agent-195516
> 929802a27737cebc59d19da724fdf30a - Win.Trojan.Agent-195662
> c04c796ef126ad7429be7d55720fe392 - Win.Trojan.Agent-195663
> d34e357461c55d90c52309c1ff952b4c - Win.Trojan.Agent-195664
> dd21d1ea2146861a4219b1cbdaefe59b - Win.Trojan.Agent-195671
> fcdaa67e33357f64bc4ce7b57491fc53 - Win.Trojan.Agent-195515
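As an added example, not code from the thread and not ClamAV's own matcher: a small Python implementation of how an .ndb line like the one quoted above is applied. It splits the record into name, target type, offset and hex signature, honours the "??" byte wildcard and the "EP+n" offset, and then runs the thread's signature against two constructed byte strings that share the same compiler startup bytes (the signature's fixed bytes with the wildcards filled in) but differ in what follows. Both match, which is the false-positive mechanism Ben describes: everything the signature looks at is library code, so the developer's code after it never influences the verdict. The entry-point file offset 0x400, the filler bytes and the two "programs" are constructed for the example; only the "??" wildcard and a few offset forms ("*", an absolute integer, "EP+n", "EP-n") are implemented, not ClamAV's full hex-signature syntax.

```python
"""Minimal matcher for ClamAV-style .ndb hex signatures (example added for this page).

Not ClamAV's engine: it supports only a subset of the .ndb syntax, namely the
"??" byte wildcard and the offsets "*", an absolute integer, "EP+n" and "EP-n".
"""

# The .ndb line from the thread, verbatim, used as sample input.
NDB_LINE = (
    "Win.Trojan.Agent:1:EP+0:"
    "558BEC6AFF68????400068????400064A100000000506489250000000083EC68"
    "5356578965E833DB895DFC6A02FF15????400059830D????4000FF830D????4000FF"
    "FF15????40008B0D????40008908FF15????40008B0D????40008908A1????4000"
    "8B00A3????4000E8????????391D????4000750C68????4000FF15????400059"
    "E8????????68????400068????4000E8????????A1????40008945948D459450"
    "FF35????40008D459C508D4590508D45A050FF15????400068????400068????4000"
    "E8????????83C424A1????40008B3089758C803E22753A"
)


def parse_ndb(line):
    """Split 'Name:TargetType:Offset:HexSig' into (name, target, offset, hexsig)."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return name, int(target), offset, hexsig


def compile_hexsig(hexsig):
    """Turn the hex text into a list of byte values, None standing for a '??' wildcard."""
    if len(hexsig) % 2:
        raise ValueError("hex signature must contain whole bytes")
    pattern = []
    for i in range(0, len(hexsig), 2):
        pair = hexsig[i:i + 2]
        if pair == "??":
            pattern.append(None)
        elif "?" in pair:
            raise ValueError("nibble wildcards such as '4?' are not supported in this example")
        else:
            pattern.append(int(pair, 16))
    return pattern


def signature_stats(hexsig):
    """Return (fixed_bytes, wildcard_bytes): a crude measure of how specific the signature is."""
    pattern = compile_hexsig(hexsig)
    wild = pattern.count(None)
    return len(pattern) - wild, wild


def match_at(data, pattern, pos):
    """True if the pattern matches data starting exactly at byte offset pos."""
    if pos < 0 or pos + len(pattern) > len(data):
        return False
    window = data[pos:pos + len(pattern)]
    return all(p is None or p == b for p, b in zip(pattern, window))


def matches(data, offset_spec, hexsig, ep=0):
    """Apply the .ndb offset rule (subset) and test the pattern there; ep is the entry-point file offset."""
    pattern = compile_hexsig(hexsig)
    if offset_spec == "*":                       # floating: anywhere in the file
        return any(match_at(data, pattern, i) for i in range(len(data) - len(pattern) + 1))
    if offset_spec.startswith("EP"):             # "EP+n" / "EP-n" / "EP"
        pos = ep + int(offset_spec[2:] or "0")
    else:                                        # absolute file offset
        pos = int(offset_spec)
    return match_at(data, pattern, pos)


def fill_wildcards(hexsig, filler="00"):
    """Constructed sample bytes: the signature's fixed bytes with every '??' replaced by filler."""
    return bytes.fromhex(hexsig.replace("??", filler))


def demo():
    """Two constructed 'programs' that share the compiler startup stub but differ afterwards."""
    _, _, offset, hexsig = parse_ndb(NDB_LINE)
    ep = 0x400                                   # constructed entry-point file offset
    stub = fill_wildcards(hexsig, "00")          # stand-in for the compiler-inserted startup code
    prog_a = b"\x00" * ep + stub + b"\xcc" * 64  # constructed 'developer code' A after the stub
    prog_b = b"\x00" * ep + stub + b"\x90" * 64  # constructed 'developer code' B after the stub
    relocated = b"\x00" * ep + fill_wildcards(hexsig, "7f")  # same stub, different addresses
    return {
        "a_at_ep": matches(prog_a, offset, hexsig, ep),            # True: the stub alone decides
        "b_at_ep": matches(prog_b, offset, hexsig, ep),            # True: developer code not consulted
        "relocated_at_ep": matches(relocated, offset, hexsig, ep), # True: '??' absorbs the addresses
        "wrong_ep": matches(prog_a, offset, hexsig, ep + 2),       # False: anchored to EP, not floating
        "floating": matches(prog_a, "*", hexsig),                  # True: '*' scans the whole buffer
    }


if __name__ == "__main__":
    print(signature_stats(parse_ndb(NDB_LINE)[3]))
    print(demo())
```

signature_stats reports 160 fixed bytes and 60 wildcard bytes for the thread's signature. That is a long pattern, yet every fixed byte belongs to the startup stub, so length alone says nothing about how specific a signature is; what matters is whether the bytes it pins down were written by the malware author or emitted by the compiler for every program built with it.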