[Community-sigs] Win.Trojan.KillAV
Mariano Graziano
magrazia at sourcefire.com
Tue Aug 2 14:03:38 EDT 2016
Hi Askar,
your signature didn't pass the FP tests.
I refined it a little bit, but it's still failing (I added a
couple of common and peculiar strings).
The signature now looks like:
Win.Trojan.KillAV;Target:1;(0&1&2&3&4);626174636866696c652e626174;6f70656e;726d646972;73656c6664656c;5712:5589E55356578B5D088B7D0C50EB47833FFE752531F6EB17FF771089F00FAF470C8B570801DA01D050E8????????463B77047CE483C714EB1D8B07833C030074128B07FF34036A00FF35????????E8????????83C704833FFF75B431F6585F5E5B5DC20800
I added the hardcoded name of the BAT file and some of its commands:
batchfile.bat
open
rmdir
selfdel
You mentioned it correctly triggers for 120 samples.
At the moment I have the following FPs:
Are they in your list?
In case they are not, you should find another peculiar block of code.
Thanks for your submission and your time.
On Mon, Aug 1, 2016 at 2:43 AM, Mariano Graziano <magrazia at sourcefire.com>
wrote:
> Hello Askar,
> thanks for your submission.
> Your signature has been queued for the FP tests and it will be published
> soon.
>
> On Sun, Jul 31, 2016 at 7:11 PM, Askar Dyussekeyev <dyussekeyev at yandex.kz>
> wrote:
>
>>
>> Win.Trojan.KillAV:1:5712:5589E55356578B5D088B7D0C50EB47833FFE752531F6EB17FF771089F00FAF470C8B570801DA01D050E8????????463B77047CE483C714EB1D8B07833C030074128B07FF34036A00FF35????????E8????????83C704833FFF75B431F6585F5E5B5DC20800
>>
>> The signature looks for a specific block of code.
>>
>> detections (120):
>
>
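To make the refinement discussed in the thread concrete, here is a small evaluator for the .ldb logical signature quoted above: it shows why the code block alone matches a buffer that lacks the BAT strings while the refined `(0&1&2&3&4)` signature does not. This is added example code, not part of the thread or of ClamAV itself; it supports only the features this signature uses (an anchored offset, the `??` byte wildcard, `&`/`|` logic with parentheses), ignores the Target type, and the sample buffers are constructed.

```python
import re
# The .ldb logical signature from the thread, hex block copied verbatim (split for width).
KILLAV_LDB = (
    "Win.Trojan.KillAV;Target:1;(0&1&2&3&4);626174636866696c652e626174;6f70656e;726d646972;73656c6664656c;"
    "5712:5589E55356578B5D088B7D0C50EB47833FFE752531F6EB17FF771089F00FAF470C8B57"
    "0801DA01D050E8????????463B77047CE483C714EB1D8B07833C030074128B07FF3403"
    "6A00FF35????????E8????????83C704833FFF75B431F6585F5E5B5DC20800"
)

def subsig_hit(data, subsig):
    """Match one 'offset:hex' or bare-hex subsig; '??' = any byte; an offset anchors the match."""
    offset, _, hexpat = subsig.rpartition(":")
    pairs = [hexpat[i:i + 2] for i in range(0, len(hexpat), 2)]
    pat = re.compile(b"".join(b"." if p == "??" else re.escape(bytes.fromhex(p))
                              for p in pairs), re.DOTALL)
    return (pat.match(data, int(offset)) if offset else pat.search(data)) is not None

def eval_logic(expr, hits):
    """Evaluate the logic expression over subsig hit flags (numbers, '&' binds tighter than '|', parens)."""
    toks = re.findall(r"\d+|[&|()]", expr)
    def atom():
        tok = toks.pop(0)
        if tok == "(":
            val = disj()
            toks.pop(0)                       # drop the matching ')'
            return val
        return hits[int(tok)]
    def conj():
        val = atom()
        while toks and toks[0] == "&":
            toks.pop(0)
            val = atom() and val              # call atom() first so tokens are consumed
        return val
    def disj():
        val = conj()
        while toks and toks[0] == "|":
            toks.pop(0)
            val = conj() or val
        return val
    return disj()

def scan(data, ldb=KILLAV_LDB):
    """True when the subsig hits satisfy the logical expression (Target type ignored)."""
    _name, _target, expr, *subsigs = ldb.split(";")
    return eval_logic(expr, [subsig_hit(data, s) for s in subsigs])

# Constructed samples: the code block at offset 5712 (wildcards filled with 0x90), with/without the BAT strings.
CODE = bytes.fromhex(KILLAV_LDB.rsplit(":", 1)[1].replace("??", "90"))
SAMPLE_HIT = b"\0" * 5712 + CODE + b"batchfile.bat open rmdir selfdel"
SAMPLE_CODE_ONLY = b"\0" * 5712 + CODE      # code block alone no longer matches
```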