[Community-sigs] Win.Trojan.KillAV
Askar Dyussekeyev
dyussekeyev at yandex.kz
Thu Aug 4 12:05:11 EDT 2016
Good day!
I have changed the signature:
Win.Trojan.KillAV:1:4406:47803F2074FA31F646803F2275224789FBEB01470FBE0709C0740583F82275F3803F007406897DF447EB2D897DF4EB28803F00742189FBEB01470FBE0709C0740583F82075F3803F007406897DF447EB07897DF4EB0231F68B45F88B55FC39107506837D0800750E09F67403FF45FC31DB803F00758B837D080075058B45FCEB1F09DB74138B45088B55F429DA89108B45F8FF0089D8EB088B450883200089F85F5E5BC9C20400
Can you check it for FP?
02.08.2016, 23:03, "Mariano Graziano" <magrazia at sourcefire.com>:
> Hi Askar,
> your signature didn't pass the FP tests.
> I refined it a little bit, but it's still failing (I added a
> couple of common and peculiar strings).
> The signature now looks like:
>
> Win.Trojan.KillAV;Target:1;(0&1&2&3&4);626174636866696c652e626174;6f70656e;726d646972;73656c6664656c;5712:5589E55356578B5D088B7D0C50EB47833FFE752531F6EB17FF771089F00FAF470C8B570801DA01D050E8????????463B77047CE483C714EB1D8B07833C030074128B07FF34036A00FF35????????E8????????83C704833FFF75B431F6585F5E5B5DC20800
>
> I added the hardcoded name of the BAT file and some of its commands:
> batchfile.bat
> open
> rmdir
> selfdel
>
> You mentioned it correctly triggers for 120 samples.
> At the moment I have the following FPs:
>
>
> Are they in your list?
> In case they are not, you should find another peculiar block of code.
>
> Thanks for the submission and your time.
>
> On Mon, Aug 1, 2016 at 2:43 AM, Mariano Graziano <magrazia at sourcefire.com>
> wrote:
>
>> Hello Askar,
>> thanks for your submission.
>> Your signature has been queued for the FP tests and it will be published
>> soon.
>>
>> On Sun, Jul 31, 2016 at 7:11 PM, Askar Dyussekeyev <dyussekeyev at yandex.kz>
>> wrote:
>>
>>> Win.Trojan.KillAV:1:5712:5589E55356578B5D088B7D0C50EB47833FFE752531F6EB17FF771089F00FAF470C8B570801DA01D050E8????????463B77047CE483C714EB1D8B07833C030074128B07FF34036A00FF35????????E8????????83C704833FFF75B431F6585F5E5B5DC20800
>>>
>>> The signature looks for a specific block of code.
>>>
>>> detections (120):
>>> _______________________________________________
>>> Community-sigs mailing list
>>> Community-sigs at lists.clamav.net
>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>>>
>>> http://www.clamav.net/contact.html#ml
>
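To make the difference between the two versions of the signature concrete, here is an added Python example (not ClamAV code, and not from anyone in the thread) that parses the refined logical signature quoted above, turns each hex subsignature with its ?? wildcards into a bytes regex, evaluates the (0&1&2&3&4) expression, and runs it over two constructed buffers: one carrying the code block plus the BAT-file strings, one carrying the code block alone. It supports only the ?? wildcard and &/| logic with parentheses (an assumption; ClamAV's other wildcards and count operators are not modelled).

```python
import re

# ClamAV logical (.ldb) signature quoted in the thread above, copied verbatim.
LDB_SIG = ("Win.Trojan.KillAV;Target:1;(0&1&2&3&4);626174636866696c652e626174;6f70656e;726d646972;73656c6664656c;"
           "5712:5589E55356578B5D088B7D0C50EB47833FFE752531F6EB17FF771089F00FAF470C8B570801DA01D050E8????????"
           "463B77047CE483C714EB1D8B07833C030074128B07FF34036A00FF35????????E8????????83C704833FFF75B431F6585F5E5B5DC20800")

def hex_to_regex(hexsig):
    # Literal bytes plus the ?? single-byte wildcard only (assumption: no other ClamAV
    # wildcards); an "offset:" prefix such as 5712: is dropped, so we match at any offset.
    hexsig = hexsig.split(":", 1)[-1]
    pairs = [hexsig[i:i + 2] for i in range(0, len(hexsig), 2)]
    return re.compile(b"".join(b"." if p == "??" else re.escape(bytes.fromhex(p)) for p in pairs), re.DOTALL)

def eval_logic(expr, hits):
    # Subsig indices joined by & / | with parentheses, left to right (assumption: no count operators).
    pos = [0]
    def term():
        if expr[pos[0]] == "(":
            pos[0] += 1
            val = expression()
            pos[0] += 1                    # consume the closing ')'
            return val
        start = pos[0]
        while pos[0] < len(expr) and expr[pos[0]].isdigit():
            pos[0] += 1
        return hits[int(expr[start:pos[0]])]
    def expression():
        val = term()
        while pos[0] < len(expr) and expr[pos[0]] in "&|":
            op, pos[0] = expr[pos[0]], pos[0] + 1
            rhs = term()
            val = (val and rhs) if op == "&" else (val or rhs)
        return val
    return expression()

def matches(ldb_line, data):
    # Fields: name; target; logic expression; subsig0; subsig1; ...
    fields = ldb_line.split(";")
    hits = [hex_to_regex(s).search(data) is not None for s in fields[3:]]
    return eval_logic(fields[2], hits)

def build_code_block(filler=b"\x00"):
    # Constructed bytes: the code subsignature with its ?? positions filled in.
    code_hex = LDB_SIG.split(";")[-1].split(":", 1)[1]
    return bytes.fromhex(code_hex.replace("??", filler.hex()))

# Constructed buffers, not real samples: code block plus BAT strings vs. the shared code block only.
SAMPLE_TROJAN = b"\x90" * 16 + build_code_block() + b"batchfile.bat\0open\0rmdir\0selfdel\0"
SAMPLE_CLEAN_LOOKALIKE = b"\x90" * 16 + build_code_block(b"\x41")
```

The code-only buffer still matches the last subsignature on its own (which is all the original .ndb signature checked), but fails the full logical expression, which is the effect the added strings were meant to have on the FP set.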