[Community-sigs] Win.Trojan.Autoit
Matthew Molyett
mmolyett at sourcefire.com
Mon Jul 18 11:18:33 EDT 2016
Arnaud,
Thank you for your submission. The signature and submitted sample failed to
detect due to the submitted sample exceeding the default Max Script Size.
To avoid this problem, the signature was modified to use Type 0 and a
bounded offset to detect the beginning of the malicious script.
Win.Trojan.Autoit-2290;Target:0;0&1;4,32:203d20405343524950544e414d45;2820307830303030303035632029202620{-20}2820307830303030303037322029202620{-20}2820307830303030303036352029202620{-20}2820307830303030303037332029202620
Win.Trojan.Autoit-2291;Target:0;0&1;128,256:23234e6f5472617949636f6e;2820307830303030303035632029202620{-20}2820307830303030303037322029202620{-20}2820307830303030303036352029202620{-20}2820307830303030303037332029202620
This pair of signatures has passed FP check and will be published soon.
Thanks!
On Thu, Jul 14, 2016 at 3:22 AM, Arnaud Jacques / SecuriteInfo.com <webmaster at securiteinfo.com> wrote:
> Hello,
>
> >
> > Win.Trojan.Autoit:7:*:2820307830303030303035632029202620{-20}2820307830303030303037322029202620{-20}2820307830303030303036352029202620{-20}2820307830303030303037332029202620
>
> Any news for this signature? Did it pass the FP tests?
>
>
> --
> Best regards,
>
> Arnaud Jacques
> SecuriteInfo.com
>
> Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter : @SecuriteInfoCom
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>
--
Matthew Molyett
Cisco Talos Researcher
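The two lines in the reply are ClamAV logical signatures (.ldb format): name, target block, logical expression, then one subsignature per field, each optionally prefixed with an offset. The offset "4,32" means the subsignature must begin somewhere between byte 4 and byte 36 of the file, "128,256" between byte 128 and byte 384, and "{-20}" in a hex body allows up to 20 arbitrary bytes between the two literals. The following is an added example, not code from ClamAV or from anyone in the thread: it parses the two published signatures, decodes their hex bodies to text, and evaluates them against constructed AutoIt-style buffers, including one where the anchor string sits past the bounded offset and therefore does not match. It implements only the subset of the signature grammar these two lines use (hex literals, {n}/{-n}/{n-m}/{n-} gaps, '*', flat '&'/'|' expressions), and the sample buffers are invented for illustration.

```python
"""Parse and evaluate the two ClamAV logical (.ldb) signatures from the
thread against constructed sample buffers.  Added example, not ClamAV's own
matcher: only the subset of the signature grammar these lines use is handled
(hex literals, {n}/{-n}/{n-m}/{n-} gaps and '*', offsets of the form 'n',
'n,maxshift' or '*', and flat '&'/'|' logical expressions)."""
import re

# The two signatures exactly as published in the reply.
SIGS = [
    "Win.Trojan.Autoit-2290;Target:0;0&1;4,32:203d20405343524950544e414d45;"
    "2820307830303030303035632029202620{-20}2820307830303030303037322029202620"
    "{-20}2820307830303030303036352029202620{-20}2820307830303030303037332029202620",
    "Win.Trojan.Autoit-2291;Target:0;0&1;128,256:23234e6f5472617949636f6e;"
    "2820307830303030303035632029202620{-20}2820307830303030303037322029202620"
    "{-20}2820307830303030303036352029202620{-20}2820307830303030303037332029202620",
]

_TOKEN = re.compile(r"\{[^}]*\}|\*|[0-9a-fA-F]{2}")
_OFFSET = re.compile(r"\*|\d+(,\d+)?")


def parse_ldb(line):
    """Split 'Name;TargetBlock;LogicalExpr;sub0;sub1;...' into a dict.
    Each subsignature is returned as (offset, hexbody); '*' = anywhere."""
    name, target, expr, *subs = line.strip().split(";")
    if not re.fullmatch(r"[0-9&|]+", expr):
        raise ValueError("unsupported logical expression: " + expr)
    parsed = []
    for sub in subs:
        off, sep, body = sub.partition(":")
        if not (sep and _OFFSET.fullmatch(off)):
            off, body = "*", sub          # no explicit offset prefix
        parsed.append((off, body))
    return {"name": name, "target": target, "expr": expr, "subsigs": parsed}


def _tokens(body):
    toks = _TOKEN.findall(body)
    if "".join(toks) != body:
        raise ValueError("unsupported hex syntax in: " + body)
    return toks


def hex_to_regex(body):
    """Translate a hex body into a bytes regex: literal bytes plus gap tokens."""
    parts = []
    for tok in _tokens(body):
        if tok == "*":
            parts.append(b".*?")
        elif tok.startswith("{"):
            lo, dash, hi = tok[1:-1].partition("-")
            if not dash:                  # {n}: exactly n bytes
                parts.append(b".{%d}" % int(lo))
            else:                         # {n-m}: n..m bytes, either side optional
                parts.append(b".{%d,%s}" % (int(lo or 0), hi.encode()))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def hex_to_text(body):
    """Render a hex body for a human: decoded bytes, gap tokens left as written."""
    return "".join(tok if tok == "*" or tok.startswith("{")
                   else bytes.fromhex(tok).decode("latin-1")
                   for tok in _tokens(body))


def to_hex(data):
    """Inverse of the above, for authoring a new literal subsignature."""
    return data.hex()


def subsig_matches(off, body, data):
    """'n,m' means the match must *begin* at a position in [n, n+m];
    plain 'n' means exactly at n; '*' means anywhere in the buffer."""
    rx = hex_to_regex(body)
    if off == "*":
        return rx.search(data) is not None
    start, _, shift = off.partition(",")
    lo = int(start)
    hi = lo + int(shift or 0)
    m = rx.search(data, lo)               # leftmost match starting at >= lo
    return m is not None and m.start() <= hi


def scan(sig, data):
    """Evaluate the flat logical expression ('&' binds tighter than '|')."""
    hits = [subsig_matches(off, body, data) for off, body in sig["subsigs"]]
    return any(all(hits[int(i)] for i in alt.split("&"))
               for alt in sig["expr"].split("|"))


# Constructed AutoIt-style fragments (not a real sample): the obfuscated
# character-concatenation literal both signatures share, plus the two anchors.
OBF = b'$p = ( 0x0000005c ) & ( 0x00000072 ) & ( 0x00000065 ) & ( 0x00000073 ) & "x"\r\n'
SAMPLE_2290 = b"$name = @SCRIPTNAME\r\n" + OBF                 # anchor begins at byte 5
SAMPLE_2291 = b"; " + b"x" * 130 + b"\r\n##NoTrayIcon\r\n" + OBF  # anchor begins at byte 134
SAMPLE_LATE = b"; " + b"x" * 500 + b"\r\n$name = @SCRIPTNAME\r\n" + OBF  # anchor past 4+32

if __name__ == "__main__":
    for line in SIGS:
        sig = parse_ldb(line)
        print(sig["name"], sig["target"], sig["expr"])
        for off, body in sig["subsigs"]:
            print("  %-8s %s" % (off, hex_to_text(body)))
    print(scan(parse_ldb(SIGS[0]), SAMPLE_2290),
          scan(parse_ldb(SIGS[1]), SAMPLE_2291),
          scan(parse_ldb(SIGS[0]), SAMPLE_LATE))
```

The third buffer is the point of the change described in the reply: the same bytes that the original unanchored ".ndb" body would have matched anywhere now only count when they begin inside the bounded window, which is what lets the engine decide on the first few hundred bytes of the raw file instead of a fully normalized script.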