ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
Signatures For Latest Necurs Botnet Downloader
GuitarBob


Joined: 09 Jul 2006
Posts: 4370
Location: USA
Reply with quote
Necurs is a botnet distributing malware that runs spam, disables antivirus software, and steals information. The latest version uses scripts that never get copied to user computers. The final script in the infection chain downloads the loader of the actual malware. Some AVs (including Clam AV) will not be able to detect the malware because of the scripts. Below are signatures for the loaders of different versions of the current Necurs campaign. The loaders are placed on a computer via clicked internet shortcut files (.URL) that look like folders and act like .lnk files and are actually internet shortcuts to the downloaders. Copy the signatures, put them in a Notepad file, name the file sigfile.mdb, and save it in the C:\ProgramData\.clamwin\db folder. If you already have an mdb file in the db folder, just add it to the other signatures in the file. Make sure that there is no .txt extension in the saved mdb file. The signatures work for me, but test them by scanning a file with ClamWin after saving the mdb file. Also add .url as an extension to be scanned by ClamWin/Clam Sentinel.

33280:89ce8c7867f0575e2db1045c5c339b7a:Win.Trojan.Quantloader-042618.0958
8192:d1d31a2a01cdfd650c429599d23e7c01:Win.Trojan.Quantloader-042618.0953
30720:e3ab8a8bacf4a74e73549623dbd434cb:Win.Trojan.Quantloader-042618.0953
8192:64631fc4a64b31263c73975381fa1bea:Win.Trojan.Quantloader-042618.0950

Regards,
View user's profileSend private message
Signatures For Latest Necurs Botnet Downloader
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Reply to topic