ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
HDB Signatures For New CryptoMiner/DDOS Lucifer Malware
GuitarBob


Joined: 09 Jul 2006
Posts: 4631
Location: USA
Reply with quote
A new trojan has been discovered that takes advantage of numerous exploits so that if it gets on a computer, there is a very good chance that it will be able to do the bidding of its developers. The trojan has been named Lucifer. Once on a Windows computer, it can mine for virtual currency and also perform Distributed denial of services attacks. It can also install a backdoor, and it could probably be turned into a malware platform in future versions.

Below are 2 HDB signatures for versions of this malware. That is all I could get. I suppose it could be targeting lots of countries/places, but it seems right now to be primarily in the USA.

Copy the HDB signature to a Notepad file and save it in the ClamWin db program data folder, or add the signature to an existing HDB file if you already have one in the folder. Do not save the file with a .txt or .text extension on the end of the name. Save the file as Sigfile.hdb. Select file type All Files to prevent the .txt or .text from being used at the end of the filename. ClamWin is unable to recognize a text file as a signature. After saving the file, scan something with ClamWin to make sure the signature works--delete the signature file if it does not or remove the bad signature from an existing HDB file. This signature will probably last about 2 weeks.

7b2f170698522cd844e0423252ad36c1:3212420:Win.Trojan.Lucifer-062620.1008
23d84a7ed2e8e76d0a13197b74913654:1361920:Win.Trojan.Lucifer-062620.1005

Regards,
View user's profileSend private message
Lipper


Joined: 31 Oct 2010
Posts: 127
Location: USA
Reply with quote
Thanks, Bob. Correct me if I am wrong, but didn't you reverse the file hash and file size?

Lipper
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4631
Location: USA
Reply with quote
Hello Lipper, it's good to hear from you. HDB sigs have the file hash first and then the file size. MDB sigs are just the opposite--file size is first. I have forgotten this on occasion and used the wrong format.

MDB sigs can last longer because they are a hash of an important section of the file, while HDB sigs are a hash for the entire file. If a file changes, the HDB sig is no good, but malware authors sometimes reuse file sections.

Regards,
View user's profileSend private message
Lipper


Joined: 31 Oct 2010
Posts: 127
Location: USA
Reply with quote
Thanks for keeping me straight, Bob. I erroneously placed the sigs in the mdb file and got a malformed database error. Doh! All is well now, though. Nice chatting with you.

Lipper Smile
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4631
Location: USA
Reply with quote
You stay safe, Lipper. Clam AV seems to be getting a bit better now with signatures for high profile malware, but ClamWin is so slow loading signatures/scanning that it's almost not worth using. I have been trying to get Alch to upgrade it, but I think he is going to let it die a natural death. It will probably go away when there are only a few Win 98 users left.

Regards,
View user's profileSend private message
HDB Signatures For New CryptoMiner/DDOS Lucifer Malware
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Reply to topic