HDB Signatures For New CryptoMiner/DDOS Lucifer Malware
GuitarBob
Joined: 09 Jul 2006
Posts: 4935
Location: USA
A new trojan has been discovered that takes advantage of numerous exploits so that if it gets on a computer, there is a very good chance that it will be able to do the bidding of its developers. The trojan has been named Lucifer. Once on a Windows computer, it can mine for virtual currency and also perform distributed denial of service attacks. It can also install a backdoor, and it could probably be turned into a malware platform in future versions.

Below are 2 HDB signatures for versions of this malware. That is all I could get. I suppose it could be targeting lots of countries/places, but it seems right now to be primarily in the USA.

Copy the HDB signature to a Notepad file and save it in the ClamWin db program data folder, or add the signature to an existing HDB file if you already have one in the folder. Do not save the file with a .txt or .text extension on the end of the name. Save the file as Sigfile.hdb. Select file type All Files to prevent the .txt or .text from being used at the end of the filename. ClamWin is unable to recognize a text file as a signature. After saving the file, scan something with ClamWin to make sure the signature works--delete the signature file if it does not or remove the bad signature from an existing HDB file. This signature will probably last about 2 weeks.

7b2f170698522cd844e0423252ad36c1:3212420:Win.Trojan.Lucifer-062620.1008
23d84a7ed2e8e76d0a13197b74913654:1361920:Win.Trojan.Lucifer-062620.1005

Regards,
Lipper
Joined: 31 Oct 2010
Posts: 139
Location: USA
Thanks, Bob. Correct me if I am wrong, but didn't you reverse the file hash and file size?

Lipper
GuitarBob
Joined: 09 Jul 2006
Posts: 4935
Location: USA
Hello Lipper, it's good to hear from you. HDB sigs have the file hash first and then the file size. MDB sigs are just the opposite--file size is first. I have forgotten this on occasion and used the wrong format.

MDB sigs can last longer because they are a hash of an important section of the file, while HDB sigs are a hash for the entire file. If a file changes, the HDB sig is no good, but malware authors sometimes reuse file sections.

Regards,
Lipper
Joined: 31 Oct 2010
Posts: 139
Location: USA
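The field order Bob describes above (HDB is hash:size:name, MDB is size:hash:name) is easy to get backwards, and a swapped line is exactly what produces ClamWin's "malformed database" error. The following is an added example, not code from this thread or from ClamWin itself: it builds an HDB line from a file's bytes and checks an existing line against the expected order for its database type, flagging the swapped case. The sample bytes and signature names are constructed for illustration.

```python
import hashlib
import re
from typing import Optional

# Constructed stand-in for a file's contents; not a real sample.
SAMPLE = b"MZ" + b"\x00" * 100

_HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def hdb_line(data: bytes, name: str) -> str:
    """Build a ClamAV HDB line: <md5 of whole file>:<file size>:<signature name>."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def check_sig(line: str, kind: str) -> Optional[str]:
    """Return None if `line` is well-formed for `kind` ('hdb' or 'mdb'),
    otherwise a message describing the problem.

    HDB order: hash:size:name   (hash covers the whole file)
    MDB order: size:hash:name   (hash covers one PE section)
    A '*' size wildcard is accepted in place of a numeric size.
    """
    parts = line.strip().split(":")
    if len(parts) < 3:
        return "expected at least 3 colon-separated fields"
    if kind == "hdb":
        hash_field, size_field = parts[0], parts[1]
    elif kind == "mdb":
        size_field, hash_field = parts[0], parts[1]
    else:
        raise ValueError("kind must be 'hdb' or 'mdb'")

    def size_ok(s: str) -> bool:
        return s == "*" or s.isdigit()

    if _HEX32.match(hash_field) and size_ok(size_field):
        return None
    # If the fields validate in the opposite order, the line was written
    # in the other database's format (the mistake discussed in this thread).
    if _HEX32.match(size_field) and size_ok(hash_field):
        other = "mdb" if kind == "hdb" else "hdb"
        return f"hash and size appear swapped (line is in {other.upper()} order)"
    return "malformed hash or size field"


if __name__ == "__main__":
    line = hdb_line(SAMPLE, "Test.Constructed-1")
    print(line, check_sig(line, "hdb"), check_sig(line, "mdb"))
```

Run `check_sig` over every line of a hand-made .hdb or .mdb before dropping it into the db folder; any non-None result is a line ClamWin will reject.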
Thanks for keeping me straight, Bob. I erroneously placed the sigs in the mdb file and got a malformed database error. Doh! All is well now, though. Nice chatting with you.

Lipper
GuitarBob
Joined: 09 Jul 2006
Posts: 4935
Location: USA
You stay safe, Lipper. Clam AV seems to be getting a bit better now with signatures for high profile malware, but ClamWin is so slow loading signatures/scanning that it's almost not worth using. I have been trying to get Alch to upgrade it, but I think he is going to let it die a natural death. It will probably go away when there are only a few Win 98 users left.

Regards,