Concrete signature match: Trojan (appears legitimate but performs malicious actions) for the MSIL platform (.NET Microsoft Intermediate Language), family XWorm
This is a concrete detection of Trojan:MSIL/XWorm.GPB!MTB, a variant of the XWorm Trojan family compiled to .NET (MSIL). The strings associated with the threat indicate that the malware establishes persistence on the compromised system by creating a forced, minute-interval scheduled task (schtasks /create) and by adding a value under the Windows Run registry key.
Relevant strings associated with this threat:
- create /f /sc minute (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
Note that the rule below does not match on these text strings: its single string is a wildcarded sequence of CIL (MSIL) bytecode.
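The two strings above are the persistence artefacts an analyst looks for on a suspect host: a schtasks command line that creates a forced, minute-interval task, and an autostart value under the Run key. The following Python is an added example, not part of the signature or of threatcheck.sh. It triages constructed process-creation command lines and constructed `reg query` output (both made up for this example, not real telemetry) for exactly those artefacts, and flags autostart targets that live under user-writable directories. That last heuristic is an assumption of the example, so per-user installs such as OneDrive will also be listed; the output is a review list, not a verdict.

```python
import re
from dataclasses import dataclass

# Fragment from the signature's PEHSTR_EXT list: schtasks syntax for a
# forced (/f), minute-interval (/sc minute) task.
SCHTASKS_SIG = "create /f /sc minute"

# Heuristic assumption of this example: autostart targets under directories a
# non-admin user can write to deserve manual review.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_CMDLINES = [
    'schtasks /create /f /sc minute /mo 1 /tn "Updater" '
    '/tr "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe"',
    'schtasks /create /sc daily /tn "Backup" /tr "C:\\Program Files\\Backup\\bk.exe"',
    "schtasks /query /fo csv",
]

# Constructed output of `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`.
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    XClient     REG_SZ    C:\Users\bob\AppData\Roaming\XClient.exe
    Vanguard    REG_SZ    "C:\Program Files\Riot Vanguard\vgtray.exe"
"""


@dataclass
class Finding:
    source: str      # "schtasks" or "run_key"
    name: str        # task name or Run value name
    target: str      # executable the entry launches
    reasons: tuple   # why it was flagged


def _arg(cmdline, switch):
    """Return the value following /switch, honouring double quotes."""
    m = re.search(rf'/{switch}\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_schtasks_create(cmdline):
    """Parse a `schtasks /create ...` command line; None for anything else."""
    if not re.search(r"\bschtasks\b.*?/create\b", cmdline, re.I):
        return None
    return {
        "sc": (_arg(cmdline, "sc") or "").lower(),
        "mo": _arg(cmdline, "mo"),
        "tn": _arg(cmdline, "tn"),
        "tr": _arg(cmdline, "tr"),
        "forced": bool(re.search(r"\s/f\b", cmdline, re.I)),
    }


def exe_from_value(data):
    """Extract the launched executable from a Run value or a /tr argument."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ")[0]


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def parse_run_key(reg_output):
    """Turn `reg query ...\\Run` output into (value name, data) pairs."""
    entries = []
    for line in reg_output.splitlines():
        m = re.match(r"\s*(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def triage(cmdlines, reg_output):
    """Return the persistence entries worth a human look, with reasons."""
    findings = []
    for cl in cmdlines:
        task = parse_schtasks_create(cl)
        if not task:
            continue
        reasons = []
        if SCHTASKS_SIG in cl.lower():
            reasons.append("signature string '%s' present" % SCHTASKS_SIG)
        if task["sc"] == "minute":
            reasons.append("repeats every %s minute(s)" % (task["mo"] or "?"))
        if task["tr"] and is_user_writable(task["tr"]):
            reasons.append("target in user-writable directory")
        if reasons:
            findings.append(Finding("schtasks", task["tn"] or "?",
                                    exe_from_value(task["tr"] or ""), tuple(reasons)))
    for name, data in parse_run_key(reg_output):
        exe = exe_from_value(data)
        if is_user_writable(exe):
            findings.append(Finding("run_key", name, exe,
                                    ("autostart from user-writable directory",)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES, SAMPLE_RUN_KEY):
        print(f.source, f.name, f.target, "; ".join(f.reasons))
```

On a real host the inputs would come from process-creation telemetry (Sysmon event 1, EDR) and from `reg query` against both HKLM and HKCU, since the Run key exists in both hives; the task entries created this way can also be listed with `schtasks /query /fo CSV /v` and filtered on the same fields.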
rule Trojan_MSIL_XWorm_GPB_2147906996_0
{
meta:
author = "threatcheck.sh"
detection_name = "Trojan:MSIL/XWorm.GPB!MTB"
threat_id = "2147906996"
type = "Trojan"
platform = "MSIL: .NET intermediate language scripts"
family = "XWorm"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
threshold = "1"
strings_accuracy = "Low"
strings:
$x_1_1 = {0c 08 17 61 d1 0c 07 08 6f ?? 00 00 0a 26 09 17 58 0d 09 02} //weight: 1, accuracy: Low
condition:
(filesize < 20MB) and
(all of ($x*))
}

SHA-256: e64ea1919733003e81ccf173f4cb27b02206602ccc21dabed13d6a8e9a62f838

Remediation: isolate the infected system, run a full scan with an updated antivirus engine, and manually review and remove suspicious entries under `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (in both HKLM and HKCU) and in the scheduled tasks. Consider re-imaging the system for complete eradication.
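The rule's only string is a wildcarded CIL byte sequence, which is why it is hard to read at a glance. The following Python is an added example, not part of the rule, of YARA or of threatcheck.sh. It re-implements the rule's condition (filesize < 20MB, where YARA's MB is 1024*1024, and the hex string with `??` matching any byte) over a constructed buffer, and labels each byte of the pattern with its CIL mnemonic from ECMA-335. Read that way the pattern is consistent with a string-decoding loop: a local is XORed with 1 and converted to a char, a method is called on another local with it and the result discarded, and a counter is incremented. The wildcarded byte is the low byte of the 4-byte method token that follows callvirt (table 0x0A, a MemberRef), which differs between builds; the loop interpretation is this example's reading of the bytes, not something the rule states.

```python
import re

# The rule's single string and its filesize guard, copied from the YARA above.
PATTERN = "0c 08 17 61 d1 0c 07 08 6f ?? 00 00 0a 26 09 17 58 0d 09 02"
MAX_SIZE = 20 * 1024 * 1024  # YARA's "20MB"

# CIL one-byte opcodes used by the pattern (ECMA-335 partition III).
CIL = {0x02: "ldarg.0", 0x07: "ldloc.1", 0x08: "ldloc.2", 0x09: "ldloc.3",
       0x0c: "stloc.2", 0x0d: "stloc.3", 0x17: "ldc.i4.1", 0x26: "pop",
       0x58: "add", 0x61: "xor", 0x6f: "callvirt", 0xd1: "conv.u2"}


def hex_pattern_to_regex(pattern):
    """Compile a YARA-style hex string ('??' = any byte) into a bytes regex.
    DOTALL is required so '??' also matches 0x0a."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data):
    """Offsets at which the rule would match; [] if the size guard fails."""
    if len(data) >= MAX_SIZE:
        return []
    return [m.start() for m in hex_pattern_to_regex(PATTERN).finditer(data)]


def annotate(pattern):
    """Render the pattern as CIL mnemonics. callvirt consumes a 4-byte
    little-endian metadata token; here its high byte 0x0a marks a MemberRef."""
    toks = pattern.split()
    out, i = [], 0
    while i < len(toks):
        if toks[i] == "??":
            out.append("??")
            i += 1
            continue
        name = CIL.get(int(toks[i], 16), "0x" + toks[i])
        if name == "callvirt":
            out.append("callvirt <%s>" % " ".join(toks[i + 1:i + 5]))
            i += 5
        else:
            out.append(name)
            i += 1
    return out


def build_sample(token_low=0x1f):
    """Constructed test buffer (not a real sample): a fake header, filler,
    then the pattern with a concrete token byte in place of '??'."""
    body = bytes.fromhex(PATTERN.replace("??", "%02x" % token_low))
    return b"MZ" + bytes(range(64)) + body + b"\x00" * 16


if __name__ == "__main__":
    print("match offsets:", scan(build_sample()))
    print("\n".join(annotate(PATTERN)))
```

Running the annotation alone is a quick way to sanity-check a low-accuracy MSIL byte signature before deploying it: if the mnemonics do not form a plausible instruction sequence, the pattern probably straddles an instruction boundary and will be brittle across compiler versions.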