HIPS HIPS Hooray for proactive detection
This morning, looking through the customer submissions to Sophos (how to submit samples), I saw a sample with the ‘Rule or identity name triggered by this file (if applicable)’ form field filled in as HIPS/RegMon-009.
SophosLabs’ automated scans showed this sample to be a malicious AutoIT file. When I ran the file through the automated replication rigs here in SophosLabs, it also hit the following HIPS rules:
- HIPS/RegMod-001
- HIPS/RegMod-002
- HIPS/RegMod-009
- HIPS/RegMod-012
- HIPS/FileMod-004
For a description of HIPS rules click here.
I have written exact detection and disinfection for this malicious AutoIT file as Troj/Tiotua-U. Enabling HIPS detection on your network could have prevented an infection by this Trojan.
Posted on October 27th, 2008 by Pob, SophosLabs, UK
Filed under: General, Malware