Update heuristic signatures for browsers and IM apps

Expand and refine PE heuristic checks: add Firefox artifacts (mozsqlite3.dll, encryptedPassword) to improve Firefox profile/password detection; normalize Yahoo name casing and add Yahoo Messenger profile/archive paths; add MSN "\My Received Files\" string and new Skype and Paltalk heuristics (Skype folder checks, Paltalk registry/software keys); include Opera wand.dat locations to catch older Opera profile files. These changes broaden detection coverage for various browsers and instant‑messaging clients.
2026-06-24 01:54:08 +00:00 · 2026-06-12 13:04:04 +03:00 · 2026-06-12 13:04:04 +03:00 · d4928d2f41
commit d4928d2f41
parent 53315c082b
1 changed files with 18 additions and 6 deletions
--- a/db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg
+++ b/db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg
@ -6669,15 +6669,16 @@ function scanForMaliciousCode_NET_and_Native() {
        }, {
            names: ["FireFox", "Firefox", "firefox", "GetFirefox", "Gecko"],
            strings: [
-                "\\mozglue.dll", "mozcrt19.dll", "nss3.dll", "softokn3.dll", "\\Firefox\\Profiles\\", "signons.sqlite", "2a864886f70d0209",
+                "\\mozglue.dll", "mozcrt19.dll", "nss3.dll", "mozsqlite3.dll", "softokn3.dll", "\\Firefox\\Profiles\\", "signons.sqlite", "2a864886f70d0209",
                "2a864886f70d010c050103", "moz_places", "moz_cookies", "moz_bookmarks", "\\Mozilla Firefox\\", "Mozilla Firefox\\",
                "\\Mozilla\\Firefox\\Profiles", "webappsstore.sqlite", "SELECT * FROM moz_disabledHosts;", "SELECT * FROM moz_logins;",
-                "SELECT * FROM moz_places", "moz_logins"
+                "SELECT * FROM moz_places", "moz_logins", "encryptedPassword"
            ]
        }, {
-            names: ["yahoo"],
+            names: ["Yahoo", "yahoo"],
            strings: [
-                "\\Local Settings\\Application Data\\Yahoo Messenger\\", "\\ys.scr", "ys.scr", "Software\\Yahoo\\pager"
+                "\\Local Settings\\Application Data\\Yahoo Messenger\\", "\\ys.scr", "ys.scr", "Software\\Yahoo\\pager", "\\Yahoo!\\Messenger\\Profiles",
+                "\\Archive\\Messages\\"
            ]
        }, {
            names: ["Electrum", "electrum", "ElectrumRule"],
@ -6720,13 +6721,23 @@ function scanForMaliciousCode_NET_and_Native() {
            names: ["MSN", "GetMSN", "getMSN75Passwords", "CMSNMessengerPasswords"],
            strings: [
                "\\MSN Messenger\\msidcrl.dll", "msidcrl.dll", "Software\\Microsoft\\MessengerService", "Software\\Microsoft\\MSNMessenger",
-                "82BD0E67-9FEA-4748-8672-D5EFE5B779B0\0", "msidcrl.dll", "WindowsLive:name=*",
+                "82BD0E67-9FEA-4748-8672-D5EFE5B779B0\0", "msidcrl.dll", "WindowsLive:name=*", "\\My Received Files\\"
+            ]
+        }, {
+            names: ["Skype", "skype", "GetSkype"],
+            strings: [
+                "\\Skype\\", "\\Skype"
            ]
        }, {
            names: ["IMVU"],
            strings: [
                "HKEY_CURRENT_USER\\Software\\IMVU\\username\\", "HKEY_CURRENT_USER\\Software\\IMVU\\password\\"
            ]
+        }, {
+            names: ["Paltalk", "paltalk", "GetPaltalk"],
+            strings: [
+                "Software\\Paltalk", "HKEY_CURRENT_USER\\Software\\Paltalk\\"
+            ]
        }, {
            names: ["Chromium", "chromium", "chrome", "GetChrome"],
            strings: [
@ -6736,7 +6747,8 @@ function scanForMaliciousCode_NET_and_Native() {
        }, {
            names: ["Opera", "opera", "GetOpera"],
            strings: [
-                "\\Opera Software\\Opera Stable\\Cookies", "\\Opera Software\\Opera GX Stable\\Cookies", "\\Cookies"
+                "\\Opera Software\\Opera Stable\\Cookies", "\\Opera Software\\Opera GX Stable\\Cookies", "\\Cookies", "\\Opera\\Opera\\wand.dat",
+                "\\Opera\\Opera\\profile\\wand.dat", "wand.dat"
            ]
        }, {
            names: ["Bytecoin", "ByteCoin", "bytecoin"],