[clamav-users] FN with unknown virus attachment
Steve Basford
steveb_clamav at sanesecurity.com
Mon Jun 23 07:08:25 UTC 2014
> Okay, great, thanks. Can you describe the risk for me? What does it do,
> and what's necessary for the user to do to become infected? It appears to
> be a rogue link phishing attack? So it requires the user to open the Word
> doc then click the link, correct?

Hi Alex,

1. I used strings on the doc file...

----(rot13 below)---
Nhgb_Bcra
nhgbBcra
JBexobbx_Bcra
\UJVCTZDKMBU.fpe
uggcf://qy.qebcobkhfrepbagrag.pbz/f/87pfejq4j7o6e09/pnyp.rkr?qy=1&gbxra_unfu=NNTt8WbYmal7GDikp4Vlq7NcK_Ls9sP9-9u67kIRnboKbN&rkcvel=1402160255
uggc://oneavrsvyz1996.eh/vzt.rkr
\UJVCTZDKMBU.fpe
--------------------

Which isn't looking good...

2. Quick check...

https://malwr.com/analysis/MWZmZjk5OTZmNDk1NGZkYzk3YTVmODcxNDE0ZDU5OGY/

So, looks like there might be some user input needed to actually run it,
but best it's blocked anyway.

Cheers,

Steve
Sanesecurity
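
The strings-based triage described in the message above, as an added example that is not part of the original post or of ClamAV: it pulls printable runs out of a byte blob, flags auto-run macro names and URLs whose path ends in an executable extension, and prints hits rot13-encoded like the listing in the message. The sample bytes, the example.test hosts and the function names are constructed for illustration.

```python
import codecs
import re
from urllib.parse import urlsplit

# Macro entry points that Office runs automatically when a file is opened.
AUTOEXEC_NAMES = ("auto_open", "autoopen", "workbook_open", "document_open")
EXE_EXT = (".exe", ".scr", ".pif", ".bat")
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def extract_strings(data, min_len=4):
    """Return printable ASCII runs, like strings(1) with -n min_len."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

def triage(data):
    """Flag auto-run macro names and URLs that point at an executable."""
    findings = {"autoexec": [], "exe_urls": []}
    for s in extract_strings(data):
        low = s.lower()
        for name in AUTOEXEC_NAMES:
            if name in low and name not in findings["autoexec"]:
                findings["autoexec"].append(name)
        for url in URL.findall(s):
            # Check only the path, so a query string or a bare ".com" host
            # does not hide or fake the extension.
            if urlsplit(url).path.lower().endswith(EXE_EXT):
                findings["exe_urls"].append(url)
    return findings

def rot13(text):
    """Encode a hit so it is not a live link or a scanner trigger in mail."""
    return codecs.encode(text, "rot_13")

# Constructed sample: binary filler around strings of the kind a macro
# downloader document contains. Not taken from the file discussed above.
SAMPLE = (
    b"\xd0\xcf\x11\xe0\x00\x00Auto_Open\x00\x01Workbook_Open\x00\x02"
    b"http://files.example.test/update.exe?dl=1\x00"
    b"http://docs.example.test/readme.txt\x00\xff"
)

if __name__ == "__main__":
    result = triage(SAMPLE)
    for kind, hits in result.items():
        for hit in hits:
            print(kind, rot13(hit))
```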