[clamav-users] [ext] Re: Vbs.Trojan.AsyncRAT-9889434-1
Ralf Hildebrandt
Ralf.Hildebrandt at charite.de
Wed May 17 09:01:46 UTC 2023
* Andrew Salway via clamav-users <clamav-users at lists.clamav.net>:
> Many thanks Ralf for the speedy reply.
>
> Is it then triggered if the three strings (urldecode, msbuild.exe, .xml) are all present anywhere in a normalised ASCII file?
Probably. As long as the file is smaller than 2097152 bytes.
> # sigtool --find="Vbs.Trojan.AsyncRAT-9889434-1" | sigtool --decode
>
> VIRUS NAME: Vbs.Trojan.AsyncRAT-9889434-1
> TDB: Engine:90-255,FileSize:0-2097152,Target:7
>
> LOGICAL EXPRESSION: 0&1&2
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> urldecode
>
> * SUBSIG ID 1
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> msbuild.exe
>
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> .xml
>
> So it must be 0 AND 1 and 2.
>
> 0 is urldecode ANYWHERE
> 1 is msbuild.exe ANYWHERE
> 2 is .xml ANYWHERE
--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155
ralf.hildebrandt at charite.de
https://www.charite.de
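As an added illustration (not part of the thread and not ClamAV's own code): a small Python evaluator that parses the decoded record quoted above and applies its FileSize window, its three any-offset subsignatures and the 0&1&2 expression to sample buffers. The Target 7 normalisation is an assumption (lowercase plus whitespace collapse), and only plain &/| expressions are handled, not the full ClamAV logical-signature grammar.

```python
import re

# Constructed input: the `sigtool --decode` output quoted in the thread
# (blank lines omitted; the parser does not depend on them).
DECODED = """\
VIRUS NAME: Vbs.Trojan.AsyncRAT-9889434-1
TDB: Engine:90-255,FileSize:0-2097152,Target:7
LOGICAL EXPRESSION: 0&1&2
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
urldecode
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
msbuild.exe
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
.xml
"""

def parse_decoded(text):
    """Pull name, FileSize bounds, logical expression and subsig patterns."""
    name = re.search(r"^VIRUS NAME: (.+)$", text, re.M).group(1).strip()
    size = re.search(r"FileSize:(\d+)-(\d+)", text)
    lo, hi = (int(size[1]), int(size[2])) if size else (0, None)
    expr = re.search(r"^LOGICAL EXPRESSION: (\S+)", text, re.M).group(1)
    subsigs = {int(m[1]): m[2].strip().encode() for m in re.finditer(
        r"\* SUBSIG ID (\d+)\n(?:\+->.*\n)*?\+-> DECODED SUBSIGNATURE:\n(.+)", text)}
    return {"name": name, "min": lo, "max": hi, "expr": expr, "subsigs": subsigs}

def normalise_ascii(data):
    # Assumption: Target 7 normalisation approximated as lowercase plus
    # whitespace collapse; ClamAV's real text normaliser has more rules.
    return re.sub(rb"\s+", b" ", data.lower())

def matches(sig, data):
    """True when the size window and every id in the '&' expression hit."""
    if len(data) < sig["min"] or (sig["max"] is not None and len(data) > sig["max"]):
        return False  # the TDB FileSize window is checked before any subsig
    norm = normalise_ascii(data)
    # OFFSET: ANY -> a plain substring search.  Only '&'/'|' of subsig ids
    # are handled here; parentheses and count operators (e.g. 0>3) are not.
    return any(all(sig["subsigs"][int(i)] in norm for i in grp.split("&"))
               for grp in sig["expr"].split("|"))
```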