[clamav-virusdb] Update (daily: 21290)
Christopher McBee
noreply at sourcefire.com
Fri Jan 22 16:45:25 UTC 2016
ClamAV database updated (22 Jan 2016 11-37 -0500): daily.cvd
Version: 21290
Submission-ID: 1224847890
Sender: Virus Total
Sender: VRT Sandbox
Submission notes: [RESEARCH]
Submission notes:
Submission notes: Backdoor.JS.Dashikut.A is a Trojan Backdoor that targets
Submission notes: systems supporting JavaScript and particularly the Windows
Submission notes: platform. The malware sends out system information and
Submission notes: accepts control commands from a remote server. These capabilities include:
Submission notes:
Submission notes: -Getting a list of drives on the systems
Submission notes: -Getting a list of files and folders
Submission notes: -Downloading and executing files
Submission notes: -Executing shell commands
Submission notes:
Submission notes: Upon execution, the malware downloads the script "aes.js"
Submission notes: from the 'crypto-js' project on Google Code. This is used to
Submission notes: encrypt and encode data before sending it to the CnC.
Submission notes:
Submission notes: As long as the input string is less than 16 characters the
Submission notes: following occurs:
Submission notes:
Submission notes: -The size of the output string produced by the function
Submission notes: "CryptoJS.AES.encrypt" remains the same.
Submission notes: -The output string starts with "U2FsdGVkX1" (which is a
Submission notes: Base64-encoding of the string 'Salted').
Submission notes: -The output string ends with the "=" character as a result of Base64-encoding.
Submission notes:
Submission notes: The file also registers scrrun.dll and uses that to run the
Submission notes: .js file.
Submission notes:
Submission notes: [FIREAMP]
Submission notes:
Submission notes: Looking up SHA256:
Submission notes: 6a075743df879bed39f330d11704fa9d3f1baa97e8a5b109e6508b0aeef3e150
Submission notes: Disposition: MALICIOUS
Submission notes:
Submission notes: No IPs to blacklist.
Submission notes:
Submission notes:
Submission notes: [NEW SIG]
Submission notes:
Submission notes: [NDB]
Submission notes:
Submission notes: Win.Trojan.Dashikut:7:*:72656773767233322532302f7325323073637272756e2e646c6c
Submission notes:
Submission notes: [ALERTS]
Submission notes:
Submission notes: ceebf623fcb191ae1e0ad1433de8864d.js:
Submission notes: Win.Trojan.Dashikut.UNOFFICIAL FOUND
Submission notes:
Submission notes: ----------- SCAN SUMMARY -----------
Submission notes: Known viruses: 1
Submission notes: Engine version: 0.99
Submission notes: Scanned directories: 0
Submission notes: Scanned files: 1
Submission notes: Infected files: 1
Submission notes: Data scanned: 0.02 MB
Submission notes: Data read: 0.02 MB (ratio 1.00:1)
Submission notes: Time: 0.011 sec (0 m 0 s)
Submission notes:
Submission notes: [DETECTION BREAKDOWN]
Submission notes:
Submission notes: #Used to detect where the malware changes the following registry value:
Submission notes: #Key: HKLM\SOFTWARE\Classes\CLSID\{<CLASSID>}\InprocServer32
Submission notes: #Value: "%WinDir%\System32\scrrun.dll"
Submission notes: regsvr32%20/s%20scrrun.dll
Submission notes:
Submission notes: [Decoded Signature]
Submission notes: VIRUS NAME: Win.Trojan.Dashikut
Submission notes: TARGET TYPE: NORMALIZED ASCII TEXT
Submission notes: OFFSET: *
Submission notes: DECODED SIGNATURE:
Submission notes: regsvr32%20/s%20scrrun.dll
Added: Win.Trojan.Dashikut
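As an added illustration (not part of the original submission notes or of ClamAV's own code), the following Python parses the NDB record above, decodes its hex body back to the `regsvr32%20/s%20scrrun.dll` string shown in the decoded-signature section, and runs that check over constructed sample text. The target type 7 "normalized ASCII" handling is approximated by lowercasing and collapsing whitespace, which is an assumption about ClamAV's normalizer, and the sample file contents are constructed.

```python
import re
from dataclasses import dataclass

# NDB record exactly as published in this update: name:target_type:offset:hex_signature
NDB_LINE = ("Win.Trojan.Dashikut:7:*:"
            "72656773767233322532302f7325323073637272756e2e646c6c")

# Constructed sample inputs (not the real sample). Mixed case shows why
# target type 7 normalizes text before matching.
SAMPLES = {
    "dropper.js": 'var sh = WScript.CreateObject("WScript.Shell");\n'
                  'sh.Run("REGSVR32%20/s%20SCRRUN.DLL");\n',
    "benign.js":  'console.log("hello");\n',
}


@dataclass
class NdbSignature:
    name: str
    target_type: int
    offset: str
    pattern: bytes


def parse_ndb(line: str) -> NdbSignature:
    """Split an NDB record into its four colon-separated fields and decode the hex body.
    Plain hex only: NDB wildcards such as ?? or * inside the body are not handled here."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return NdbSignature(name, int(target), offset, bytes.fromhex(hexsig))


def normalize_ascii(data: bytes) -> bytes:
    """Assumed approximation of ClamAV target type 7 (normalized ASCII text):
    lowercase everything and collapse whitespace runs to a single space."""
    return re.sub(rb"\s+", b" ", data.lower())


def scan(sig: NdbSignature, files: dict) -> dict:
    """Return {filename: '<name> FOUND' | 'OK'}, mirroring how clamscan reports hits."""
    results = {}
    for fname, text in files.items():
        data = text.encode()
        if sig.target_type == 7:
            data = normalize_ascii(data)
        if sig.offset == "*":                      # '*' means any offset
            hit = sig.pattern in data
        else:                                      # fixed offset, e.g. "0"
            hit = data.startswith(sig.pattern, int(sig.offset))
        results[fname] = f"{sig.name} FOUND" if hit else "OK"
    return results


if __name__ == "__main__":
    s = parse_ndb(NDB_LINE)
    print("DECODED SIGNATURE:", s.pattern.decode())
    for f, r in scan(s, SAMPLES).items():
        print(f"{f}: {r}")
```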
Submission-ID: 1244510900
Sender: SonicWALL
Sender: VRT Sandbox
Sender: Jotti
Added: Win.Trojan.Dynamer-105
Submission-ID: n/a
Sender: n/a
Added: Html.Exploit.CVE_2015_6143
Added: Swf.Exploit.CVE_2015_8448
Added: Swf.Exploit.CVE_2015_8635
Added: Swf.Exploit.CVE_2015_8640
Added: Swf.Exploit.CVE_2015_8634
Added: Swf.Exploit.CVE_2015_8648-1
Added: Swf.Exploit.CVE_2015_8649
Added: Xls.Exploit.CVE_2016_0035
Added: Pdf.Exploit.CVE_2016_0937
Added: Swf.Exploit.CVE_2015_8636
Added: Swf.Exploit.CVE_2015_8639
Added: Swf.Exploit.CVE_2015_8459
Added: Swf.Exploit.CVE_2015_8638
Added: Html.Exploit.CVE_2016_0003
Added: Win.Exploit.CVE_2015_6109
Added: Html.Exploit.CVE_2016_0012
Added: Html.Exploit.CVE_2015_6160
Added: Win.Exploit.CVE_2015_6102
Added: Win.Exploit.CVE_2015_2463
--
Best regards,
Christopher McBee