[Community-sigs] Fwd: Win.Worm.Jenxcus

Andrea Allievi aallievi at sourcefire.com
Sat Oct 31 14:26:08 EDT 2015


Sorry Arnaud, I totally forgot to say that I have included the LNK file
header in the signature.
In this way we can detect the string you have used in the signature ONLY
for real Windows LNK files (and not for other file types).

I have translated your extended signature into a logical signature. Here is
the result:
Win.Worm.Jenxcus;Engine:73-255,Target:0;0&1;0:4C00000001140200;7300740061007200740020003400380038003900310053004b005900500045002e007600620065002600730074006100720074

If you check one of the LNK file format specs (
http://forensicswiki.org/wiki/LNK) you will find:
Offset 0 - 0x4C (DWORD)
Offset 4 - 00021401-0000-0000-c000-000000000046 GUID

I have inserted 8 bytes (one DWORD marker and one DWORD belonging to the
GUID) in subsignature 0.

Again, thanks for your precious help.
Andrea
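
Added example (not code from this thread, from ClamAV, or from either author): a small Python evaluator that applies both Arnaud's extended (.ndb) signature and Andrea's logical (.ldb) signature, copied verbatim from the mails above, to constructed buffers. It shows why the `0:4C00000001140200` subsignature matters: a plain text file carrying the same UTF-16LE string trips the `*`-offset extended signature but not the logical one, and an LNK-shaped file without the string matches neither. The sample buffers are constructed here and are not real samples; the expression evaluator supports only the `&`, `|` and parenthesis subset used in this thread, which is a simplification of ClamAV's real matcher.

```python
import re

# Both signature lines are copied from the mailing-list thread.
LDB_LINE = (
    "Win.Worm.Jenxcus;Engine:73-255,Target:0;0&1;0:4C00000001140200;"
    "7300740061007200740020003400380038003900310053004b005900500045002e007600620065002600730074006100720074"
)
NDB_LINE = (
    "Win.Worm.Jenxcus:0:*:"
    "7300740061007200740020003400380038003900310053004b005900500045002e007600620065002600730074006100720074"
)

# Constructed sample files (not real samples): a minimal LNK-shaped buffer
# (HeaderSize 0x4C + the LNK CLSID in little-endian layout) and a plain text
# file that happens to contain the same UTF-16LE string.
LNK_HEADER = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")
SUSPECT_STRING = "start 48891SKYPE.vbe&start".encode("utf-16-le")
LNK_SAMPLE = LNK_HEADER + b"\x00" * 56 + SUSPECT_STRING + b"\x00\x00"
TEXT_SAMPLE = b"REM harmless script listing\r\n" + SUSPECT_STRING + b"\r\n"
LNK_ONLY_HEADER = LNK_HEADER + b"\x00" * 56


def parse_subsig(field):
    """Split 'offset:hex' into (offset, bytes); bare hex means offset '*'."""
    m = re.fullmatch(r"(\*|\d+):([0-9a-fA-F]+)", field)
    if m:
        offset, hexpat = m.group(1), m.group(2)
    else:
        offset, hexpat = "*", field
    return offset, bytes.fromhex(hexpat)


def subsig_matches(offset, pattern, data):
    """Anchored offsets must match at exactly that position; '*' means anywhere."""
    if offset == "*":
        return pattern in data
    start = int(offset)
    return data[start:start + len(pattern)] == pattern


def eval_logic(expr, results):
    """Evaluate a logical expression over per-subsignature match results.
    Simplification: only '&', '|' and parentheses are handled; ClamAV's
    count and comparison operators are deliberately not implemented."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    pos = 0

    def parse_or():
        nonlocal pos
        val = parse_and()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            rhs = parse_and()
            val = val or rhs
        return val

    def parse_and():
        nonlocal pos
        val = parse_atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            rhs = parse_atom()
            val = val and rhs
        return val

    def parse_atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            val = parse_or()
            pos += 1  # consume the closing ')'
            return val
        return results[int(tok)]

    return parse_or()


def matches_ldb(line, data):
    """Evaluate a logical (.ldb) signature: Name;Target;Expr;Subsig0;Subsig1..."""
    fields = line.split(";")
    expr, subsigs = fields[2], fields[3:]
    results = [subsig_matches(*parse_subsig(s), data) for s in subsigs]
    return eval_logic(expr, results)


def matches_ndb(line, data):
    """Evaluate an extended (.ndb) signature: Name:Target:Offset:Hex."""
    _, _, offset, hexpat = line.split(":", 3)
    return subsig_matches(offset, bytes.fromhex(hexpat), data)


def subsig_text(line):
    """Decode the UTF-16LE string carried by the last subsignature
    (the mail's hex ends on the 0x74 byte, so a trailing 0x00 is appended)."""
    raw = bytes.fromhex(line.rsplit(";", 1)[1])
    return (raw + b"\x00").decode("utf-16-le")


if __name__ == "__main__":
    print("string subsig:", subsig_text(LDB_LINE))
    for name, sample in (("lnk", LNK_SAMPLE), ("text", TEXT_SAMPLE), ("lnk-no-string", LNK_ONLY_HEADER)):
        print(f"{name:14s} ndb={matches_ndb(NDB_LINE, sample)!s:5s} ldb={matches_ldb(LDB_LINE, sample)}")
```

Running the block prints the decoded string and one line per sample; the text file is the false-positive case the header anchor removes. The anchored subsignature is deliberately the first 8 bytes of the header only (HeaderSize plus the first DWORD of the CLSID), exactly as the mail describes, so the check stays cheap while still excluding non-LNK containers.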

---------- Forwarded message ----------
From: Andrea Allievi <aallievi at sourcefire.com>
Date: Sat, Oct 31, 2015 at 7:06 PM
Subject: Re: [Community-sigs] Win.Worm.Jenxcus
To: webmaster at securiteinfo.com, ClamAV Community Signatures Submission List
<community-sigs at lists.clamav.net>


Hi Arnaud!
Thanks very much for your signature.
It looks good. I have put it in the FP testing queue.
We will let you know when the test is done.

Again, thanks very much, we have really appreciated your contribution.

Andrea Allievi
aallievi at sourcefire.com
Security Research Engineer
TALOS Security Intelligence and Research Group
Cisco Systems Inc.



On Fri, Oct 30, 2015 at 4:51 PM, Arnaud Jacques / SecuriteInfo.com <
webmaster at securiteinfo.com> wrote:

> Hello sigmakers,
>
>
> Win.Worm.Jenxcus:0:*:7300740061007200740020003400380038003900310053004b005900500045002e007600620065002600730074006100720074
>
> Number of samples detected by the signature : 57
>
> MD5 of detected samples :
> 9d59a7cb738a8796956a1ac088a39dda
> 5d1fd8eb4950309243350a393b72b8bc
> f346b0da8932ec09d6cfc438c246bb6c
> 109f6ef97a4c304c204fcde380a0018b
> c3df2c38e32e2187af01d1fec3b79eed
> 1ce4f4f12f3711bc8016be525ffabfa0
> a3862353e9636c7663018607d49414e8
> 40aea0e8d294d2a5116d643adb58cde9
> e35a8b524190ab8611b1221a7cbdb277
> 22fac7bbaa1424d97c72632b0ab5f4a5
> 99c5fd2ce5b3b96e1c7970e05b1ec78e
> 7dfa40df310e78afff3f38c3799f1f5d
> 5e792cc6fa650606558dd71a6cf119be
> a44c7bf081d0e4067ad093af3f966f29
> 13844ff3d274a6be74a9b302ee5f4cdc
> b64cf84f50ba1f415505a2df53bc793e
> 54d59533ccccd4a24ca6b82b9c734e1c
> 213ef28f73f2575616b47f3e51bbbc85
> cdff0141582937c0185935396e9efd99
> 16a4a2f647ce9e25a317e35d90f17122
> 5f15781eafc814c16e643e964a4d9a88
> 68e5c80ae4c43b00758187af14f8620b
> cb6612ef5f94ed9e7cf65c9a9fe34faa
> 5da5c4ed7b80b2b2eb95f3f65be1104d
> 0fa22bb0300a3d20ce27296f5eb1a636
> 4eb14fe43c875f32cea6805a8914fad5
> 32a34e9e50caba3b305e898555b5fd8c
> 2a19b498a4dad4d10172ec1e29cf5da5
> 7e2277a5745db48b8542bc3577968a8f
> 3dca5323ca93c8ad0c0cf654356d66d6
> 3d014d38fd158789372a3ecf7f6c6140
> 8a6202ca2cd68e358d2961578d23a4ae
> b9f9a669107ce1f66fdee7d8b3275521
> a46225e23f967d2e4247ee877c29a034
> d749a067ed4f989983b84eeb0a676073
> 979f46c9eee85efe3bb618ff00ddb1d4
> fa7a661da5dc13c834ca2f11a1e8f88f
> 6c3bde01c5f1c0f833e0a675863dd343
> 6f0f8172393d8e67f95426d4efa60bfe
> 0d3757c4585dcbefb23ae339e6720efc
> 0c4f46ac098b3b15a75c83c06bbe5539
> 730bce6a9ab5f87a4a08ba9beafe9f93
> 6afd60429806ef1159003cc37c5a6f11
> 39bdb91d2826d1e395006b9fe8284dc4
> bb1b078c8c30718723a5a37d4047a029
> 6ff8ae4ae2904181eb8cca9c6f3f69b2
> d36e8b147f864c35bc622ac33e5d65d6
> 98fc828950d836a1cbcbdd0f1dbe97e1
> 387db435a67fa55443284010982fd1bd
> 82ce957731bb0140f1beedc8424154f2
> 9e3c137c018aea3105949abedd54496b
> af1ae7c7dcf9ee46c9f915560e52ed43
> 6e4139e98488c856dfbcbd9112a07691
> c8b064786d47e5ca8d4c3a9a5f1007eb
> 6f1a046629de20524ad5fa1d89d44115
> 26d4becc95c837438bb471d6f1cae820
> 818599006ca32781c001e6e07c7f37d9
>
> --
> Best regards,
>
> Arnaud Jacques
> SecuriteInfo.com
>
> Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter : https://twitter.com/SecuriteInfoCom
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>

-- 
Andrea Allievi
aallievi at sourcefire.com
Security Research Engineer
TALOS Security Intelligence and Research Group
Cisco Systems Inc.