[Community-sigs] win.downloader javascript
Mariano Graziano
magrazia at sourcefire.com
Tue Aug 2 06:03:40 EDT 2016
./clamscan -d /home/emdel/cisco/bugs/162923/test2.ldb
/home/emdel/cisco/bugs/162923/d77a79c843de999464f7f54b7c57f9407268d504177cec66f8c70d5c4e0ee5d5
/home/emdel/cisco/bugs/162923/d77a79c843de999464f7f54b7c57f9407268d504177cec66f8c70d5c4e0ee5d5:
Win.Trojan.Downloader.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.99
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.78 MB
Data read: 0.78 MB (ratio 1.00:1)
Time: 0.022 sec (0 m 0 s)
03:02:44 emdel -> cat test2.ldb
Win.Trojan.Downloader;Target:1;(0>2)&1;440065006c00700068006900;28900:85C0744785D2743653565789C689D78B4FFC578B56FC4A7820668B0683C60229D17E16F266AF751189CB565789D1F366A75F5E740C89D9EBEA5A31C0EB0A31C0C35A89F829D0D1E85F5E5BC3
cat test2.ldb | sigtool --decode-sig
VIRUS NAME: Win.Trojan.Downloader
TDB: Target:1
LOGICAL EXPRESSION: (0>2)&1
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Delphi
* SUBSIG ID 1
+-> OFFSET: 28900
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
��tG��t6SVW�ƉO�W�V�Jx f���)�~�f�u��VW��f�_^t
���Z1�
1�Z��)��_^[�
On Tue, Jul 5, 2016 at 9:03 AM, Ben Baker <bbaker at sourcefire.com> wrote:
> Thanks for the submission Per-Erik. I tweaked your signature a bit to try
> to reduce FPs. This signature looks for your date string, but also wscript
> objects, and the string concatenation operator being used over 300 times. I
> used target type 7 (Normalized text) so variations in whitespace and
> capitalization won't affect it.
>
>
> Win.Downloader.Nemucod;Engine:51-255,Target:7;0&1&2&(3>300);696620286e6577206461746528292e6765747965617228293d3d323031;3d777363726970742e6372656174656f626a65637428;2e7370656369616c666f6c6465727328;2b3d27
>
> VIRUS NAME: Win.Downloader.Nemucod
> TDB: Engine:51-255,Target:7
> LOGICAL EXPRESSION: 0&1&2&(3>300)
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> if (new date().getyear()==201
> * SUBSIG ID 1
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> =wscript.createobject(
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> .specialfolders(
> * SUBSIG ID 3
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> +='
>
> I've queued the signature for FP testing and it should be published soon.
>
> On Tue, Jul 5, 2016 at 5:18 AM, Per-Erik Persson <pegpe at kth.se> wrote:
>
> > Hello sigmakers
> >
> > I might need some help with this signature since it seems too simple.
> > There are loads of ugly JavaScripts that use this line of code to check that
> > it is 2016 and that the JavaScript is version 1.2 or earlier.
> > I get a couple of hundred hits per day on the mail servers on this one.
> >
> > Win.Downloader.11:*:*:696620286e6577204461746528292e6765745965617228293d3d3230313629
> >
> > An example file can be found here:
> >
> > https://virustotal.com/sv/file/3e0064837a32e5fda5000752ba79d80c22fd06bb55cc5d3daa306c7c28c563d3/analysis/
> >
> >
> > _______________________________________________
> > Community-sigs mailing list
> > Community-sigs at lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> >
> > http://www.clamav.net/contact.html#ml
> >
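The .ldb format walked through in this thread, as an added example that is not ClamAV's own code nor anything from the posters: a small Python parser that splits a logical signature line into its hex subsignatures and optional offsets, counts matches, evaluates the logical expression, and runs Ben Baker's Nemucod signature against a constructed, harmless script body (SAMPLE). The Target:7 normalisation is approximated as lowercase plus collapsed whitespace, and only the plain-hex subsignatures and single-count expression forms that appear on this page are supported.

```python
import re

# ClamAV .ldb logical signature line: NAME;TDB;LOGICAL_EXPR;SUBSIG0;SUBSIG1;...
# Each SUBSIG is plain hex, optionally prefixed with OFFSET: (e.g. 28900:85C0...); no wildcards here.
def parse_ldb(line):
    name, tdb, expr, *raw = line.strip().split(";")
    subsigs = [(s.rpartition(":")[0] or "*", bytes.fromhex(s.rpartition(":")[2])) for s in raw]
    return {"name": name, "tdb": tdb, "expr": expr, "subsigs": subsigs}

def normalize(data):  # approximates Target:7 (normalized text): lowercase, collapse whitespace
    return re.sub(rb"\s+", b" ", data.lower())

def count_matches(subsigs, data):
    # all occurrences for offset '*', else 1/0 for a hit exactly at the fixed offset
    return [data.count(p) if off == "*" else int(data[int(off):int(off) + len(p)] == p)
            for off, p in subsigs]

def evaluate(expr, counts):
    """Bare N means 'subsig N matched'; N>M, N<M, N=M compare subsig N's match count with M;
    & and | combine, parentheses group. The summed form (0|1)>2 is not handled by this demo."""
    toks = re.findall(r"\d+|[&|()<>=]", expr)
    py, i = [], 0
    while i < len(toks):
        t = toks[i]
        if t.isdigit() and i + 2 < len(toks) and toks[i + 1] in ("<", ">", "="):
            op = "==" if toks[i + 1] == "=" else toks[i + 1]
            py.append(f"(c[{t}] {op} {toks[i + 2]})")
            i += 3
        else:
            py.append(f"(c[{t}] > 0)" if t.isdigit() else {"&": " and ", "|": " or "}.get(t, t))
            i += 1
    return bool(eval("".join(py), {"__builtins__": {}}, {"c": counts}))  # translated expr, no builtins

def scan(sig_line, data):
    sig = parse_ldb(sig_line)
    data = normalize(data) if "Target:7" in sig["tdb"] else data  # Target:1 (PE) is matched raw
    return evaluate(sig["expr"], count_matches(sig["subsigs"], data))

# Ben Baker's Nemucod signature from the thread; SAMPLE is a constructed body that only builds a string.
NEMUCOD = ("Win.Downloader.Nemucod;Engine:51-255,Target:7;0&1&2&(3>300);"
           "696620286e6577206461746528292e6765747965617228293d3d323031;"
           "3d777363726970742e6372656174656f626a65637428;2e7370656369616c666f6c6465727328;2b3d27")
SAMPLE = (b'if (new Date().getYear()==2016) {\n  var sh=WScript.CreateObject("WScript.Shell");\n'
          b'  var t = sh.SpecialFolders("Temp");\n' + b"  s+='x';\n" * 301 + b"}\n")

if __name__ == "__main__":
    print(scan(NEMUCOD, SAMPLE))
```

Because Target:7 lowercases before matching, the all-lowercase subsignatures still hit the mixed-case `Date`/`getYear`/`WScript` spellings in the sample, which is the point Ben makes about whitespace and capitalisation variants.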