[Community-sigs] win.downloader javascript
Mariano Graziano
magrazia at sourcefire.com
Tue Aug 2 06:11:06 EDT 2016
Sorry guys,
I was testing a signature and accidentally sent this email.
On Tue, Aug 2, 2016 at 3:03 AM, Mariano Graziano <magrazia at sourcefire.com>
wrote:
> ./clamscan -d /home/emdel/cisco/bugs/162923/test2.ldb
> /home/emdel/cisco/bugs/162923/d77a79c843de999464f7f54b7c57f9407268d504177cec66f8c70d5c4e0ee5d5
> /home/emdel/cisco/bugs/162923/d77a79c843de999464f7f54b7c57f9407268d504177cec66f8c70d5c4e0ee5d5:
> Win.Trojan.Downloader.UNOFFICIAL FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 1
> Engine version: 0.99
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.78 MB
> Data read: 0.78 MB (ratio 1.00:1)
> Time: 0.022 sec (0 m 0 s)
>
>
> 03:02:44 emdel -> cat test2.ldb
>
> Win.Trojan.Downloader;Target:1;(0>2)&1;440065006c00700068006900;28900:85C0744785D2743653565789C689D78B4FFC578B56FC4A7820668B0683C60229D17E16F266AF751189CB565789D1F366A75F5E740C89D9EBEA5A31C0EB0A31C0C35A89F829D0D1E85F5E5BC3
>
> cat test2.ldb | sigtool --decode-sig
> VIRUS NAME: Win.Trojan.Downloader
> TDB: Target:1
> LOGICAL EXPRESSION: (0>2)&1
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Delphi
> * SUBSIG ID 1
> +-> OFFSET: 28900
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> ��tG��t6SVW�ƉO�W�V�Jx f���)�~�f�u��VW��f�_^t
> ���Z1�
> 1�Z��)��_^[�
>
>
> On Tue, Jul 5, 2016 at 9:03 AM, Ben Baker <bbaker at sourcefire.com> wrote:
>
>> Thanks for the submission Per-Erik. I tweaked your signature a bit to try
>> to reduce FPs. This signature looks for your date string, but also wscript
>> objects, and the string concatenation operator being used over 300 times.
>> I used target type 7 (Normalized text) so variations in whitespace and
>> capitalization won't affect it.
>>
>>
>> Win.Downloader.Nemucod;Engine:51-255,Target:7;0&1&2&(3>300);696620286e6577206461746528292e6765747965617228293d3d323031;3d777363726970742e6372656174656f626a65637428;2e7370656369616c666f6c6465727328;2b3d27
>>
>> VIRUS NAME: Win.Downloader.Nemucod
>> TDB: Engine:51-255,Target:7
>> LOGICAL EXPRESSION: 0&1&2&(3>300)
>> * SUBSIG ID 0
>> +-> OFFSET: ANY
>> +-> SIGMOD: NONE
>> +-> DECODED SUBSIGNATURE:
>> if (new date().getyear()==201
>> * SUBSIG ID 1
>> +-> OFFSET: ANY
>> +-> SIGMOD: NONE
>> +-> DECODED SUBSIGNATURE:
>> =wscript.createobject(
>> * SUBSIG ID 2
>> +-> OFFSET: ANY
>> +-> SIGMOD: NONE
>> +-> DECODED SUBSIGNATURE:
>> .specialfolders(
>> * SUBSIG ID 3
>> +-> OFFSET: ANY
>> +-> SIGMOD: NONE
>> +-> DECODED SUBSIGNATURE:
>> +='
>>
>> I've queued the signature for FP testing and it should be published soon.
>>
>> On Tue, Jul 5, 2016 at 5:18 AM, Per-Erik Persson <pegpe at kth.se> wrote:
>>
>> > Hello sigmakers
>> >
>> > I might need some help with this signature since it seems too simple.
>> > There are loads of ugly javascripts that use this line of code to check
>> > that it is 2016 and that the javascript is version 1.2 or earlier.
>> > I get couple of hundred hits per day on the mailservers on this one.
>> >
>> >
>> >
>> > Win.Downloader.11:*:*:696620286e6577204461746528292e6765745965617228293d3d3230313629
>> >
>> >
>> > An example file can be found here:
>> >
>> >
>> >
>> > https://virustotal.com/sv/file/3e0064837a32e5fda5000752ba79d80c22fd06bb55cc5d3daa306c7c28c563d3/analysis/
>> >
>> >
>> > _______________________________________________
>> > Community-sigs mailing list
>> > Community-sigs at lists.clamav.net
>> > http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>> >
>> > http://www.clamav.net/contact.html#ml
>> >
>
>
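The logical-signature mechanics discussed in the thread (Ben's Name;TDB;LogicalExpression;subsig layout with Target:7 normalization and the (3>300) count test, and Mariano's (0>2)&1 signature with a subsignature anchored at an absolute offset) can be exercised offline with the decoder and matcher below. It is an added example written for this archive page, not ClamAV or sigtool code, and it rests on assumptions the thread does not state: Target:7 normalization is approximated as lowercasing ASCII and collapsing whitespace runs, '&' and '|' add up the match counts of their operands, the PE file-type check implied by Target:1 is skipped, wildcard subsignatures are not handled, and the HIT, MISS and fake_pe inputs are constructed stand-ins rather than real samples. It also accepts the '|', '<' and '=' forms the thread does not use.

```python
"""Decoder and matcher for ClamAV logical (.ldb) signatures.

Added example for this thread, not ClamAV or sigtool code.  Assumptions not on
the page: Target:7 normalization is approximated as "lowercase ASCII, collapse
whitespace runs"; '&' and '|' add the match counts of their operands; the PE
file-type check implied by Target:1 is skipped; wildcards are not supported.
"""
import re
from collections import namedtuple

LogicalSig = namedtuple("LogicalSig", "name tdb expr subsigs")  # subsigs: [(offset, bytes)]

def parse_ldb(line: str) -> LogicalSig:
    """Split Name;TDB;LogicalExpression;subsig0;subsig1;... into its parts."""
    name, tdb, expr, *raw = line.strip().split(";")
    subs = []
    for r in raw:
        offset, body = r.split(":", 1) if ":" in r else ("ANY", r)  # "28900:85C0..."
        subs.append((offset, bytes.fromhex(body)))  # fromhex raises on wildcards
    return LogicalSig(name, tdb, expr, subs)

def normalize_text(data: bytes) -> bytes:
    """Approximation of Target:7 ('normalized text')."""
    return re.sub(rb"\s+", b" ", data.lower())

def count_matches(buf: bytes, offset: str, pattern: bytes) -> int:
    """Non-overlapping hits anywhere, or 0/1 at an absolute offset."""
    if offset == "ANY":
        return buf.count(pattern)
    return 1 if buf.startswith(pattern, int(offset)) else 0

class _Expr:
    """Recursive descent over ids, '&', '|', parentheses and (expr)>N / <N / =N
    (comparison inside or after the parentheses); a node is (matched, count)."""
    def __init__(self, expr, counts):
        self.s, self.i, self.counts = expr.replace(" ", ""), 0, counts
    def peek(self):
        return self.s[self.i:self.i + 1]
    def number(self):
        m = re.compile(r"\d+").match(self.s, self.i)
        if not m:
            raise ValueError(f"number expected at {self.i} in {self.s!r}")
        self.i = m.end()
        return int(m.group())
    def compare(self, ok, cnt):
        op = self.peek()
        if op in ("<", ">", "="):
            self.i += 1
            n = self.number()
            ok = {"<": cnt < n, ">": cnt > n, "=": cnt == n}[op]
        return ok, cnt
    def term(self):
        if self.peek() == "(":
            self.i += 1
            ok, cnt = self.compare(*self.expr())   # (3>300) form
            if self.peek() != ")":
                raise ValueError(f"unbalanced parenthesis in {self.s!r}")
            self.i += 1
            return self.compare(ok, cnt)           # (0|1)>2 form
        sid = self.number()                        # bare id: matched iff count > 0
        return self.counts[sid] > 0, self.counts[sid]
    def expr(self):
        ok, cnt = self.term()
        while self.peek() in ("&", "|"):
            op, self.i = self.s[self.i], self.i + 1
            ok2, cnt2 = self.term()
            ok, cnt = (ok and ok2) if op == "&" else (ok or ok2), cnt + cnt2
        return ok, cnt

def evaluate(sig: LogicalSig, data: bytes):
    """Return (matched, per-subsignature match counts) for one buffer."""
    buf = normalize_text(data) if "Target:7" in sig.tdb.split(",") else bytes(data)
    counts = [count_matches(buf, off, pat) for off, pat in sig.subsigs]
    p = _Expr(sig.expr, counts)
    ok, _ = p.expr()
    if p.i != len(p.s):
        raise ValueError(f"unexpected {p.s[p.i]!r} in {sig.expr!r}")
    return ok, counts

# The two signatures quoted in the thread, verbatim.
NEMUCOD_LDB = ("Win.Downloader.Nemucod;Engine:51-255,Target:7;0&1&2&(3>300);"
               "696620286e6577206461746528292e6765747965617228293d3d323031;"
               "3d777363726970742e6372656174656f626a65637428;"
               "2e7370656369616c666f6c6465727328;2b3d27")
DELPHI_LDB = ("Win.Trojan.Downloader;Target:1;(0>2)&1;440065006c00700068006900;"
              "28900:85C0744785D2743653565789C689D78B4FFC578B56FC4A7820668B0683"
              "C60229D17E16F266AF751189CB565789D1F366A75F5E740C89D9EBEA5A31C0EB"
              "0A31C0C35A89F829D0D1E85F5E5BC3")

# Constructed stand-in for the script the thread describes (not a real sample):
# odd casing and spacing on purpose, 301 '+=' concatenations.
HIT = (b"var s='';\nif (new   Date().getYear()==2016) {\n"
       b"  var ws=WScript.CreateObject('WScript.Shell');\n"
       b"  var t=ws.SpecialFolders('Temp');\n" + b"  s+='x';\n" * 301 + b"}\n")
MISS = HIT.replace(b"  s+='x';\n" * 301, b"  s+='x';\n" * 5)  # under the 300 bar

def fake_pe(delphi_copies: int) -> bytes:
    """Constructed buffer (not a real PE): N UTF-16LE 'Delphi' strings plus the
    code bytes of subsig 1 at its absolute offset, 28900."""
    (_, delphi), (off, code) = parse_ldb(DELPHI_LDB).subsigs
    buf = bytearray(30000)
    for k in range(1, delphi_copies + 1):
        buf[256 * k:256 * k + len(delphi)] = delphi
    buf[int(off):int(off) + len(code)] = code
    return bytes(buf)
```

evaluate(parse_ldb(NEMUCOD_LDB), HIT) returns (True, [1, 1, 1, 301]), and MISS, which differs only in having five '+=' concatenations instead of 301, returns (False, [1, 1, 1, 5]): the first three subsignatures still hit, but the (3>300) count test fails, which is the part of Ben's signature that separates the obfuscated downloader from ordinary scripts that merely check the year. fake_pe(3) matches the Delphi signature and fake_pe(2) does not, because (0>2) needs the UTF-16 'Delphi' string more than twice. Per-Erik's original Win.Downloader.11 line is in the colon-separated .ndb layout, which parse_ldb does not read.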