[Community-sigs] signature of JS downloader
Christopher Marczewski
cmarczewski at sourcefire.com
Thu Dec 1 10:23:06 EST 2016
Hello Jean-Baptiste,
Thank you for your submissions. We'll be proceeding with signature reviews
and will get back to you as soon as possible.
On Wed, Nov 30, 2016 at 9:37 AM, Jean-Baptiste Lanel <jb at lanel.eu> wrote:
> Hello,
>
> Another one that caught 10 emails since yesterday:
>
> echo "JS.ActiveX.Downloader:7:*:6e657720616374697665786f626a65637
> 4282261646f64622e73747265616d22293b*6e657720616374697665786f
> 626a6563742822777363726970742e7368656c6c22293b*6e65772061637
> 4697665786f626a656374282261646f64622e73747265616d22293b" |sigtool
> --decode-sigs
> VIRUS NAME: JS.ActiveX.Downloader
> TARGET TYPE: NORMALIZED ASCII TEXT
> OFFSET: *
> DECODED SIGNATURE:
> new activexobject("adodb.stream"){WILDCARD_ANY_STRING}new
> activexobject("wscript.shell");{WILDCARD_ANY_STRING}new
> activexobject("adodb.stream");
>
> (I'm not really confident with the naming convention)
>
> Regards,
>
> JB
>
>
> On 2016-11-24 22:27, Jean-Baptiste Lanel wrote:
>
>> Hello sigmakers,
>>
>> In case it may help, just received 3 mails caught by this :
>>
>> jb at newaude:~$ echo "JS.HILLARY.Downloader:7:*:28295d2822722c752c6e2c642c6c2c6c2c332c3222" |sigtool --decode-sigs
>> VIRUS NAME: JS.HILLARY.Downloader
>> TARGET TYPE: NORMALIZED ASCII TEXT
>> OFFSET: *
>> DECODED SIGNATURE:
>> ()]("r,u,n,d,l,l,3,2."
>>
>> Regards,
>>
>> JB
>>
>> _______________________________________________
>> Community-sigs mailing list
>> Community-sigs at lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>>
>> http://www.clamav.net/contact.html#ml
>>
>
--
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.430.7118
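The two submissions above are ClamAV ndb signatures: `Name:TargetType:Offset:HexBody`, where the body is hex-encoded text and `*` is an any-length gap, and target type 7 means the file is matched after ASCII normalization. The following is an added example, not code from the thread or from ClamAV: it decodes the two bodies exactly as `sigtool --decode-sigs` prints them and then runs the ActiveX signature over constructed sample text. The `normalize_ascii` step is an assumed simplification of ClamAV's type-7 normalization (lowercase, collapse whitespace), and the sample scripts are constructed for the demonstration.

```python
import re

# Signatures copied from the thread (ndb format: Name:TargetType:Offset:HexBody).
SIG_ACTIVEX = ("JS.ActiveX.Downloader:7:*:"
               "6e657720616374697665786f626a656374282261646f64622e73747265616d22293b"
               "*6e657720616374697665786f626a6563742822777363726970742e7368656c6c22293b"
               "*6e657720616374697665786f626a656374282261646f64622e73747265616d22293b")
SIG_HILLARY = "JS.HILLARY.Downloader:7:*:28295d2822722c752c6e2c642c6c2c6c2c332c3222"

def parse_ndb(line):
    """Split an ndb line into its four fields; the hex body keeps its '*' wildcards."""
    name, target, offset, body = line.strip().split(":", 3)
    return name, int(target), offset, body

def decode_body(body):
    """Decode each hex run; '*' is rendered the way sigtool prints it."""
    return "{WILDCARD_ANY_STRING}".join(
        bytes.fromhex(seg).decode("latin-1") for seg in body.split("*"))

def normalize_ascii(text):
    """Assumed approximation of ClamAV target-type-7 normalization:
    lowercase and collapse whitespace runs to a single space."""
    return re.sub(r"\s+", " ", text).lower()

def body_to_regex(body):
    """Hex runs become escaped literals; each '*' becomes a '.*' gap of any length."""
    return re.compile(".*".join(
        re.escape(bytes.fromhex(seg).decode("latin-1")) for seg in body.split("*")),
        re.DOTALL)

def scan(sig_line, text):
    """Return the signature name if the normalized text matches, else None."""
    name, target, offset, body = parse_ndb(sig_line)
    if target != 7 or offset != "*":
        raise ValueError("only normalized-text, any-offset signatures are handled here")
    return name if body_to_regex(body).search(normalize_ascii(text)) else None

# Constructed sample: the three object creations in the order the signature requires.
SAMPLE_HIT = '''var s = new ActiveXObject("ADODB.Stream");
var sh = new ActiveXObject("WScript.Shell");
var t = new  ActiveXObject("ADODB.Stream");'''
# Constructed sample: same objects but only one ADODB.Stream, so the third run never matches.
SAMPLE_MISS = ('var sh = new ActiveXObject("WScript.Shell"); '
               'var s = new ActiveXObject("ADODB.Stream");')

if __name__ == "__main__":
    for sig in (SIG_ACTIVEX, SIG_HILLARY):
        print(decode_body(parse_ndb(sig)[3]))
    print(scan(SIG_ACTIVEX, SAMPLE_HIT), scan(SIG_ACTIVEX, SAMPLE_MISS))
```

The miss case shows why the order of the three `*`-separated runs matters: the wildcard only bridges forward gaps, so a script that creates `WScript.Shell` before the first `ADODB.Stream` is not caught by this signature.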