[Community-sigs] signature of JS downloader
Christopher Marczewski
cmarczewski at sourcefire.com
Wed Dec 7 12:57:55 EST 2016
Jean-Baptiste,
Any chance we can get the e-mail samples, or do these messages contain
sensitive information not suitable for disclosure?
On Thu, Dec 1, 2016 at 10:23 AM, Christopher Marczewski <
cmarczewski at sourcefire.com> wrote:
> Hello Jean-Baptiste,
>
> Thank you for your submissions. We'll be proceeding with signature reviews
> and will get back to you as soon as possible.
>
> On Wed, Nov 30, 2016 at 9:37 AM, Jean-Baptiste Lanel <jb at lanel.eu> wrote:
>
>> Hello,
>>
>> Another one that caught 10 emails since yesterday:
>>
>> echo "JS.ActiveX.Downloader:7:*:6e657720616374697665786f626a656374282261646f64622e73747265616d22293b*6e657720616374697665786f626a6563742822777363726970742e7368656c6c22293b*6e657720616374697665786f626a656374282261646f64622e73747265616d22293b" | sigtool --decode-sigs
>> VIRUS NAME: JS.ActiveX.Downloader
>> TARGET TYPE: NORMALIZED ASCII TEXT
>> OFFSET: *
>> DECODED SIGNATURE:
>> new activexobject("adodb.stream"){WILDCARD_ANY_STRING}new
>> activexobject("wscript.shell");{WILDCARD_ANY_STRING}new
>> activexobject("adodb.stream");
>>
>> (I'm not really confident with the naming convention)
>>
>> Regards,
>>
>> JB
>>
>>
>> On 2016-11-24 22:27, Jean-Baptiste Lanel wrote:
>>
>>> Hello sigmakers,
>>>
>>> In case it may help, just received 3 mails caught by this :
>>>
>>> jb at newaude:~$ echo "JS.HILLARY.Downloader:7:*:28295d2822722c752c6e2c642c6c2c6c2c332c3222" | sigtool --decode-sigs
>>> VIRUS NAME: JS.HILLARY.Downloader
>>> TARGET TYPE: NORMALIZED ASCII TEXT
>>> OFFSET: *
>>> DECODED SIGNATURE:
>>> ()]("r,u,n,d,l,l,3,2."
>>>
>>> Regards,
>>>
>>> JB
>>>
>>> _______________________________________________
>>> Community-sigs mailing list
>>> Community-sigs at lists.clamav.net
>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>>>
>>> http://www.clamav.net/contact.html#ml
>>>
>>
--
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.430.7118
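The two submissions above are ClamAV body signatures in `.ndb` form (`Name:TargetType:Offset:HexSignature`), which `sigtool --decode-sigs` renders back to text. The following is an added example, not code from the thread or from ClamAV itself: it parses the JS.ActiveX.Downloader line exactly as posted, decodes the hex body the way sigtool displays it, and then checks the signature against a constructed (non-malicious) script fragment. The text normalization it applies for target type 7 (lowercase, whitespace collapsed) is a simplified approximation of ClamAV's own normalizer and is an assumption of this example; only the `*` wildcard is implemented because that is the only one these signatures use.

```python
import re

# The signature exactly as posted to the list, with the mail line-wrapping removed.
JS_ACTIVEX_DOWNLOADER = (
    "JS.ActiveX.Downloader:7:*:"
    "6e657720616374697665786f626a656374282261646f64622e73747265616d22293b*"
    "6e657720616374697665786f626a6563742822777363726970742e7368656c6c22293b*"
    "6e657720616374697665786f626a656374282261646f64622e73747265616d22293b"
)

# ClamAV target types relevant here (7 is what both posted signatures use).
TARGET_TYPES = {0: "ANY FILE", 1: "PE", 2: "OLE2", 3: "HTML", 4: "MAIL",
                5: "GRAPHICS", 6: "ELF", 7: "NORMALIZED ASCII TEXT"}

WILDCARD = "{WILDCARD_ANY_STRING}"   # the token sigtool prints for '*'


def parse_ndb(line):
    """Split an .ndb line into its four fields; the hex body may itself contain ':' so split at most 3 times."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return {"name": name, "target": int(target), "offset": offset, "hexsig": hexsig}


def decode_hexsig(hexsig):
    """Render the hex body as sigtool does: hex pairs -> ASCII, '*' -> {WILDCARD_ANY_STRING}."""
    parts = []
    for chunk in hexsig.split("*"):
        if len(chunk) % 2:
            raise ValueError("odd-length hex run in signature: %r" % chunk)
        parts.append(bytes.fromhex(chunk).decode("latin-1"))
    return WILDCARD.join(parts)


def decode_sig_report(line):
    """Produce the same four-field report that `sigtool --decode-sigs` prints."""
    sig = parse_ndb(line)
    return "\n".join([
        "VIRUS NAME: " + sig["name"],
        "TARGET TYPE: " + TARGET_TYPES.get(sig["target"], str(sig["target"])),
        "OFFSET: " + sig["offset"],
        "DECODED SIGNATURE:",
        decode_hexsig(sig["hexsig"]),
    ])


def hexsig_to_regex(hexsig):
    """Turn the hex body into a regex: literal runs are escaped, '*' becomes '.*' (any string, newlines included)."""
    literal_runs = [re.escape(bytes.fromhex(c).decode("latin-1")) for c in hexsig.split("*")]
    return re.compile(".*".join(literal_runs), re.DOTALL)


def normalize_text(data):
    """Approximation (assumption of this example) of ClamAV target-7 normalization:
    lowercase everything and collapse runs of whitespace to one space."""
    return re.sub(r"\s+", " ", data.lower()).strip()


def matches(sig, data):
    """True when the signature's body pattern is found in the (normalized, for target 7) input."""
    text = normalize_text(data) if sig["target"] == 7 else data
    return hexsig_to_regex(sig["hexsig"]).search(text) is not None


# Constructed, non-malicious script fragments used only to exercise the signature.
# Note the mixed case and the double space: normalization is what lets the lowercase signature fire.
SAMPLE_HIT = '''var s = new ActiveXObject("ADODB.Stream");
var sh = new  ActiveXObject("WScript.Shell");
var t = new ActiveXObject("ADODB.Stream");
'''

# Uses WScript.Shell alone, so the three-part ordered pattern does not match.
SAMPLE_MISS = '''var sh = new ActiveXObject("WScript.Shell");
WScript.Echo(sh.CurrentDirectory);
'''


def demo():
    """Return (decoded report, hit result, miss result) for the posted signature."""
    sig = parse_ndb(JS_ACTIVEX_DOWNLOADER)
    return decode_sig_report(JS_ACTIVEX_DOWNLOADER), matches(sig, SAMPLE_HIT), matches(sig, SAMPLE_MISS)


if __name__ == "__main__":
    report, hit, miss = demo()
    print(report)
    print("SAMPLE_HIT matches:", hit)
    print("SAMPLE_MISS matches:", miss)
```

The decode is computed straight from the posted hex, so it shows the `;` after each constructor call that the hex actually encodes. The match check is the part worth keeping around when reviewing a submission like this: feeding it a few benign scripts that legitimately use `ADODB.Stream` and `WScript.Shell` is a quick way to gauge how much false-positive risk an ordered three-part pattern like this carries before it is published.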