[Community-sigs] JS.Trojan.Nemucod variant signature

Angel Villegas anvilleg at sourcefire.com
Wed Dec 14 09:26:17 EST 2016


Janos,

Thank you for your submission! I've updated the signature to prevent
possible FPs and narrow the scope to the files you are intending to match
on. Subsigs 0 and 1 are used to prevent matching on HTML pages talking about
the Nemucod JavaScript, since typically these pages only use a subset of
the JavaScript code. Subsig 2 has been changed slightly, mainly the base64
in the match has been converted to lowercase since ClamAV normalizes target
type 7 (ASCII text file).

Js.Trojan.Nemucod;Engine:55-255,Target:7;0>35&1>350&2;7661722077796c736f6e;77796c736f6e;7661722077796c736f6e{-100}69677a31626d6e3061773975

VIRUS NAME: Js.Trojan.Nemucod
TDB: Engine:55-255,Target:7
LOGICAL EXPRESSION: 0>35&1>350&2
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
var wylson
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
wylson
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
var wylson{WILDCARD_ANY_STRING(LENGTH<=100)}igz1bmn0aw9u



Thanks,
Angel M. Villegas

On Wed, Dec 14, 2016 at 8:36 AM, Christopher Marczewski <
cmarczewski at sourcefire.com> wrote:

> Janos,
>
> Thank you for your submission. We'll proceed with FP testing for your
> signature.
>
> On Wed, Dec 14, 2016 at 6:01 AM, Janos Cservenak <hawk at hwk.hu> wrote:
>
> > Hi,
> >
> > Over the last few days I trapped some Nemucod trojan variants...
> > Received via email; all messages tried to disguise themselves
> > as a scanned document attached as a 2016-12-XXXX.ZIP file.
> > In the ZIP there was only a 2016-12-XXXX.jse file.
> >
> > -- Signature --
> > JS.Trojan.Nemucod.JSE.v03.20161213;Target:0;0;7661722077796c736f6e*49475a31626d4e3061573975
> > -- /Signature --
> >
> > Decoded:
> > VIRUS NAME: JS.Trojan.Nemucod.JSE.v03.20161213
> > TDB: Target:0
> > LOGICAL EXPRESSION: 0
> >  * SUBSIG ID 0
> >  +-> OFFSET: ANY
> >  +-> SIGMOD: NONE
> >  +-> DECODED SUBSIGNATURE:
> > var wylson{WILDCARD_ANY_STRING}IGZ1bmN0aW9u
> >
> > MD5 sums for the JSE files:
> > 995d5852f720163112be6bb18dc45fea
> > df1e47f1394fb849b84a9b62ac2c5257
> > 3d93cabf4377ac59b6a8a578f28e0460
> > 3d93cabf4377ac59b6a8a578f28e0460
> > d6e9a17e0dd09384d328f110b29a0f55
> > d45a7e7650232738d3937c8434a49f0d
> > 6899c73d40a95442272f32f2aa1d7606
> > 6b5831cef9e705787a655bc66d832758
> > 31fea40298868ea7f43f0e07292153c7
> > d1b3b53fcb8b9604e596806851423996
> > f02379e533deee8bc814bf720ac8249e
> > 3b68fb002b17c7f9796f68240b55e1c5
> > 3d93cabf4377ac59b6a8a578f28e0460
> > ab4d4e0a53aa5deca221b8e0920a3fda
> > e1d99edc1efdccd136409e110ffda5df
> > 7e6c1715499fcce0c7dd0efdc8348175
> > df1e47f1394fb849b84a9b62ac2c5257
> > 05add189dcce665300f8b104c197b240
> > 31fea40298868ea7f43f0e07292153c7
> >
> > --
> > Best Regards,
> > Janos Cservenak
> >
> > _______________________________________________
> > Community-sigs mailing list
> > Community-sigs at lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> >
> > http://www.clamav.net/contact.html#ml
>
>
>
>
> --
> Christopher Marczewski
> Research Engineer
> Talos Group
> cmarczewski at sourcefire.com
> Phone: 443.430.7118
>



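Added example for this thread (not code from the list, from Angel or Janos, or from ClamAV itself): a toy Python evaluator for the .ldb logical-signature lines quoted above. It decodes the hex subsignatures (supporting only the `*` and `{-N}`-style gap wildcards these signatures use), approximates the Target:7 normalization as lowercasing plus whitespace collapsing (an assumption; ClamAV's real text normalizer may differ in detail), evaluates the logical expression with the `N`, `N>k`, `N<k`, `N=k`, `&`, `|` and parenthesis forms, and then runs both signatures over two constructed inputs: a dropper-like script with many `wylson` references and a short HTML snippet that merely discusses the malware. The sample texts, the helper names and the match-count thresholds' interpretation are all illustrative assumptions.

```python
"""Toy evaluator for ClamAV logical signatures (.ldb format); added example, not ClamAV code."""
import re
from typing import Dict, List, Tuple


def normalize_ascii(text: str) -> str:
    """Approximation of ClamAV's Target:7 normalization (assumption: lowercase +
    collapse runs of whitespace; the real normalizer may differ)."""
    return re.sub(r"\s+", " ", text.lower())


def decode_subsig(hexsig: str) -> "re.Pattern[str]":
    """Translate one hex subsignature into a regex.  Supported subset: plain hex
    bytes, '*' (any gap), '{-N}' (gap of at most N), '{N-}', '{N-M}', '{N}'."""
    parts: List[str] = []
    i = 0
    while i < len(hexsig):
        ch = hexsig[i]
        if ch == "*":
            parts.append(".*?")
            i += 1
        elif ch == "{":
            j = hexsig.index("}", i)
            lo, dash, hi = hexsig[i + 1:j].partition("-")
            if not dash:                       # {N}: exactly N bytes
                parts.append(".{%d}" % int(lo))
            else:                              # {N-M}, {-M} or {N-}
                parts.append(".{%d,%s}?" % (int(lo) if lo else 0, hi))
            i = j + 1
        else:                                  # two hex digits = one literal byte
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2]).decode("latin-1")))
            i += 2
    return re.compile("".join(parts), re.DOTALL)


def count_matches(pattern: "re.Pattern[str]", text: str) -> int:
    return sum(1 for _ in pattern.finditer(text))


class LogicalExpr:
    """Evaluate an expression such as '0>35&1>350&2' against per-subsig match
    counts: bare N means 'matched at least once', N>k / N<k / N=k compare the
    count, '&' and '|' combine, '( )' group.  Assumed semantics for this subset."""

    def __init__(self, expr: str, counts: Dict[int, int]):
        self.toks = re.findall(r"\d+|[()&|<>=]", expr)
        self.pos = 0
        self.counts = counts

    def evaluate(self) -> bool:
        value = self._or()
        if self.pos != len(self.toks):
            raise ValueError("trailing tokens in logical expression")
        return value

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self) -> str:
        self.pos += 1
        return self.toks[self.pos - 1]

    def _binary(self, op, sub, combine) -> bool:
        value = sub()
        while self._peek() == op:
            self._take()
            rhs = sub()                        # always parse the rhs; no short-circuit
            value = combine(value, rhs)
        return value

    def _or(self) -> bool:
        return self._binary("|", self._and, lambda a, b: a or b)

    def _and(self) -> bool:
        return self._binary("&", self._atom, lambda a, b: a and b)

    def _atom(self) -> bool:
        tok = self._take()
        if tok == "(":
            value = self._or()
            if self._take() != ")":
                raise ValueError("unbalanced parenthesis")
            return value
        n = self.counts.get(int(tok), 0)
        if self._peek() in (">", "<", "="):
            op, k = self._take(), int(self._take())
            return {">": n > k, "<": n < k, "=": n == k}[op]
        return n >= 1


def parse_ldb(line: str) -> Tuple[str, Dict[str, str], str, List[str]]:
    name, tdb, logic, *subsigs = line.strip().split(";")
    target = dict(kv.split(":", 1) for kv in tdb.split(",")) if tdb else {}
    return name, target, logic, subsigs


def match_ldb(line: str, text: str) -> Tuple[bool, Dict[int, int]]:
    """Return (verdict, per-subsig match counts) for one .ldb line over text."""
    _, tdb, logic, subsigs = parse_ldb(line)
    if tdb.get("Target") == "7":               # normalized ASCII text target
        text = normalize_ascii(text)
    counts = {i: count_matches(decode_subsig(s), text) for i, s in enumerate(subsigs)}
    return bool(LogicalExpr(logic, counts).evaluate()), counts


# The two signatures from the thread, verbatim.
SIG_ANGEL = ("Js.Trojan.Nemucod;Engine:55-255,Target:7;0>35&1>350&2;"
             "7661722077796c736f6e;77796c736f6e;7661722077796c736f6e{-100}69677a31626d6e3061773975")
SIG_JANOS = "JS.Trojan.Nemucod.JSE.v03.20161213;Target:0;0;7661722077796c736f6e*49475a31626d4e3061573975"


def dropper_like_sample(decls: int = 40, uses: int = 320) -> str:
    """Constructed stand-in for the .jse dropper: many 'var wylson' declarations,
    each followed closely by the base64 ' function' chunk, plus many uses."""
    lines = ['var wylson%d = "IGZ1bmN0aW9u";' % i for i in range(decls)]
    lines += ["wylson%d();" % (i % decls) for i in range(uses)]
    return "\n".join(lines)


# Constructed HTML snippet that only talks about the malware (the FP case).
BLOG_SAMPLE = ('<p>The dropper starts with <code>var wylson</code> and builds '
               '<code>IGZ1bmN0aW9u</code>, which decodes to " function"; the '
               'wylson variable name is a useful pivot.</p>')

if __name__ == "__main__":
    for sig in (SIG_ANGEL, SIG_JANOS):
        for label, text in (("dropper", dropper_like_sample()), ("blog", BLOG_SAMPLE)):
            print(sig.split(";")[0], label, match_ldb(sig, text))
```

Running it shows the two effects discussed in the thread: the original single-pattern signature fires on the blog snippet because one `var wylson ... IGZ1bmN0aW9u` pair is enough, while the revised signature rejects it (1 and 2 occurrences fall short of the `>35` and `>350` thresholds) and still fires on the dropper-like sample; and the uppercase base64 of the original pattern stops matching as soon as the text has been lowercased, which is why subsig 2 had to be lowercased for a Target:7 signature.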