[Community-sigs] JS.Trojan.Nemucod variant signature

Christopher Marczewski cmarczewski at sourcefire.com
Wed Dec 14 15:15:39 EST 2016


Janos,

The modified signature has been accepted for publication. Thanks again for
your submission.

On Wed, Dec 14, 2016 at 9:26 AM, Angel Villegas <anvilleg at sourcefire.com>
wrote:

> Janos,
>
> Thank you for your submission! I've updated the signature to prevent
> possible FPs and narrow the scope to the files you are intending to match
> on. Subsig 0 and 1 are used to prevent matching on HTML pages talking about
> the Nemucod JavaScript, since typically these pages only use a subset of
> the JavaScript code. Subsig 2 has been changed slightly, mainly the base64
> in the match has been converted to lowercase since ClamAV normalizes target
> type 7 (ASCII text file).
>
> Js.Trojan.Nemucod;Engine:55-255,Target:7;0>35&1>350&2;
> 7661722077796c736f6e;77796c736f6e;7661722077796c736f6e{-100}
> 69677a31626d6e3061773975
>
> VIRUS NAME: Js.Trojan.Nemucod
> TDB: Engine:55-255,Target:7
> LOGICAL EXPRESSION: 0>35&1>350&2
>  * SUBSIG ID 0
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> var wylson
>  * SUBSIG ID 1
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> wylson
>  * SUBSIG ID 2
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> var wylson{WILDCARD_ANY_STRING(LENGTH<=100)}igz1bmn0aw9u
>
>
>
> Thanks,
> Angel M. Villegas
>
> On Wed, Dec 14, 2016 at 8:36 AM, Christopher Marczewski <
> cmarczewski at sourcefire.com> wrote:
>
> > Janos,
> >
> > Thank you for your submission. We'll proceed with FP testing for your
> > signature.
> >
> > On Wed, Dec 14, 2016 at 6:01 AM, Janos Cservenak <hawk at hwk.hu> wrote:
> >
> > > Hi,
> > >
> > > One of the last days' trapped Nemucod trojan variants...
> > > Received via email; all messages tried to disguise themselves
> > > as a scanned document attached as a 2016-12-XXXX.ZIP file.
> > > In the ZIP there was only a 2016-12-XXXX.jse file.
> > >
> > > -- Signature --
> > > JS.Trojan.Nemucod.JSE.v03.20161213;
> > > Target:0;0;7661722077796c736f6e*49475a31626d4e3061573975
> > > -- /Signature --
> > >
> > > Decoded:
> > > VIRUS NAME: JS.Trojan.Nemucod.JSE.v03.20161213
> > > TDB: Target:0
> > > LOGICAL EXPRESSION: 0
> > >  * SUBSIG ID 0
> > >  +-> OFFSET: ANY
> > >  +-> SIGMOD: NONE
> > >  +-> DECODED SUBSIGNATURE:
> > > var wylson{WILDCARD_ANY_STRING}IGZ1bmN0aW9u
> > >
> > > MD5 sums for the JSE files:
> > > 995d5852f720163112be6bb18dc45fea
> > > df1e47f1394fb849b84a9b62ac2c5257
> > > 3d93cabf4377ac59b6a8a578f28e0460
> > > 3d93cabf4377ac59b6a8a578f28e0460
> > > d6e9a17e0dd09384d328f110b29a0f55
> > > d45a7e7650232738d3937c8434a49f0d
> > > 6899c73d40a95442272f32f2aa1d7606
> > > 6b5831cef9e705787a655bc66d832758
> > > 31fea40298868ea7f43f0e07292153c7
> > > d1b3b53fcb8b9604e596806851423996
> > > f02379e533deee8bc814bf720ac8249e
> > > 3b68fb002b17c7f9796f68240b55e1c5
> > > 3d93cabf4377ac59b6a8a578f28e0460
> > > ab4d4e0a53aa5deca221b8e0920a3fda
> > > e1d99edc1efdccd136409e110ffda5df
> > > 7e6c1715499fcce0c7dd0efdc8348175
> > > df1e47f1394fb849b84a9b62ac2c5257
> > > 05add189dcce665300f8b104c197b240
> > > 31fea40298868ea7f43f0e07292153c7
> > >
> > > --
> > > Best Regards,
> > > Janos Cservenak
> > >
> > > _______________________________________________
> > > Community-sigs mailing list
> > > Community-sigs at lists.clamav.net
> > > http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> > >
> > > http://www.clamav.net/contact.html#ml
> >
> >
> >
> >
> > --
> > Christopher Marczewski
> > Research Engineer
> > Talos Group
> > cmarczewski at sourcefire.com
> > Phone: 443.430.7118
> >
>



-- 
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.430.7118
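To make the effect of the rewrite concrete, here is an added example (not ClamAV code and not part of the thread) that parses both signatures quoted above, mimics the lowercase normalization Angel mentions for Target:7, and evaluates the logical expression `0>35&1>350&2` against two constructed inputs: a stand-in for the obfuscated `.jse` and a short HTML page that merely quotes one line of it. The regex-based matching, the occurrence counting and the `{-N}`/`*` wildcard handling are a simplification of ClamAV's real engine, and only the subset of the `.ldb` syntax these two signatures use is supported.

```python
import re

# Both signatures quoted in the thread: the submitted one and the accepted rewrite.
SUBMITTED_SIG = ("JS.Trojan.Nemucod.JSE.v03.20161213;Target:0;0;"
                 "7661722077796c736f6e*49475a31626d4e3061573975")
ACCEPTED_SIG = ("Js.Trojan.Nemucod;Engine:55-255,Target:7;0>35&1>350&2;"
                "7661722077796c736f6e;77796c736f6e;"
                "7661722077796c736f6e{-100}69677a31626d6e3061773975")


def subsig_to_regex(subsig):
    """Translate a hex subsignature with `*` and `{...}` wildcards into a regex.

    Only the wildcard forms seen in this thread are handled: `*` (any string),
    `{-N}` (at most N bytes), `{N-}` (at least N), `{N}` (exactly N), `{N-M}`.
    """
    pattern = []
    for token in re.split(r"(\*|\{[^}]*\})", subsig):
        if not token:
            continue
        if token == "*":
            pattern.append(".*")
        elif token.startswith("{"):
            lo, dash, hi = token[1:-1].partition("-")
            pattern.append(".{%d}" % int(lo) if not dash
                           else ".{%s,%s}" % (lo or "0", hi))
        else:
            # Plain hex bytes: decode and match them literally.
            pattern.append(re.escape(bytes.fromhex(token).decode("latin-1")))
    return re.compile("".join(pattern), re.DOTALL)


def parse_ldb(line):
    """Split `Name;TDB;LogicalExpression;Subsig0;Subsig1;...` into its parts."""
    name, tdb, expr, *subsigs = line.split(";")
    target = dict(kv.split(":") for kv in tdb.split(",")).get("Target", "0")
    return {"name": name, "target": int(target), "expr": expr,
            "subsigs": [subsig_to_regex(s) for s in subsigs]}


def _term_holds(term, counts):
    # `N>k`: subsig N matched more than k times; bare `N`: matched at least once.
    idx, gt, minimum = term.partition(">")
    return counts[int(idx)] > (int(minimum) if gt else 0)


def evaluate(sig, data):
    """Return (matched, per-subsig match counts) for one file's contents."""
    # Per the thread, target type 7 (ASCII text) is lowercased before matching;
    # Target:0 (any file) is matched byte-for-byte.
    text = data.lower() if sig["target"] == 7 else data
    counts = [len(p.findall(text)) for p in sig["subsigs"]]
    matched = all(_term_holds(t, counts) for t in sig["expr"].split("&"))
    return matched, counts


# Constructed stand-in for the obfuscated .jse: many `var wylsonN` declarations
# (subsig 0 > 35), many `wylsonN` references (subsig 1 > 350) and the base64
# fragment within 100 bytes of a declaration (subsig 2).
JSE_SAMPLE = "\n".join(
    "var wylson%d = 'IGZ1bmN0aW9u'; wylson%d = %s;"
    % (i, i, " + ".join(["wylson%d" % i] * 9))
    for i in range(40))

# Constructed write-up that quotes a single line of the script: the kind of
# benign page the count thresholds are meant to leave alone.
HTML_SAMPLE = ("<html><body><p>The Nemucod dropper opens with "
               "<code>var wylson = 'IGZ1bmN0aW9u';</code> and builds the rest "
               "from wylson at runtime.</p></body></html>")

if __name__ == "__main__":
    for raw in (SUBMITTED_SIG, ACCEPTED_SIG):
        sig = parse_ldb(raw)
        for label, sample in (("jse", JSE_SAMPLE), ("html", HTML_SAMPLE)):
            print(sig["name"], label, evaluate(sig, sample))
```

Run as a script it shows the submitted signature firing on both inputs while the accepted one fires only on the script-like input, because the HTML page yields one `var wylson` and two `wylson` occurrences, far below the `>35` and `>350` thresholds. The base64 fragment `IGZ1bmN0aW9u` decodes to ` function`, which is why the lowercased form in the accepted signature still lines up with the normalized text.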