[Community-sigs] Win.Downloader
Xabier Ugarte-Pedrero
xpedrero at sourcefire.com
Mon Jul 4 16:30:51 EDT 2016
Hello Arnaud,
Unfortunately the signature has not passed the FP test. It seems it is
matching the NSIS inetc plugin, which comes as a resource in files
generated by the NSIS (Nullsoft Scriptable Install System -
http://nsis.sourceforge.net/Main_Page), used by several legitimate
software packages.
Nevertheless, the binary seems to contain some characteristic VBScript code:
var fso = new ActiveXObject("Scripting.FileSystemObject");
var s3 = fso.GetSpecialFolder(2).Path; // s3 @02=> "C:\\WINDOWS\\TEMP"
var f2 = fso.OpenTextFile(s3+"\\add_js.js",1);
var source2 = f2.ReadAll();
f2.Close();
source2 = str_replace("\\", "\\\\", source2)
eval(source2);
var f = fso.OpenTextFile(file_path,1);
var source = f.ReadAll();
f.Close();
var already_boomarked = false;
var my_obj = JSON.parse(source, function (k, v) {
if (typeof v === "string" && k == "name" && v == name) {
already_boomarked = true;
return v;
if (add_dell == '1') {
if (!already_boomarked) {
var obj = {
date_added:time (),
id:"",
name:name,
type:"url",
url:url
my_obj.roots.bookmark_bar.children.push(obj);
var json_encoded = JSON.stringify(my_obj, function (key, value) {
return typeof value === "string" && key == "name" ?
string_encode(value) : value;
});
json_encoded = str_replace("\\\\u", "\\u", json_encoded);
var f = fso.OpenTextFile(file_path,2);
f.Write(json_encoded);
f.Close();
A Google search of some of those strings seems to point just to malware
reports (and not to any legitimate software). We have created a
signature that you can test over your dataset to check if it matches
your binaries:
Win.Downloader:1:*:66736F2E4F70656E5465787446696C652873332B225C5C6164645F6A732E6A73222C3129*76617220736F7572636532203D2066322E52656164416C6C2829*6576616C28736F7572636532293B*69662028747970656F662076203D3D3D2022737472696E6722202626206B203D3D20226E616D65222026262076203D3D206E616D6529207B*4A534F4E2E737472696E67696679286D795F6F626A2C2066756E6374696F6E20286B65792C2076616C756529207B*7661722066203D2066736F2E4F70656E5465787446696C652866696C655F706174682C32293B*662E5772697465286A736F6E5F656E636F646564293B*666F722028766172206B657920696E206D795F6F626A2E726F6F74732E626F6F6B6D61726B5F6261722E6368696C6472656E29207B0D0A2F2F09575363726970742E6563686F286B657929
In the meantime, we will enqueue the signature for the FP test on our end.
Regards,
-- Xabier
On Mon, Jul 4, 2016 at 6:58 AM, Arnaud Jacques / SecuriteInfo.com
<webmaster at securiteinfo.com> wrote:
> Hello,
>
>> Thank you. This has been submitted for FP testing.
>
> Did it pass FP tests?
>
> --
> Best regards,
>
> Arnaud Jacques
> SecuriteInfo.com
>
> Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter : @SecuriteInfoCom
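As an added example (not code from this thread or from ClamAV itself), the Python below decodes the .ndb signature quoted above back into the script strings it encodes and checks a buffer against it with the same in-order "*" wildcard semantics; the sample buffers are constructed, and the matcher is deliberately simplified (only the "*" wildcard and offset are handled).

```python
"""Decode a ClamAV .ndb signature and check a buffer against it.
Added example, not part of the thread or of ClamAV. A line reads
Name:TargetType:Offset:HexSig; '*' matches any run of bytes and the hex
chunks must occur in order. Other wildcards (??, {n-m}) are not handled."""

# The signature quoted in the thread, split across lines for readability.
SIGNATURE = (
    "Win.Downloader:1:*:"
    "66736F2E4F70656E5465787446696C652873332B225C5C6164645F6A732E6A73222C3129*"
    "76617220736F7572636532203D2066322E52656164416C6C2829*"
    "6576616C28736F7572636532293B*"
    "69662028747970656F662076203D3D3D2022737472696E6722202626206B203D3D2022"
    "6E616D65222026262076203D3D206E616D6529207B*"
    "4A534F4E2E737472696E67696679286D795F6F626A2C2066756E6374696F6E20286B6579"
    "2C2076616C756529207B*"
    "7661722066203D2066736F2E4F70656E5465787446696C652866696C655F706174682C32293B*"
    "662E5772697465286A736F6E5F656E636F646564293B*"
    "666F722028766172206B657920696E206D795F6F626A2E726F6F74732E626F6F6B6D61726B"
    "5F6261722E6368696C6472656E29207B0D0A2F2F09575363726970742E6563686F286B657929"
)

def parse_ndb(line):
    """Split Name:TargetType:Offset:HexSig into its parts and raw byte chunks."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    chunks = [bytes.fromhex(h) for h in hexsig.split("*") if h]
    return {"name": name, "target": int(target), "offset": offset, "chunks": chunks}

def decoded_strings(sig):
    """The plaintext strings the hex chunks stand for (latin-1, byte for byte)."""
    return [c.decode("latin-1") for c in sig["chunks"]]

def matches(sig, data):
    """True if every chunk occurs in data in signature order, non-overlapping."""
    pos = 0
    for chunk in sig["chunks"]:
        idx = data.find(chunk, pos)
        if idx < 0:
            return False
        pos = idx + len(chunk)
    return True

# Constructed sample buffers (not real files): all chunks in order with
# filler bytes, only the first three (the add_js.js loader), and reversed.
def build_sample(chunks, filler=b"\x90" * 16):
    return filler + filler.join(chunks) + filler

SIG = parse_ndb(SIGNATURE)
SAMPLE_HIT = build_sample(SIG["chunks"])
SAMPLE_PARTIAL = build_sample(SIG["chunks"][:3])
SAMPLE_OUT_OF_ORDER = build_sample(SIG["chunks"][::-1])
```

Printing `decoded_strings(SIG)` shows that the signature also covers a `for (var key in my_obj.roots.bookmark_bar.children)` loop that is not in the excerpt pasted above, which is worth knowing when testing it against your own samples.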