[Community-sigs] win.downloader javascript

Ben Baker bbaker at sourcefire.com
Tue Jul 5 12:03:05 EDT 2016


Thanks for the submission Per-Erik. I tweaked your signature a bit to try
to reduce FPs. This signature looks for your date string, but also wscript
objects, and the string concatenation operator being used over 300 times. I
used target type 7 (Normalized text) so variations in whitespace and
capitalization won't affect it.

Win.Downloader.Nemucod;Engine:51-255,Target:7;0&1&2&(3>300);696620286e6577206461746528292e6765747965617228293d3d323031;3d777363726970742e6372656174656f626a65637428;2e7370656369616c666f6c6465727328;2b3d27

VIRUS NAME: Win.Downloader.Nemucod
TDB: Engine:51-255,Target:7
LOGICAL EXPRESSION: 0&1&2&(3>300)
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
if (new date().getyear()==201
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
=wscript.createobject(
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
.specialfolders(
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
+='

I've queued the signature for FP testing and it should be published soon.

On Tue, Jul 5, 2016 at 5:18 AM, Per-Erik Persson <pegpe at kth.se> wrote:

> Hello sigmakers
>
> I might need some help with this signature since it seems too simple.
> There are loads of ugly JavaScript files that use this line of code to check that
> it is 2016 and that the JavaScript is version 1.2 or earlier.
> I get a couple of hundred hits per day on the mail servers on this one.
>
>
> Win.Downloader.11:*:*:696620286e6577204461746528292e6765745965617228293d3d3230313629
>
>
> An example file can be found here:
>
>
> https://virustotal.com/sv/file/3e0064837a32e5fda5000752ba79d80c22fd06bb55cc5d3daa306c7c28c563d3/analysis/
>
>
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>
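To show how the count-based logical signature above actually fires, here is an added example (mine, not ClamAV's code and not part of the original thread) that parses Ben's .ldb line, decodes the hex subsignatures, and evaluates the logical expression 0&1&2&(3>300) over normalised text. The normalisation (lower-casing and collapsing whitespace runs) is an assumption that approximates ClamAV's Target 7 handling, the expression evaluator supports only the subset of the logical-signature grammar used here, and both script samples are constructed for the demonstration rather than real Nemucod droppers.

```python
import re

# Ben Baker's published signature, copied verbatim from the post.
SIGNATURE = (
    "Win.Downloader.Nemucod;Engine:51-255,Target:7;0&1&2&(3>300);"
    "696620286e6577206461746528292e6765747965617228293d3d323031;"
    "3d777363726970742e6372656174656f626a65637428;"
    "2e7370656369616c666f6c6465727328;2b3d27"
)

# Constructed samples (not real malware): a loader-style script that should
# trigger every subsignature, and a short benign script that should not.
MALICIOUS_SAMPLE = (
    "if  (NEW Date().getYear()==2016) {\n"
    '  var ws=WScript.CreateObject("WScript.Shell");\n'
    '  var dir=ws.SpecialFolders("TEMP");\n'
    '  var s="";\n' + "  s+='A';\n" * 350 + "}\n"
)
BENIGN_SAMPLE = 'var ws=WScript.CreateObject("WScript.Shell"); var s=""; s+=\'x\';'


def parse_ldb(line):
    """Split a .ldb line into name, TDB block, logical expression and decoded subsigs."""
    name, tdb, logic, *hexsigs = line.strip().split(";")
    subsigs = [bytes.fromhex(h).decode("latin-1") for h in hexsigs]
    return name, tdb, logic, subsigs


def normalize(text):
    """Assumed approximation of ClamAV Target 7 (normalised text) handling:
    lower-case everything and collapse whitespace runs to a single space,
    so 'NEW  Date' and 'new date' look identical to the matcher."""
    return re.sub(r"\s+", " ", text).lower()


def count_subsigs(subsigs, text):
    """Return the number of (non-overlapping) hits per subsignature."""
    norm = normalize(text)
    return [norm.count(s) for s in subsigs]


def evaluate(logic, counts):
    """Evaluate a logical expression over per-subsig match counts.
    Supports the subset used in this thread: subsig ids, & and | (left to
    right), parentheses, and id>N / id<N / id=N count comparisons. ClamAV's
    real grammar is richer; this is an illustration, not a reimplementation."""
    tokens = re.findall(r"\d+|[&|()<>=]", logic)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def atom():
        if peek() == "(":
            take()
            val = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in logical expression")
            return val
        cnt = counts[int(take())]
        if peek() in ("<", ">", "="):
            op, n = take(), int(take())
            return {"<": cnt < n, ">": cnt > n, "=": cnt == n}[op]
        return cnt > 0  # a bare id means "matched at least once"

    def expr():
        val = atom()
        while peek() in ("&", "|"):
            op = take()
            rhs = atom()
            val = (val and rhs) if op == "&" else (val or rhs)
        return val

    return expr()


def scan(sig_line, text):
    """Apply one .ldb signature to a text; returns (name, counts, matched)."""
    name, _tdb, logic, subsigs = parse_ldb(sig_line)
    counts = count_subsigs(subsigs, text)
    return name, counts, evaluate(logic, counts)


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        name, counts, hit = scan(SIGNATURE, sample)
        print(f"{label}: counts={counts} -> {name if hit else 'no match'}")
```

The constructed loader sample deliberately varies case and spacing around the date check to show why Target 7 matters: without the normalisation step, subsig 0 would miss `NEW Date()` and the whole expression would fail. The benign script hits subsig 1 but only uses `+='` once, so the (3>300) clause keeps it clean, which is the FP reduction Ben describes.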
