[Community-sigs] signature of JS downloader

Jean-Baptiste Lanel jb at lanel.eu
Wed Nov 30 09:37:32 EST 2016


Hello,

Another one that caught 10 emails since yesterday:

  echo "JS.ActiveX.Downloader:7:*:6e657720616374697665786f626a656374282261646f64622e73747265616d22293b*6e657720616374697665786f626a6563742822777363726970742e7368656c6c22293b*6e657720616374697665786f626a656374282261646f64622e73747265616d22293b" |sigtool --decode-sigs
VIRUS NAME: JS.ActiveX.Downloader
TARGET TYPE: NORMALIZED ASCII TEXT
OFFSET: *
DECODED SIGNATURE:
new activexobject("adodb.stream"){WILDCARD_ANY_STRING}new activexobject("wscript.shell");{WILDCARD_ANY_STRING}new activexobject("adodb.stream");

(I'm not really confident with the naming convention)

Regards,

JB

On 2016-11-24 22:27, Jean-Baptiste Lanel wrote:
> Hello sigmakers,
>
> In case it may help, just received 3 mails caught by this :
>
> jb at newaude:~$ echo "JS.HILLARY.Downloader:7:*:28295d2822722c752c6e2c642c6c2c6c2c332c3222" |sigtool --decode-sigs
> VIRUS NAME: JS.HILLARY.Downloader
> TARGET TYPE: NORMALIZED ASCII TEXT
> OFFSET: *
> DECODED SIGNATURE:
> ()]("r,u,n,d,l,l,3,2."
>
> Regards,
>
> JB
>
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
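
Added example, not part of the original posts and not ClamAV code: a small checker for the Name:TargetType:Offset:HexSignature form used above, which decodes the hex parts and tests the signature against constructed, inert sample text before deployment. It handles only plain hex and the `*` wildcard, and `normalize()` is an assumed rough stand-in for ClamAV's text normalization (lowercase, collapsed whitespace).

```python
import re

# Signature copied from the post above (Name:TargetType:Offset:HexSignature).
SIG = ("JS.ActiveX.Downloader:7:*:"
       "6e657720616374697665786f626a656374282261646f64622e73747265616d22293b"
       "*6e657720616374697665786f626a6563742822777363726970742e7368656c6c22293b"
       "*6e657720616374697665786f626a656374282261646f64622e73747265616d22293b")

# Constructed, inert samples: declarations only, no download logic.
SAMPLE_HIT = (b'var a = new ActiveXObject("ADODB.Stream");\n'
              b'var b = new  ActiveXObject("WScript.Shell");\n'
              b'var c = new ActiveXObject("ADODB.Stream");\n')
SAMPLE_MISS = (b'var b = new ActiveXObject("WScript.Shell");\n'
               b'var a = new ActiveXObject("ADODB.Stream");\n')

def parse_ndb(line):
    """Split a signature into its fields; plain hex and '*' only."""
    name, target, offset, hexsig = line.strip().split(":")[:4]
    parts = hexsig.split("*")
    for p in parts:
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", p):
            raise ValueError("unsupported wildcard or bad hex: %r" % p)
    return {"name": name, "target": int(target), "offset": offset,
            "parts": [bytes.fromhex(p) for p in parts]}

def decode(sig):
    """Render the body the way the decoded output above shows it."""
    return "{WILDCARD_ANY_STRING}".join(
        p.decode("latin-1") for p in sig["parts"])

def normalize(data):
    """Assumption: approximate normalization as lowercase + single spaces."""
    return re.sub(rb"\s+", b" ", data.lower())

def matches(sig, data):
    """True if every part occurs in order, with any bytes in between."""
    if sig["offset"] != "*":
        raise ValueError("only offset '*' is handled here")
    if sig["target"] == 7:          # 7 = normalized ASCII text, as decoded above
        data = normalize(data)
    pos = 0
    for part in sig["parts"]:
        hit = data.find(part, pos)
        if hit < 0:
            return False
        pos = hit + len(part)
    return True

if __name__ == "__main__":
    s = parse_ndb(SIG)
    print(s["name"], decode(s), matches(s, SAMPLE_HIT), matches(s, SAMPLE_MISS))
```

Running the same check over a folder of known-good scripts gives a quick false-positive estimate before the signature goes into a local .ndb file.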



