[Community-sigs] Virus.Win32.Enerlam

Christopher Marczewski cmarczewski at sourcefire.com
Thu Sep 15 14:12:55 EDT 2016


Komal,

We didn't end up publishing the signature since it only alerted on one of
the six provided samples, and the signature was also targeting PE header
content (although this did encompass the strange section names 'Virus' &
'Host').

However, there were a good number of suspicious strings to alert on in
these samples, and I ended up writing four signatures to cover these
samples, as shown below:

Win.Virus.Enerlam-4;Engine:51-255,Target:1;(0&1);605669727573;60486f7374
Win.Virus.Enerlam-5;Engine:51-255,Target:1;(0&1);454e45524759;456e6572677920617265204d617272696564
Win.Virus.Enerlam-2:1:*:56697275732077696c6c206265207769746820594f5521
Win.Virus.Enerlam-3:1:*:56697220624F4479206C656E6774683D2564200D0A412076697220686173206265656E2073746172746564210D0A446F6E2774204265206166726169642C6E6F2064616D61676520636F646520616E6420696E66656374206F6E6C7920637572204469722E00736572206F6E65206469736B204F4B210048756D652050726F64756374696F6E2032303032

VIRUS NAME: Win.Virus.Enerlam-4
TDB: Engine:51-255,Target:1
LOGICAL EXPRESSION: (0&1)
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
`Virus
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
`Host

VIRUS NAME: Win.Virus.Enerlam-5
TDB: Engine:51-255,Target:1
LOGICAL EXPRESSION: (0&1)
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
ENERGY
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Energy are Married

VIRUS NAME: Win.Virus.Enerlam-2
TARGET TYPE: PE
OFFSET: *
DECODED SIGNATURE:
Virus will be with YOU!

VIRUS NAME: Win.Virus.Enerlam-3
TARGET TYPE: PE
OFFSET: *
DECODED SIGNATURE:
Vir bODy length=%d
A vir has been started!
Don't Be afraid,no damage code and infect only cur Dir.ser one disk OK!Hume Production 2002



Thanks again for the contribution!

On Mon, Sep 12, 2016 at 9:35 AM, Christopher Marczewski <cmarczewski at sourcefire.com> wrote:

> Hello Komal,
>
> Thank you for your submission. Your signature has been queued for FP
> testing.
>
> On Sat, Sep 10, 2016 at 9:27 AM, komal raskar <komal.raskar496 at gmail.com> wrote:
>
>>
>> signature looks for specific block of code:
>>
>> detection:
>>
>



-- 
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.430.7118
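As an added illustration (not code from the mail or from the ClamAV project), the following Python decodes the four signatures listed above the way the sigtool output does and evaluates each one, including the (0&1) logical expression of the two .ldb entries, against a constructed sample buffer. It handles only plain hex subsignatures and expressions built from ids, & and |, which is a deliberate simplification of ClamAV's full signature syntax.

```python
import re

# The four signatures from the mail above, copied verbatim: two .ldb logical
# signatures (name;TDB;expression;subsig;subsig...) and two .ndb signatures
# (name:target:offset:hexsig).
SIGS = [
    "Win.Virus.Enerlam-4;Engine:51-255,Target:1;(0&1);605669727573;60486f7374",
    "Win.Virus.Enerlam-5;Engine:51-255,Target:1;(0&1);454e45524759;456e6572677920617265204d617272696564",
    "Win.Virus.Enerlam-2:1:*:56697275732077696c6c206265207769746820594f5521",
    "Win.Virus.Enerlam-3:1:*:56697220624F4479206C656E6774683D2564200D0A412076697220686173206265656E2073746172746564210D0A446F6E2774204265206166726169642C6E6F2064616D61676520636F646520616E6420696E66656374206F6E6C7920637572204469722E00736572206F6E65206469736B204F4B210048756D652050726F64756374696F6E2032303032",
]

def parse_sig(line):
    """Return (name, logical expression, [decoded subsignatures]); an .ndb line
    becomes the one-subsig expression '0'. Simplification: plain hex only, no wildcards."""
    if ";" in line:                                  # .ldb format
        name, _tdb, expr, *subs = line.split(";")
    else:                                            # .ndb format
        name, _target, _offset, hexsig = line.split(":")
        expr, subs = "0", [hexsig]
    for s in subs:
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", s):
            raise ValueError(f"{name}: unsupported subsignature {s!r}")
    return name, expr, [bytes.fromhex(s) for s in subs]

def eval_logic(expr, hits):
    """Evaluate an expression such as (0&1) or (0|1)&2 over per-subsig hit flags.
    Only ids, &, | and parentheses pass the check, so eval() sees booleans and operators only."""
    if not re.fullmatch(r"[0-9&|()]+", expr):
        raise ValueError(f"unsupported logical expression {expr!r}")
    py = re.sub(r"\d+", lambda m: str(bool(hits[int(m.group())])), expr)
    return bool(eval(py, {"__builtins__": {}}))      # e.g. "(True&False)" -> False

def scan(data, sigs=SIGS):
    """Names of the signatures satisfied by `data`; offset ANY / '*' is a plain substring search."""
    matched = []
    for line in sigs:
        name, expr, subs = parse_sig(line)
        if eval_logic(expr, [sub in data for sub in subs]):
            matched.append(name)
    return matched

# Constructed sample (not a real file): a fake section table carrying the 'Host' and 'Virus'
# section names, each preceded by the 0x60 byte the -4 subsignatures expect, plus one string.
SAMPLE = b"\x20\x00\x00\x60Host\x00\x00\x00\x20\x00\x00\x60Virus\x00\x00Virus will be with YOU!"

if __name__ == "__main__":
    print(scan(SAMPLE))   # ['Win.Virus.Enerlam-4', 'Win.Virus.Enerlam-2']
```

A buffer containing only the `Virus section name does not satisfy (0&1), which is the point of pairing the two names in one logical signature rather than alerting on either alone.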
