* Andrew Salway via clamav-users <clamav-users@lists.clamav.net>:
> Many thanks Ralf for the speedy reply.
>
> Is it then triggered if the three strings (urldecode, msbuild.exe, .xml) are all present anywhere in a normalised ASCII file?
Probably. As long as the file is smaller than 2097152 bytes.
> # sigtool --find="Vbs.Trojan.AsyncRAT-9889434-1" | sigtool --decode
>
> VIRUS NAME: Vbs.Trojan.AsyncRAT-9889434-1
> TDB: Engine:90-255,FileSize:0-2097152,Target:7
>
> LOGICAL EXPRESSION: 0&1&2
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> urldecode
>
> * SUBSIG ID 1
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> msbuild.exe
>
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> .xml
>
> So it must be 0 AND 1 AND 2.
>
> 0 is urldecode ANYWHERE
> 1 is msbuild.exe ANYWHERE
> 2 is .xml ANYWHERE
--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155
ralf.hildebrandt@charite.de
https://www.charite.de
_______________________________________________
Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat
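Added example, not code from this thread and not ClamAV's own matcher: a small Python evaluator for the decoded signature quoted above. It parses the `sigtool --decode` dump verbatim (embedded below as constructed input), enforces the TDB FileSize range, treats each OFFSET: ANY / SIGMOD: NONE subsignature as a plain substring search, and evaluates the logical expression. Assumptions: the FileSize bound is treated as inclusive, `&` binds tighter than `|` (parenthesise if in doubt), ClamAV's match-count operators (e.g. `0>1`) are not modelled, and the caller passes data already in the Target 7 (normalised ASCII) form, because no normalisation is done here.

```python
import re

# Constructed input: the `sigtool --find ... | sigtool --decode` output
# quoted in the thread, reproduced here so the example runs offline.
DECODED_SIG = """\
VIRUS NAME: Vbs.Trojan.AsyncRAT-9889434-1
TDB: Engine:90-255,FileSize:0-2097152,Target:7

LOGICAL EXPRESSION: 0&1&2
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
urldecode

* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
msbuild.exe

* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
.xml
"""

SUBSIG_RE = re.compile(
    r"\* SUBSIG ID (\d+)\n\+-> OFFSET: (\S+)\n\+-> SIGMOD: (\S+)\n"
    r"\+-> DECODED SUBSIGNATURE:\n(.+)\n"
)


def parse_decoded(text):
    """Pull name, TDB fields, logical expression and subsigs out of a decode dump."""
    name = re.search(r"^VIRUS NAME: (.+)$", text, re.M).group(1)
    tdb_raw = re.search(r"^TDB: (.+)$", text, re.M).group(1)
    tdb = dict(field.split(":", 1) for field in tdb_raw.split(","))
    expr = re.search(r"^LOGICAL EXPRESSION: (.+)$", text, re.M).group(1)
    subsigs = {}
    for m in SUBSIG_RE.finditer(text):
        subsigs[int(m.group(1))] = {
            "offset": m.group(2),
            "sigmod": m.group(3),
            "pattern": m.group(4).encode("ascii"),
        }
    return {"name": name, "tdb": tdb, "expr": expr, "subsigs": subsigs}


def eval_expr(expr, hits):
    """Evaluate a logical expression over per-subsig hit flags.

    Supports subsig ids, '&', '|' and parentheses only; '&' is assumed to bind
    tighter than '|' (assumption, not taken from ClamAV). A hand-written
    recursive-descent parser is used instead of eval() on purpose.
    """
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError("unsupported logical expression: %r" % expr)
    pos = 0

    def parse_or():
        nonlocal pos
        v = parse_and()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            r = parse_and()  # always consume the right operand, no short-circuit
            v = v or r
        return v

    def parse_and():
        nonlocal pos
        v = parse_atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            r = parse_atom()
            v = v and r
        return v

    def parse_atom():
        nonlocal pos
        t = tokens[pos]
        pos += 1
        if t == "(":
            v = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            pos += 1
            return v
        return hits[int(t)]

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return result


def scan(sig, data):
    """Return True if `data` (bytes, already in the target's normalised form) triggers `sig`."""
    lo, hi = (int(x) for x in sig["tdb"]["FileSize"].split("-"))
    if not lo <= len(data) <= hi:  # TDB gate: outside the range the subsigs are never evaluated
        return False
    for s in sig["subsigs"].values():
        if s["offset"] != "ANY" or s["sigmod"] != "NONE":
            raise NotImplementedError("only OFFSET: ANY / SIGMOD: NONE subsigs are modelled")
    # OFFSET: ANY + SIGMOD: NONE reduces to "pattern occurs somewhere in the buffer"
    hits = {i: s["pattern"] in data for i, s in sig["subsigs"].items()}
    return eval_expr(sig["expr"], hits)


if __name__ == "__main__":
    sig = parse_decoded(DECODED_SIG)
    samples = {  # constructed sample buffers, not real malware
        "all three strings": b'x = urldecode(s): Run "msbuild.exe build.xml"',
        "missing .xml": b"urldecode msbuild.exe",
        "all three but over FileSize": b"urldecode msbuild.exe .xml" + b" " * 2097152,
    }
    for label, buf in samples.items():
        print("%-28s -> %s" % (label, sig["name"] if scan(sig, buf) else "clean"))
```

The third sample shows the point Ralf makes about the size limit: the three strings are present, but the TDB FileSize range is checked first, so the logical expression is never reached.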