Thank you all for your comments, very much appreciated

Tony

Date: Wed, 18 Feb 2015 12:28:11 -0700
From: ml-node+s1065346n114635...@n5.nabble.com
To: tiar...@hotmail.com
Subject: Re: Recent spate of Malicious VB attachments II
On Wed, 18 Feb 2015 14:16:02 -0500 Joe Quinn <[hidden email]> wrote:

> On 2/18/2015 2:10 PM, Reindl Harald wrote:
> > the source contains at least socket:// and heavy pulsating disk-IO
> > noticed from the RAID10 as long as the process was active - will give
> > it a try in an isolated VM to look what it does the next spare time
>
> Or if there was an SA-style classifier for malware that scores files
> in addition to "this is a keylogger".

A lot of the samples we see heavily obfuscate the VB code. Example:

    Sub h()
    ds = 99 + Sgn(98) + Sgn(902) + Sgn(-5)
    USER = Module1.Travel("username")
    jks = ds
    PST2 = "" + "" & "" & "a" + "do" & "be" & "ac" & "d-u" & "pd" & "a" & "te" & ""
    VBT2 = "" & "a" + Chr(100) + "o" & "b" & "ea" & "cd-up" & "da" & "te" & ""
    VBTXP2 = "" & "a" & Chr(100) & "o" & "be" + "ac" & "d-u" + "pd" + "atex" + "p" & ""
    BART2 = "" & "a" + Chr(100) & "o" & "b" & "e" + "ac" & "d-up" + "date" & ""
    PST1 = PST2 + "." + Chr(Asc("p")) + Chr(ds + 15) + "1" + ""
    VBT1 = VBT2 + "." + Chr(118) + "b" + Chr(Asc("s")) + ""
    VBTXP = VBTXP2 + "." + Chr(Asc("v")) + Chr(Asc("b")) + "s" + ""
    ... more of the same

This makes a simple-minded "strings" inadequate. :(

I've also seen highly-obfuscated JavaScript code that builds up strings and then evaluates them as JavaScript.

Regards,
David.

Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
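The point David makes is that the strings a macro like this builds never appear in the file, so `strings` sees only fragments and Chr() calls. The following is an added example, not code from the thread or from SpamAssassin: a small static constant-folder that walks the assignments of the quoted procedure in order, resolves literal concatenation, Chr()/Asc()/Sgn() and previously assigned variables, and reports the strings that result. Anything it cannot evaluate statically (here the `Module1.Travel("username")` call) is simply left unresolved rather than guessed at. The sample procedure is embedded as constructed input, copied from the quoted message; the `fold_strings` and `suspicious_strings` names are this example's own.

```python
"""Static constant-folding of VBA string-building expressions (added example)."""
import re

# Constructed sample input: the obfuscated procedure quoted in the thread.
SAMPLE_VBA = '''
Sub h()
ds = 99 + Sgn(98) + Sgn(902) + Sgn(-5)
USER = Module1.Travel("username")
jks = ds
PST2 = "" + "" & "" & "a" + "do" & "be" & "ac" & "d-u" & "pd" & "a" & "te" & ""
VBT2 = "" & "a" + Chr(100) + "o" & "b" & "ea" & "cd-up" & "da" & "te" & ""
VBTXP2 = "" & "a" & Chr(100) & "o" & "be" + "ac" & "d-u" + "pd" + "atex" + "p" & ""
BART2 = "" & "a" + Chr(100) & "o" & "b" & "e" + "ac" & "d-up" + "date" & ""
PST1 = PST2 + "." + Chr(Asc("p")) + Chr(ds + 15) + "1" + ""
VBT1 = VBT2 + "." + Chr(118) + "b" + Chr(Asc("s")) + ""
VBTXP = VBTXP2 + "." + Chr(Asc("v")) + Chr(Asc("b")) + "s" + ""
End Sub
'''

# String literal (VBA doubles a quote to escape it), integer, dotted name, or one punctuation char.
TOKEN_RE = re.compile(r'\s*(?:("(?:[^"]|"")*")|(\d+)|([A-Za-z_][\w.]*)|(.))')
ASSIGN_RE = re.compile(r'^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')


def tokenize(expr):
    """Split one VBA expression into (kind, value) tokens."""
    tokens = []
    for s, n, name, punct in TOKEN_RE.findall(expr):
        if s:
            tokens.append(("str", s[1:-1].replace('""', '"')))
        elif n:
            tokens.append(("num", int(n)))
        elif name:
            tokens.append(("name", name))
        elif punct.strip():
            tokens.append(("op", punct))
    return tokens


class Unresolved(Exception):
    """The expression depends on something we refuse to evaluate statically."""


class Evaluator:
    """Recursive-descent evaluator for '+', '&', '-', parentheses and Chr/Asc/Sgn."""

    def __init__(self, env):
        self.env = env  # names assigned earlier in the procedure

    def eval(self, expr):
        self.toks, self.pos = tokenize(expr), 0
        value = self.expr()
        if self.pos != len(self.toks):
            raise Unresolved(expr)
        return value

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else (None, None)

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expect(self, punct):
        if self.take() != ("op", punct):
            raise Unresolved("expected " + punct)

    def expr(self):
        left = self.term()
        while self.peek()[0] == "op" and self.peek()[1] in ("+", "&", "-"):
            op = self.take()[1]
            right = self.term()
            if op == "&":                                   # '&' always concatenates
                left = str(left) + str(right)
            elif isinstance(left, int) and isinstance(right, int):
                left = left + right if op == "+" else left - right
            elif op == "+" and isinstance(left, str) and isinstance(right, str):
                left = left + right                         # '+' on two strings concatenates
            else:
                raise Unresolved("mixed string/number arithmetic")  # VBA coerces; don't guess
        return left

    def term(self):
        kind, val = self.take()
        if kind in ("str", "num"):
            return val
        if kind == "op" and val == "-":                     # unary minus, e.g. Sgn(-5)
            inner = self.term()
            if isinstance(inner, int):
                return -inner
            raise Unresolved("unary minus on string")
        if kind == "op" and val == "(":
            inner = self.expr()
            self.expect(")")
            return inner
        if kind == "name":
            if self.peek() == ("op", "("):                  # function call with one argument
                self.take()
                arg = self.expr()
                self.expect(")")
                return self.call(val, arg)
            if val in self.env:
                return self.env[val]
        raise Unresolved(str(val))

    def call(self, fn, arg):
        fn = fn.lower()
        if fn == "chr" and isinstance(arg, int):
            return chr(arg)
        if fn == "asc" and isinstance(arg, str) and arg:
            return ord(arg[0])
        if fn == "sgn" and isinstance(arg, int):
            return (arg > 0) - (arg < 0)
        raise Unresolved(fn)  # e.g. Module1.Travel: opaque to static folding


def fold_strings(vba_source):
    """Evaluate assignments in order; return {name: value} for every one that resolves."""
    env = {}
    ev = Evaluator(env)
    for line in vba_source.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, rhs = m.groups()
        try:
            env[name] = ev.eval(rhs)
        except Unresolved:
            pass  # skip; later lines that depend on this name stay unresolved too
    return env


def suspicious_strings(vba_source, min_len=6):
    """Distinct resolved string values long enough to feed a reviewer or a rule."""
    return sorted({v for v in fold_strings(vba_source).values()
                   if isinstance(v, str) and len(v) >= min_len})


if __name__ == "__main__":
    for name, value in fold_strings(SAMPLE_VBA).items():
        print(f"{name} = {value!r}")
```

Running it over the quoted procedure resolves `ds` to 100 and turns the fragment soup into `adobeacd-update.ps1`, `adobeacd-update.vbs` and `adobeacd-updatexp.vbs`, which is exactly the kind of output a file-name or script-extension rule can match where a plain `strings` pass cannot. The folder is deliberately conservative: mixed string/number arithmetic and unknown calls raise `Unresolved` instead of emulating VBA's coercion rules, so it never reports a string the macro would not actually build.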