On Wed, 09 Sep 2015 09:23:44 +0200 Benny Pedersen <m...@junc.eu> wrote:
I would run "strings vbaProject.bin" and make a ClamAV signature based
on it
On 09.09.15 10:44, Dianne Skoll wrote:
ClamAV is totally useless.
Do you mean generally, or in this case?
Here's a trick: Macro viruses must define a subroutine called "Document_Open".
So finding the string "Document_Open" case-insensitively in an MS
Office file is a red flag. If you don't find it directly, use
unzip -p (the so called "pipe mode") to look for that same string
case-insensitively in the more modern MS Office files, which are really
just zip files in disguise.
There will be some false-positives because some legitimate MS Office files
(boooo....) auto-execute macros on document open, but IMO the danger posed
by macro viruses makes the tradeoff worth it.
I believe some people will argue against this ;-)
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was a Windows 95 beta test site.
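The Document_Open check described in the post above, as an added Python example that is not part of the thread: legacy OLE files are scanned as a flat byte string, and OOXML files (zip archives) are walked member by member with zipfile, which is what "unzip -p FILE | grep -i document_open" does from the shell. The sample documents are constructed inside the block and are not real Office files.

```python
"""Heuristic scan for the VBA "Document_Open" auto-run handler in Office files.

Added example, not code from the thread. Legacy binary files (.doc/.xls, OLE
compound files) are scanned as a flat byte string; OOXML files (.docx/.docm,
really zip archives) are opened with zipfile and every member is scanned,
which is the "unzip -p" approach from the post.
"""
import io
import re
import sys
import zipfile

# Case-insensitive byte pattern for the handler name mentioned in the post.
MARKER = re.compile(rb"document_open", re.IGNORECASE)
ZIP_MAGIC = b"PK\x03\x04"                          # zip local file header
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy OLE2 compound file


def find_document_open(data: bytes) -> list:
    """Return (member_name, offset) for every hit; member_name is '' for flat files."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                hits = []
                for info in zf.infolist():
                    member = zf.read(info)  # decompressed content, like unzip -p
                    hits.extend((info.filename, m.start())
                                for m in MARKER.finditer(member))
                return hits
        except zipfile.BadZipFile:
            pass  # looked like a zip but is not; fall back to a flat scan
    return [("", m.start()) for m in MARKER.finditer(data)]


def is_suspicious(data: bytes) -> bool:
    """True if the auto-open handler name appears anywhere in the file."""
    return bool(find_document_open(data))


def _make_docx(members: dict) -> bytes:
    """Build a minimal zip with the given members (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples; none of these are real Office documents.
SAMPLE_LEGACY_DOC = (OLE_MAGIC + b"\x00" * 24
                     + b'Attribute VB_Name = "ThisDocument"\r\n'
                     + b'Sub DOCUMENT_OPEN()\r\n  MsgBox "hi"\r\nEnd Sub\r\n')
SAMPLE_CLEAN_DOCX = _make_docx({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document>Quarterly report</w:document>",
})
SAMPLE_MACRO_DOCM = _make_docx({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document>Enable content to view</w:document>",
    "word/vbaProject.bin": OLE_MAGIC + b"\x00" * 24
                           + b"Private Sub Document_Open()\r\nEnd Sub\r\n",
})


def scan_file(path: str) -> list:
    """Scan one file on disk and return its hits."""
    with open(path, "rb") as fh:
        return find_document_open(fh.read())


if __name__ == "__main__":
    for path in sys.argv[1:]:
        hits = scan_file(path)
        print(f"{path}: {'SUSPICIOUS' if hits else 'clean'} {hits}")
```

Two caveats worth keeping in mind: the check fires on any auto-open macro, benign or not, as the post already notes; and because VBA module source inside vbaProject.bin is stored compressed (MS-OVBA compression), a raw byte search can miss the handler name, so a tool that decompresses the VBA streams is a stronger second step.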