On Thu, 26 Aug 2004 23:32:56 +0200 Daniel Lord <[EMAIL PROTECTED]> wrote:
> Hi List,
>
> just put something together to aid me in generating signatures
> for my database. Perhaps someone likes it. Just use your favorite
> hex editor (vim :%!xxd) and get a good offset value.
>
> ./siggen virus.exe 0FF337
>
> you get a 300 character signature which you (probably) have to cut a
> bit and give it an appropriate name.

Such a method may lead to false positives. The CVS version of ClamAV
allows users to create their own signatures for static malware in a
very simple manner - by using MD5 hashes. The format is

MD5:Size:MalwareName[:Alias1,Alias2,Alias3,...,AliasN]

Example:

[EMAIL PROTECTED]:/tmp/malware$ ls -l
total 969
-rw-r--r-- 1 zolw zolw 990208 Aug 27 00:43 test.exe
[EMAIL PROTECTED]:/tmp/malware$ md5sum test.exe
dfcd1da74cd5ec997f5f311800919e29 test.exe

The signature is

dfcd1da74cd5ec997f5f311800919e29:990208:Test-Signature

Save it in a *.hdb file and install in your clamav-db directory.

-- 
   oo    .....       Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.........     http://www.ClamAV.net/gpg/tkojm.gpg
     \..........._   0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\      Fri Aug 27 00:40:29 CEST 2004
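
Added example (not part of the original message and not ClamAV code): Python that builds a line in the MD5:Size:MalwareName[:Alias1,...] format described in the reply, validates such lines, and shows that a match requires the file to be byte-for-byte identical. The function names and the temp-file sample are assumptions made for illustration; the matching logic illustrates the format only, not ClamAV's scanner.

```python
import hashlib
import os
import re
import tempfile

# MD5:Size:MalwareName[:Alias1,Alias2,...] as given in the message above.
HDB_LINE = re.compile(r"^([0-9a-f]{32}):(\d+):([^:\s]+)(?::(.*))?$")

def file_md5_and_size(path, chunk=65536):
    """Stream the file so large samples are not read into memory at once."""
    digest, size = hashlib.md5(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
            size += len(block)
    return digest.hexdigest(), size

def make_hdb_line(path, name):
    """Build an MD5:Size:MalwareName line for one file."""
    if not name or re.search(r"[:\s]", name):
        raise ValueError(f"unusable signature name: {name!r}")
    md5, size = file_md5_and_size(path)
    return f"{md5}:{size}:{name}"

def parse_hdb_line(line):
    """Return (md5, size, name, aliases) or raise ValueError if malformed."""
    m = HDB_LINE.match(line.strip())
    if not m:
        raise ValueError(f"malformed .hdb line: {line!r}")
    md5, size, name, aliases = m.groups()
    return md5, int(size), name, (aliases.split(",") if aliases else [])

def match_file(path, hdb_lines):
    md5, size = file_md5_and_size(path)
    for line in hdb_lines:
        sig_md5, sig_size, name, _ = parse_hdb_line(line)
        if sig_size == size and sig_md5 == md5:  # both fields must agree
            return name
    return None

def demo():
    # Constructed sample: a harmless temp file stands in for test.exe.
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "test.exe")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample bytes\n" * 4)
        db = [make_hdb_line(sample, "Test-Signature")]
        before = match_file(sample, db)
        with open(sample, "ab") as fh:  # one extra byte changes size and MD5
            fh.write(b"\x00")
        return db[0], before, match_file(sample, db)
```

A hash signature of this kind avoids the false positives mentioned in the reply, at the cost of missing any variant that differs by even one byte.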