Diego d'Ambra wrote:
Steve Brown wrote:
I've noticed that today's (maybe also recent versions) development
version of clam no longer detects W32/Mytob-BP (Sophos).
I have several samples which are declared fine by ClamAV
(devel-20050721/985/Thu Jul 21 13:14:39 2005), but correctly flagged as
infected by both another server not quite as current (ClamAV
devel-20050627/985/Thu Jul 21 13:14:39 2005; Worm.Mytob.FJ FOUND) and
also by the online scanner:
"Result:
This virus is already recognized by ClamAV 0.86.1/984/Tue Jul 19
11:16:09 2005 (timezone: +0200 ) as Worm.Mytob.FJ ."
Signature Worm.Mytob.FJ was updated in daily 985 (due to fp) - are you
sure that your samples are detected by 0.86.1/985?
I've reviewed the sample submitted by Steve and can conclude that both CVS
and 0.86.1 don't detect this Mytob variant.
Previous signature matched the w32 packer, but unfortunately it also
matched non-virus binaries.
The new Worm.Mytob.FJ signature (only) matches a specific variant.
A signature to match the variant reported by Steve will be included with the next
db update.
Best regards,
Diego d'Ambra