Erik Corry wrote:
> On Tue, Jan 24, 2006 at 06:40:12PM -0500, Mike Robinson wrote:
>   
>> I've tried submitting a new Mytob variant over the last 2 days (still
>> not being detected by ClamAV) and I've still not got a response....I
>>     
>
> The following signature seems to detect the Mytob variants on my system:
>
> Suspicious.HTML.javascript2=756e6573636170652822253636
>
> Put it in a file called local.db in the same directory as your main.cvd
> and daily.cvd files.  It searches for the string:
>
> unescape ("%66
>
> (only without the space) in a mail, so it will get some false positives.
Here is the rule that I have made for this new Mytob variant.

This needs to go into a .ndb file in the same directory.  It actually
detects a hex string from the included .pif file...no false positives
from it...

Worm.Mytob.ZZZ:0:*:1c4f74750d4ae0497e7f0f54f4537879115ef85d42435058cc274c4d5c22d0215657a32ca42b50518636a8355a5b1d:0

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
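
The two signature lines from this thread, decoded and run against a constructed harmless HTML mail to show why the short one is prone to false positives. This is an added example, not part of the original messages and not ClamAV code; the matcher is a plain substring search, and `parse_signature`, `scan` and the sample mail are names and data made up here.

```python
# Added example: simplified substring matcher, not ClamAV's scanning engine.
# Signature lines exactly as posted in the thread.
DB_LINE = "Suspicious.HTML.javascript2=756e6573636170652822253636"
NDB_LINE = ("Worm.Mytob.ZZZ:0:*:1c4f74750d4ae0497e7f0f54f4537879115ef85d"
            "42435058cc274c4d5c22d0215657a32ca42b50518636a8355a5b1d:0")


def parse_signature(line):
    """Return (name, pattern_bytes) for a .db or .ndb line with a plain hex body."""
    line = line.strip()
    if "=" in line:
        # .db format: Name=HexSignature
        name, hex_body = line.split("=", 1)
    else:
        # .ndb format: Name:TargetType:Offset:HexSignature[:optional fields]
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError("not a .db or .ndb signature line")
        name, hex_body = fields[0], fields[3]
    # bytes.fromhex rejects wildcards (??, *, {n}); neither posted signature uses them.
    return name, bytes.fromhex(hex_body)


def scan(data, signature_lines):
    """Return the names of signatures whose byte pattern occurs anywhere in data."""
    hits = []
    for line in signature_lines:
        name, pattern = parse_signature(line)
        if pattern in data:
            hits.append(name)
    return hits


# Constructed sample: a harmless HTML mail that hides an address from scrapers.
BENIGN_MAIL = (b'<html><script>document.write('
               b'unescape("%66%6f%6f%40example.org"))</script></html>')

if __name__ == "__main__":
    for line in (DB_LINE, NDB_LINE):
        name, pattern = parse_signature(line)
        print(f"{name}: {len(pattern)} bytes, {pattern!r}")
    # The 13-byte text pattern fires on the harmless mail; the 47-byte one does not.
    print("benign mail hits:", scan(BENIGN_MAIL, [DB_LINE, NDB_LINE]))
```
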