On Wed, Jan 25, 2006 at 01:19:58PM -0500, Mike Robinson wrote:
> Erik Corry wrote:
> >
> > The following signature seems to detect the Mytob variants on my system:
> >
> > Suspicious.HTML.javascript2=756e6573636170652822253636
> >
> > Put it in a file called local.db in the same directory as your main.cvd
> > and daily.cvd files. It searches for the string:
> >
> > unescape ("%66
> >
> > (only without the space) in a mail, so it will get some false positives.
>
> Here is the rule that I have made for this new mytob variant.
>
> This needs to go into a .ndb file in the same directory. It actually
> detects a hex string from the included .pif file...no false positives
> from it...
>
> Worm.Mytob.ZZZ:0:*:1c4f74750d4ae0497e7f0f54f4537879115ef85d42435058cc274c4d5c22d0215657a32ca42b50518636a8355a5b1d:0

Sorry, the signature I posted above is for undetected Feebs variants. I got my viruses mixed up. I haven't actually seen any false positives for my pattern.

--
Erik Corry
[EMAIL PROTECTED]
In this way the infinite-dimensional invariance group erodes the distinction between observer and observed; the pi of Euclid and the G of Newton, formerly thought to be constant and universal, are now perceived in their ineluctable historicity;

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
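
The two signature lines quoted in this thread, parsed and decoded, as an added example that is not part of the original messages or of ClamAV's own code. The helper names and the sample buffers are constructed for illustration, and only plain hex bodies with the "any offset" marker `*` are handled.

```python
# Signature lines copied verbatim from the thread above.
DB_LINE = "Suspicious.HTML.javascript2=756e6573636170652822253636"
NDB_LINE = ("Worm.Mytob.ZZZ:0:*:1c4f74750d4ae0497e7f0f54f4537879115ef85d"
            "42435058cc274c4d5c22d0215657a32ca42b50518636a8355a5b1d:0")

def parse_db(line):
    """Basic .db entry: Name=HexSig, matched anywhere in any file type."""
    name, hexsig = line.strip().split("=", 1)
    return {"name": name, "target": 0, "offset": "*",
            "pattern": bytes.fromhex(hexsig), "flevels": []}

def parse_ndb(line):
    """Extended .ndb entry: Name:TargetType:Offset:HexSig[:MinFL[:MaxFL]]."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("expected at least 4 colon-separated fields")
    name, target, offset, hexsig = fields[:4]
    # bytes.fromhex raises ValueError on wildcards (??, *, {n}); this sketch
    # only handles plain hex bodies like the two in the thread.
    return {"name": name, "target": int(target), "offset": offset,
            "pattern": bytes.fromhex(hexsig), "flevels": fields[4:]}

def matches(sig, data):
    """Substring match for 'any offset' signatures (offset field '*')."""
    if sig["offset"] != "*":
        raise NotImplementedError("only offset '*' is handled here")
    return sig["pattern"] in data

# Constructed sample buffers (not taken from any real message).
SAMPLE_HTML = b'<script>document.write(unescape("%66%6f%6f"));</script>'
SAMPLE_SPACED = b'unescape ("%66'  # with the space, as typed in the mail

if __name__ == "__main__":
    db, ndb = parse_db(DB_LINE), parse_ndb(NDB_LINE)
    print(db["name"], "searches for", db["pattern"])
    print("constructed HTML matches:", matches(db, SAMPLE_HTML))
    print("spaced variant matches:", matches(db, SAMPLE_SPACED))
    print(ndb["name"], "pattern length:", len(ndb["pattern"]), "bytes")
```

The 13-byte `.db` pattern matches any buffer containing that short JavaScript fragment, while the 47-byte `.ndb` pattern is tied to one specific byte run.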