Erik Corry wrote:
On Wed, Jan 25, 2006 at 01:19:58PM -0500, Mike Robinson wrote:
> Erik Corry wrote:
> >
> > The following signature seems to detect the Mytob variants on my system:
> >
> > Suspicious.HTML.javascript2=756e6573636170652822253636
> >
> > Put it in a file called local.db in the same directory as your main.cvd
> > and daily.cvd files. It searches for the string:
> >
> > unescape ("%66
> >
> > (only without the space) in a mail, so it will get some false
> > positives.
>
> Here is the rule that I have made for this new mytob variant.
>
> This needs to go into a .ndb file in the same directory. It actually
> detects a hex string from the included .pif file...no false positives
> from it...
>
I haven't seen any Feebs variants using a .pif file - only emails with a
zip archive containing a .hta file.
>
Worm.Mytob.ZZZ:0:*:1c4f74750d4ae0497e7f0f54f4537879115ef85d42435058cc274c4d5c22d0215657a32ca42b50518636a8355a5b1d:0
From the samples (feebs-a, feebs-b, feebs-c) I've access to, that
signature unfortunately isn't detecting any.
Could you explain what you're matching, thanks.
Sorry, the signature I posted above is for undetected Feebs variants. I
got my viruses mixed up.
Best regards,
Diego d'Ambra
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
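
Added example, not part of the original thread: a small Python sketch that parses the two signature lines quoted above (the Name=Hex form for local.db and the Name:TargetType:Offset:Hex form for a .ndb file), decodes the hex, and runs a plain substring match over two constructed mail bodies to show why the first signature produces false positives. The function names and sample bodies are assumptions made for illustration; only plain hex with offset "*" is handled, and the trailing field of the .ndb line is kept without interpretation.

```python
# Signature lines copied verbatim from the thread.
DB_LINE = "Suspicious.HTML.javascript2=756e6573636170652822253636"
NDB_LINE = ("Worm.Mytob.ZZZ:0:*:"
            "1c4f74750d4ae0497e7f0f54f4537879115ef85d42435058"
            "cc274c4d5c22d0215657a32ca42b50518636a8355a5b1d:0")

# Constructed sample bodies (harmless): the first decodes to "foo", the second to "bar".
MAIL_F = b'<script>document.write(unescape("%66%6f%6f"))</script>'
MAIL_OTHER = b'<script>document.write(unescape("%62%61%72"))</script>'


def parse_db(line):
    """Basic .db entry: Name=HexSignature, matched anywhere in any file."""
    name, hexsig = line.strip().split("=", 1)
    # bytes.fromhex raises ValueError on wildcards, which this sketch does not support.
    return {"name": name, "target": "0", "offset": "*",
            "pattern": bytes.fromhex(hexsig), "extra": []}


def parse_ndb(line):
    """Extended .ndb entry: Name:TargetType:Offset:HexSignature[:further fields]."""
    name, target, offset, hexsig, *extra = line.strip().split(":")
    return {"name": name, "target": target, "offset": offset,
            "pattern": bytes.fromhex(hexsig), "extra": extra}


def scan(sig, data):
    """Return every offset in data where the signature's byte pattern occurs."""
    if sig["offset"] != "*":
        raise NotImplementedError("only offset '*' (any position) is handled")
    hits, pos = [], data.find(sig["pattern"])
    while pos != -1:
        hits.append(pos)
        pos = data.find(sig["pattern"], pos + 1)
    return hits


if __name__ == "__main__":
    db, ndb = parse_db(DB_LINE), parse_ndb(NDB_LINE)
    print(db["name"], "matches the literal bytes", db["pattern"])
    print(ndb["name"], "target", ndb["target"], "offset", ndb["offset"],
          "pattern length", len(ndb["pattern"]), "bytes")
    for label, body in (("MAIL_F", MAIL_F), ("MAIL_OTHER", MAIL_OTHER)):
        print(label, "javascript2 hits:", scan(db, body),
              "binary signature hits:", scan(ndb, body))
```

The first body is flagged although it only writes "foo": the signature fires on any mail whose unescape() argument starts with %66, which is the false-positive risk mentioned in the thread.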