Erik Corry wrote:
> On Wed, Jan 25, 2006 at 09:55:10PM +0100, Diego d'Ambra wrote:
> > Erik Corry wrote:
> > >
> > >Suspicious.HTML.javascript2=756e6573636170652822253636
> > >
> > >Put it in a file called local.db in the same directory as your main.cvd
> > >and daily.cvd files. It searches for the string:
> > >
> > >unescape ("%66
> > >
> > >(only without the space) in a mail, so it will get some false positives.
> >
> > Large number of Feebs-C variants isn't detected by that signature, sorry.
>
> That's not a problem for me if those Feebs-C variants are already
> detected by the official clamav database.

Unfortunately that isn't the case, but I'm working on it :-)

> This pattern detects the
> Feebs variants that I have seen that clamav doesn't already cover.

If you try to "breed" a Feebs sample you'll see that it's able to mutate
- creating emails with (almost) unique .hta files.

Anyway you may want to improve your signature by changing it to the
newer .ndb format - e.g.:

Suspicious.HTML.javascript2:3:*:756e6573636170652822253636

This ensures that the signature is only tried against files identified
as HTML.

Best regards,
Diego d'Ambra
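
The two signature lines quoted in this thread, parsed and compared in an added example that is not part of the original mails. It assumes plain-hex signatures with the `*` offset only, takes the file type as an input instead of detecting it, and does not emulate ClamAV's HTML normalization; `parse_sig`, `to_ndb` and `matches` are hypothetical helper names.

```python
import binascii
from typing import NamedTuple

class Sig(NamedTuple):
    name: str
    target: int      # .ndb target type: 0 = any file, 3 = HTML, 4 = mail
    offset: str      # "*" means "anywhere in the file"
    pattern: bytes   # decoded hex body

def parse_sig(line: str) -> Sig:
    """Parse a plain-hex .db (Name=Hex) or .ndb (Name:Target:Offset:Hex) line."""
    line = line.strip()
    if "=" in line and ":" not in line:
        name, hexsig = line.split("=", 1)
        target, offset = 0, "*"          # old .db format: tried against any file
    else:
        name, target_s, offset, hexsig = line.split(":")[:4]
        target = int(target_s)
    if any(c in hexsig for c in "?*{}()"):
        raise ValueError("wildcard signatures are outside this example")
    return Sig(name, target, offset, binascii.unhexlify(hexsig))

def to_ndb(sig: Sig, target: int) -> str:
    """Re-emit a signature as an .ndb line restricted to one target type."""
    return f"{sig.name}:{target}:{sig.offset}:{sig.pattern.hex()}"

def matches(sig: Sig, data: bytes, file_type: int) -> bool:
    """True if the signature is tried for this file type and its bytes occur."""
    if sig.offset != "*":
        raise ValueError("only the '*' offset is handled here")
    if sig.target not in (0, file_type):
        return False                     # target gating: signature is never tried
    return sig.pattern in data

# Constructed sample: harmless text that merely quotes the matched string.
SAMPLE = b'In the script I saw document.write(unescape("%66%6f%6f")); what is it?'

if __name__ == "__main__":
    old = parse_sig("Suspicious.HTML.javascript2=756e6573636170652822253636")
    new = parse_sig(to_ndb(old, 3))
    print("pattern bytes:", old.pattern)
    print("as .ndb      :", to_ndb(old, 3))
    print("old sig, plain mail text:", matches(old, SAMPLE, 4))
    print("new sig, plain mail text:", matches(new, SAMPLE, 4))
    print("new sig, HTML part      :", matches(new, SAMPLE, 3))
```

The plain-text hit from the `local.db` form is the kind of false positive the first mail mentions; the `.ndb` form with target type 3 skips that data entirely.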