On Thu, Jan 26, 2006 at 10:24:57AM +0100, Diego d'Ambra wrote:
> Erik Corry wrote:
> >On Wed, Jan 25, 2006 at 09:55:10PM +0100, Diego d'Ambra wrote:
> > > Erik Corry wrote:
> > > >
> > > >Suspicious.HTML.javascript2=756e6573636170652822253636
> > > >
> > > >Put it in a file called local.db in the same directory as your main.cvd
> > > >and daily.cvd files. It searches for the string:
> > > >
> > > >unescape ("%66
> > > >
> > > >(only without the space) in a mail, so it will get some false positives.
> > >
> > > Large number of Feebs-C variants isn't detected by that signature, sorry.
> >
> >That's not a problem for me if those Feebs-C variants are already
> >detected by the official clamav database.
>
> Unfortunately that isn't the case, but I'm working on it :-)

How about:

JS.Feebs-C.variant-ec:3:*:756e6573636170652822(253636|66)(253735|75)(253665|6e)(253633|63)*(253237|27)(253237|27)(253263|2c)??(253263|2c)??(253263|2c)??(253263|2c)

Matches unescape("func followed by '',?,?,?,
Where the stuff after " can be hex escaped

-- 
Erik Corry [EMAIL PROTECTED]
In this way the infinite-dimensional invariance group erodes
the distinction between observer and observed; the pi of Euclid
and the G of Newton, formerly thought to be constant and universal,
are now perceived in their ineluctable historicity;
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
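
Added example (not part of the original thread and not ClamAV code): a small translator from the body-pattern syntax used in the signature above (hex literals, `(a|b)` alternatives, `??`, `*`) to a Python regex, so the pattern can be checked against sample strings before it goes into local.db. It matches raw bytes and skips ClamAV's HTML normalisation, which is a simplification; the sample strings are constructed.

```python
import re

# .ndb line layout: Name:Target:Offset:HexSig (target 3 = normalised HTML).
# This copy writes the escaped 'n' and ',' alternatives as 253665 ("%6e")
# and 253263 ("%2c").
SIG = ("JS.Feebs-C.variant-ec:3:*:756e6573636170652822(253636|66)(253735|75)"
       "(253665|6e)(253633|63)*(253237|27)(253237|27)(253263|2c)??"
       "(253263|2c)??(253263|2c)??(253263|2c)")

TOKEN = re.compile(r"\(([0-9a-f|]+)\)|(\*)|(\?\?)|([0-9a-f]{2})", re.I)

def lit(hexrun):
    """Hex digits -> regex fragment matching exactly those bytes."""
    return re.escape(bytes.fromhex(hexrun))

def compile_body(hexsig):
    """Translate the subset of body syntax used above into a bytes regex."""
    out, pos = [], 0
    while pos < len(hexsig):
        m = TOKEN.match(hexsig, pos)
        if not m:
            raise ValueError(f"unsupported token at offset {pos}")
        alts, star, anybyte, byte = m.groups()
        if alts:                      # (aa|bb): one of the alternatives
            out.append(b"(?:" + b"|".join(lit(a) for a in alts.split("|")) + b")")
        elif star:                    # *: any number of bytes
            out.append(b".*?")
        elif anybyte:                 # ??: exactly one arbitrary byte
            out.append(b".")
        else:                         # plain hex byte
            out.append(lit(byte))
        pos = m.end()
    return re.compile(b"".join(out), re.DOTALL)

def scan(sig_line, data):
    """Return the signature name if its body matches anywhere in data, else None."""
    name, _target, _offset, body = sig_line.split(":", 3)
    return name if compile_body(body).search(data) else None

# Constructed, inert test strings shaped like the text the pattern describes.
SAMPLES = {
    "plain":   b"x=unescape(\"function(){}'',a,b,c,\")",
    "escaped": b"x=unescape(\"%66%75%6e%63%74ion%27%27%2c1%2c2%2c3%2c",
    "mixed":   b"unescape(\"%66un%63tion''%2c0,1%2c2,",
    "other":   b"unescape(\"%66oo%27%27,1,2,3,",   # "%66" alone is not enough
    "benign":  b"document.write(unescape(\"hello\"))",
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:8} -> {scan(SIG, data)}")
```

The "other" sample is the kind of input the earlier `unescape("%66` signature would flag but this narrower pattern does not.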