Erik Corry wrote:
> On Thu, Jan 26, 2006 at 10:24:57AM +0100, Diego d'Ambra wrote:
> > Erik Corry wrote:
> > >On Wed, Jan 25, 2006 at 09:55:10PM +0100, Diego d'Ambra wrote:
> > > > Erik Corry wrote:
> > > > >
> > > > >Suspicious.HTML.javascript2=756e6573636170652822253636
> > > > >
> > > > >Put it in a file called local.db in the same directory as your main.cvd
> > > > >and daily.cvd files. It searches for the string:
> > > > >
> > > > >unescape ("%66
> > > > >
> > > > >(only without the space) in a mail, so it will get some false positives.
> > > >
> > > > A large number of Feebs-C variants aren't detected by that signature, sorry.
> > >
> > >That's not a problem for me if those Feebs-C variants are already
> > >detected by the official clamav database.
> >
> > Unfortunately that isn't the case, but I'm working on it :-)
> How about:
> JS.Feebs-C.variant-ec:3:*:756e6573636170652822(253636|66)(253735|75)(253665|6e)(253663|63)*(253237|27)(253237|27)(253263|2c)??(253263|2c)??(253263|2c)??(253263|2c)
> Matches
> unescape("func
> followed by
> '',?,?,?,
> where the stuff after " can be hex escaped.
Hmm - not a bad idea, thanks :-)
The signature above is still missing variants, but I think with some
minor adjustments it can match them all.
I just released a new daily db with signatures that match all currently
missed Feebs variants, but I think your approach is better.
If FP's are reported (or new samples missed), I'll definitely use your
suggestion.
Best regards,
Diego d'Ambra
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
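Added example, not code from the thread or from ClamAV: a small Python translator for the ndb hex syntax Erik used, applied to his signature body both as posted and with the `%6e` and `%2c` escapes corrected to `253665` and `253263` (the posted `3e` and `3c` are the bytes for `>` and `<`, so the escaped form of `n` and `,` could never match). The samples are constructed; they show that `??` still stands for exactly one raw byte between escaped commas and that the byte match is case-sensitive, so `%6E` is missed.

```python
import re

# Hex body of the JS.Feebs-C.variant-ec signature as posted in the thread, and
# the same body with the two mistyped pairs fixed: '%6e' and '%2c' need 65 and
# 63 for the letters e and c (3e and 3c are '>' and '<').
POSTED = ("756e6573636170652822(253636|66)(253735|75)(25363e|6e)(253633|63)"
          "*(253237|27)(253237|27)(25323c|2c)??(25323c|2c)??(25323c|2c)??(25323c|2c)")
FIXED = POSTED.replace("25363e", "253665").replace("25323c", "253263")

# Tokens of the ndb hex syntax used here: (aa|bbbb) alternatives, * (any run
# of bytes), ?? (exactly one byte) and plain hex pairs.
TOKEN = re.compile(r"\(([0-9a-fA-F|]+)\)|\*|\?\?|([0-9a-fA-F]{2})")

def hexsig_to_regex(body: str) -> re.Pattern:
    """Translate the ClamAV hex-signature subset above into a bytes regex."""
    parts, pos = [], 0
    for m in TOKEN.finditer(body):
        if m.start() != pos:  # anything the tokenizer skipped is a syntax error
            raise ValueError(f"bad signature syntax near {body[pos:m.start()]!r}")
        pos = m.end()
        if m.group(1) is not None:
            alts = [re.escape(bytes.fromhex(a)) for a in m.group(1).split("|")]
            parts.append(b"(?:" + b"|".join(alts) + b")")
        elif m.group(0) == "*":
            parts.append(b".*?")
        elif m.group(0) == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes.fromhex(m.group(2))))
    if pos != len(body):
        raise ValueError(f"bad signature syntax near {body[pos:]!r}")
    return re.compile(b"".join(parts), re.DOTALL)

def matches(body: str, data: bytes) -> bool:
    """True if the signature body hits anywhere in data (like a scan of a mail)."""
    return hexsig_to_regex(body).search(data) is not None

# Constructed samples, not real Feebs code. After unescape(" the bytes may be
# %-escaped, but each ?? still has to be satisfied by one raw byte.
PLAIN = b'var s = unescape("func\'\',0,1,2,"); eval(s);'
ESCAPED = b'eval(unescape("%66%75%6e%63%74%69%6f%6e%27%27%2ca%2cb%2cc%2c"));'
UPPER = b'eval(unescape("%66%75%6E%63%27%27%2ca%2cb%2cc%2c"));'  # %6E, not %6e
BENIGN = b'document.write(unescape("Hello%20World"));'

if __name__ == "__main__":
    for name, sample in [("plain", PLAIN), ("escaped", ESCAPED),
                         ("uppercase", UPPER), ("benign", BENIGN)]:
        print(name, "posted:", matches(POSTED, sample), "fixed:", matches(FIXED, sample))
```

The regex translation is only a way to check what a body covers before putting it in local.db; clamscan against the real samples remains the authoritative test.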