I just reported sample as false-positive, which is detected as Exploit.MS04_028-4. This picture is generated by web-camera with SHA1 d7ad16339fbf5d2b193bb4df7299c6f3da20c0b8 and I do have another file, which were detected with same malware name at 2012-01-25 with SHA1 cb446b3002f39b250abb5a3eaec8e59e46b4b9e2, but it is not detected anymore by ClamAV. This web-camera is used in Tampere Finland to record city and our shell-user is using crontab to create a videos like this: http://vimeo.com/35187490
Please notify me as soon as possible if you think this is malicious file and I can try to contact web-camera owner and/or vendor. Related to this: http://technet.microsoft.com/en-us/security/bulletin/ms04-028 If you know similar cases, have/need more information about this or want the samples please contact me. I am happy to help! Using ClamAV 0.97.3/14426/Fri Feb 10 07:15:20 2012 with signatures: ClamAV update process started at Fri Feb 10 12:57:10 2012 main.cld is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven) daily.cld is up to date (version: 14426, sigs: 91708, f-level: 63, builder: guitar) bytecode.cld is up to date (version: 167, sigs: 40, f-level: 63, builder: edwin) - Henri Salo _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
