Hello!
I submitted a false positive on Monday through both of these forms, but I haven't
received any answer so far, and the false positive is still in the databases.
http://www.clamav.net/lang/en/sendvirus/submit-fp/
http://cgi.clamav.net/sendfp.cgi
The false positive is "PHP.Shell-51", in main.cvd (currently):
# sigtool --find-sigs=PHP.Shell-51 | sigtool --decode-sigs
VIRUS NAME: PHP.Shell-51
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
jf9ypwjhc2u2nf9kzwnvzguojf9yktskx1g9c3rydhiojf9ylccxmjm0ntzhb3vpzscsj2fvdwllmtizndu2jyk7jf9spwvyzwdfcmvwbgfjzsgnx19gsuxfx18nlcinii4kx0yuiicilcrfwck7zxzhbcgkx1ipoyrfuj0woyrfwd0wow==
This signature matches the base64 code
'JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw==',
which seems to be a generic encryption function:
# ../b64z.py -de
'JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='
$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);eval($_R);$_R=0;$_X=0;
And that code is used by regular PHP tools, like one named "Picasa Virtual
Album": http://virtualdesigners.co.uk/projects/wb-extensions/@picasa-album/
Could you please remove that false positive, and send me the right URL to
submit false positives next time :)?
Best regards,
--
Siméon Gourlin
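An added Python check (not part of the message, and not ClamAV code) that reproduces what the two command outputs above show: the sigtool "DECODED SIGNATURE" is the quoted base64 loader string folded to lowercase, which is what ClamAV's HTML target normalisation produces before matching, and base64-decoding that string yields the one-line PHP loader. The sample PHP file at the end is constructed for the demonstration.

```python
import base64

# Base64 loader text quoted in the message (copied from the page, split for width).
LOADER_B64 = (
    "JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScs"
    "J2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7"
    "ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=="
)

# The DECODED SIGNATURE line that sigtool printed for PHP.Shell-51 (from the page).
DECODED_SIG = (
    "jf9ypwjhc2u2nf9kzwnvzguojf9yktskx1g9c3rydhiojf9ylccxmjm0ntzhb3vpzscs"
    "j2fvdwllmtizndu2jyk7jf9spwvyzwdfcmvwbgfjzsgnx19gsuxfx18nlcinii4kx0yuiicilcrfwck7"
    "zxzhbcgkx1ipoyrfuj0woyrfwd0wow=="
)

# Constructed sample: a harmless "album" script that ships the same loader line.
SAMPLE_PHP = "<?php\n// photo album bootstrap\n$_F=__FILE__;$_X='" + LOADER_B64 + "';\n"


def decode_loader(blob: str) -> str:
    """Base64-decode the blob; this is the `b64z.py -de` step from the message."""
    return base64.b64decode(blob).decode("ascii")


def is_html_normalised(sig: str, blob: str) -> bool:
    """A TARGET TYPE HTML signature body is the original text with every letter
    lowercased (ClamAV's HTML normaliser does that), so the two should be equal."""
    return sig == blob.lower()


def signature_hits(text: str, sig: str = DECODED_SIG) -> bool:
    """Approximate how PHP.Shell-51 matches: lowercase the scanned text and look
    for the normalised signature body anywhere in it (OFFSET: *)."""
    return sig in text.lower()


if __name__ == "__main__":
    print("signature == lowercased blob:", is_html_normalised(DECODED_SIG, LOADER_B64))
    print("decoded loader:", decode_loader(LOADER_B64))
    print("sample album script would hit:", signature_hits(SAMPLE_PHP))
```

Because the match is on the encoded loader text itself, any tool that embeds this common obfuscation stub triggers the signature, which is exactly why a legitimate album plugin is flagged.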