On Sun, Jun 22, 2014 at 10:01 AM, Alex wrote:
> On Sat, Jun 21, 2014 at 2:43 PM, Steve Basford
> <steveb_cla...@sanesecurity.com> wrote:
>> On Sat, June 21, 2014 2:00 pm, Alex wrote:
>>> Hi,
>>> I'm using clamav-0.98.4 on fedora20 with the sanesecurity and
>>> safebrowsing sigs and still seeing an unknown virus pass through our
>>> systems. I've submitted it to the clamav false-negative upload, but
>>> haven't received a response, and 24hrs later it's still not being
>>> tagged. I was hoping someone could help me identify it and determine
>>> the risk.
>>
>> Just seen the sample posted and it's an interesting one.
>>
>> Detection added, in both rogue.hdb and also mainly, phish.ndb.
>
> Okay, great, thanks. Can you describe the risk for me? What does it do, and
> what's necessary for the user to do to become infected? It appears to be a
> rogue link phishing attack? So it requires the user to open the Word doc
> then click the link, correct?
>
> Can it somehow infect the user's PC just by opening, or must they click the
> link and fall victim to the phishing attack to be affected?

Those are not questions this list would normally know much about.

I took the liberty of submitting your file to VirusTotal and see that 15 of the 53 scanners there identify it as malware:
<https://www.virustotal.com/en/file/0526a70f51bfca0df9b01684fb5cb93519a784b0484283a1bec218279bc1b4ce/analysis/1403470020/>.

If you visit the site of some of those scanners with the infection name they use, you might find the information you are looking for.

-Al-
--
Al Varnell
Mountain View, CA
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml