I have recently run into a large number of emails getting past my
employer's email filtering: all zip files with executables inside, and
all malicious. We've submitted the samples to the ClamAV submission
form and to virustotal.com; when first submitted to virustotal.com, very
few engines (as few as 2) detected these files.
It's been a few days now, and ClamAV still doesn't detect our first
submission. Does it simply take longer, or is something else going on?
None of the samples look similar to me, aside from the fact of how they
are transmitted, and they all seem to start sending emails once they
infect a machine. I would love to know how they are related.
md5sum:
sha256sum:
One of the samples was detected by 3rd party definitions:
5crispian.zip: Sanesecurity.Malware.8538.UNOFFICIAL FOUND
Thanks
Fred
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml