The file is the classic "FilesMan" backdoor. It's been around for a while. I always look at VT for anything suspicious, but I just re-ran it through. 15 out of 54 AVs surveyed find it stinky. Here's the link:

https://www.virustotal.com/en/file/6e709d5679eac7c8d844f849b0c6e95f4b3f8b716fbae4c27037b760754152bf/analysis/1450059899/

Interestingly, whatever version of ClamAV they use also detects it. I suspect they are using Windows since most of the other engines they use are also Windows. I'm interested enough now to compile ClamAV in Cygwin for myself and see what's going on.

Kurt.

On 2015-12-13 22:22, Al Varnell wrote:
> I didn't expect the test signature to be successful as my understanding of
> the way the scanner works requires an exact match to the ASCII string. My
> familiarity is with ClamXav for OS X which uses an unmatched version of the
> UNIX ClamAV engine and have no idea what ClamWin uses that might cause
> different results. Certainly appears that a bug report is in order for either
> ClamAV or perhaps ClamWin. I understand you are certain that what you have is
> malware, but there is no guarantee that ClamAV signatures detect it, so this
> could currently be a false positive of that specific infection name. Try
> submitting it to http://www.virustotal.com [1] to see what other scanners
> have to say. Let us know what the analysis link is.
>
> As far as submitting to Cisco/ClamAV I think you should wait until we hear
> from them. They can always get it from VirusTotal, but they may have
> provisions to allow attachment to a bug report.
>
> Sent from Janet's iPad
>
> -Al-
>
> On Dec 13, 2015, at 4:27 PM, Kurt Fitzner wrote:
> Just got home and was able to test. Test signature from Steve fails to
> detect on both Linux and Windows. Tested on Linux with 0.98.7 supplied
> Debian binaries, and 0.99 binary compiled by myself. Tested in Windows
> with ClamWin supplied binary.
>
> Should I submit my copy of the malware somewhere to aid with testing?
>
> Kurt
>
> On 2015-12-13 20:00, Al Varnell wrote:
> > I would want to know the results of using the test signature on both systems
> > first, and file a bug report if it turns out to be a ClamAV problem.
> >
> > Sent from Janet's iPad
> >
> > -Al-
> >
> > On Dec 13, 2015, at 11:49 AM, Kurt Fitzner wrote:
> > The question remains as to why the signature correctly leads to a match in
> > Windows but not Linux. If carriage return linefeed handling differences
> > between the two OSes are to blame, then I suggest a two-pronged approach.
> > Correct the signatures, AND patch clamav so that the signatures as written
> > are processed the same way. Even if they are suboptimal signatures, I'd
> > suggest they should be processed the same way on all platforms.
> >
> > That's a lot of signatures that may not be working. Perhaps I'm stating the
> > obvious, but if CR/LF are involved, it means these are likely scripts and
> > such... just the kind of signatures that would be important to catch in Linux.
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq [2]
> http://www.clamav.net/contact.html#ml [3]

-- 
YOU DON'T KNOW THE QSO OF THE DARK SIDE!

Links:
------
[1] http://www.virustotal.com
[2] https://github.com/vrtadmin/clamav-faq
[3] http://www.clamav.net/contact.html#ml
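The line-ending question raised in the quoted thread (an exact-match ASCII signature that fires on Windows but not on Linux) can be reproduced with a small, self-contained matcher. This is an added example, not code from the thread or from the ClamAV project: it re-implements only a documented subset of the `.ndb` hex-signature syntax (hex byte pairs, `??`, `*`, `{n-m}`) on top of Python regexes, does no content normalization, and so stands in for ClamAV's engine only far enough to show why a signature that embeds a bare `0a` byte is sensitive to CRLF versus LF. The sample script text, the signature names and the `{0-2}` gap form are constructed for the demonstration.

```python
import re

# Constructed two-line sample, once with LF and once with CRLF endings.
SAMPLE_LF = b"#!/bin/sh\necho sample-marker\n"
SAMPLE_CRLF = SAMPLE_LF.replace(b"\n", b"\r\n")

# Tokens of the hex-signature subset handled here: {n-m} gap, * any-length
# gap, ?? single-byte wildcard, or one literal hex byte.
_TOKEN = re.compile(r"\{(\d+)-(\d+)\}|\*|\?\?|[0-9a-fA-F]{2}")


def hexsig_to_regex(hexsig: str) -> re.Pattern:
    """Translate a hex signature body into a compiled bytes regex.

    Assumption: only the subset listed in _TOKEN is supported; this is a
    toy re-implementation, not ClamAV's matcher, and it performs no
    line-ending or whitespace normalization on the scanned content.
    """
    parts = []
    pos = 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError(f"unsupported signature syntax at {pos}: {hexsig!r}")
        pos = m.end()
        tok = m.group(0)
        if tok == "*":
            parts.append(b".*?")                     # any number of bytes
        elif tok == "??":
            parts.append(b".")                       # exactly one byte
        elif m.group(1) is not None:
            lo, hi = int(m.group(1)), int(m.group(2))
            parts.append(b".{%d,%d}" % (lo, hi))     # between lo and hi bytes
        else:
            parts.append(re.escape(bytes.fromhex(tok)))  # literal byte
    if pos != len(hexsig):
        raise ValueError(f"trailing garbage in signature: {hexsig!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def parse_ndb(line: str):
    """Split an .ndb line 'Name:TargetType:Offset:HexSig' into (name, regex).

    Target type and offset are parsed but ignored by this toy scanner.
    """
    name, _target, _offset, hexsig = line.strip().split(":", 3)
    return name, hexsig_to_regex(hexsig)


def scan(data: bytes, ndb_lines) -> list:
    """Return the names of every signature in ndb_lines that matches data."""
    hits = []
    for line in ndb_lines:
        name, rx = parse_ndb(line)
        if rx.search(data):
            hits.append(name)
    return hits


def ascii_sig(name: str, text: str) -> str:
    """Build an .ndb line whose body is the exact ASCII bytes of text."""
    return f"{name}:0:*:{text.encode().hex()}"


# A signature taken verbatim from an LF-terminated sample embeds the 0a byte.
SIG_EXACT = ascii_sig("Test.Exact.LF", "#!/bin/sh\necho sample-marker")

# Ending-agnostic form: a short gap where the line break sits, so one or two
# bytes (LF, or CR LF) are accepted between the two literal runs.
SIG_GAP = (
    "Test.Gap:0:*:"
    + "#!/bin/sh".encode().hex()
    + "{0-2}"
    + "echo sample-marker".encode().hex()
)


def demo() -> dict:
    """Scan both copies of the sample with both signatures."""
    sigs = [SIG_EXACT, SIG_GAP]
    return {"LF": scan(SAMPLE_LF, sigs), "CRLF": scan(SAMPLE_CRLF, sigs)}


if __name__ == "__main__":
    for ending, hits in demo().items():
        print(f"{ending:4} -> {hits}")
```

Running it shows `Test.Exact.LF` firing only on the LF copy while `Test.Gap` fires on both. The practical check when a real signature shows the same asymmetry is to hexdump the sample as it exists on each platform and look for `0d 0a` at the positions where the signature carries a bare `0a`; that separates a line-ending difference in the sample from a difference in the engine.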