On Wed, 22 Mar 2017, Hajo Locke wrote:

> Thank you Steve. I could find the lines and removed them. How could you decode
> this signature?


~$ sigtool --find-sigs Html.Phishing.Auction-214 | sigtool --decode-sigs
VIRUS NAME: Html.Phishing.Auction-214
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
sein, weil sie [... snipped ...] aktualisiert wurde

> Especially interesting is that the virus was found in the complete SQL file but
> not in the split subfiles. Maybe the target type is ignored at filesize x?
> The complete SQL file is 4.6 MB.

I guess that the string that was looked for spanned a subfile boundary
and was split over two subfiles.


Regards,

Kees.

-- 
Kees Theunissen, System and network administrator,   Tel: 040-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:    c.j.theunis...@differ.nl
postal address:    Postbus 6336, 5600 HH, Eindhoven
visiting address:  De Zaale 20, 5612 AJ, Eindhoven

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
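
The boundary effect described in the reply above, as an added example that is not part of the original thread and is not ClamAV's matching code: a pattern found in the whole file is missed in every piece when a split point falls inside it, and is found again when each piece overlaps the next by the pattern length minus one. Assumptions: the signature is modelled as one fixed byte string (PATTERN is a constructed stand-in, not the real signature content), and the dump, chunk size and function names are constructed for illustration.

```python
# Constructed sample data: a tiny "SQL dump" with one marker string in it.
PATTERN = b"EXAMPLE-PHISHING-PHRASE"           # stand-in for the decoded signature
ROW = b"INSERT INTO t VALUES (1);\n"           # 26 bytes of filler per row
DUMP = ROW * 3 + PATTERN + b"\n" + ROW * 3     # marker occupies bytes 78..100
CHUNK = 90                                     # split size; boundary at byte 90


def split_plain(data: bytes, size: int) -> list[bytes]:
    """Cut data into consecutive pieces of at most `size` bytes."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def split_overlapping(data: bytes, size: int, pattern_len: int) -> list[bytes]:
    """Same cut points, but each piece also carries the first
    pattern_len - 1 bytes of the following piece, so a match of that
    length can no longer be divided between two pieces."""
    overlap = pattern_len - 1
    return [data[i:i + size + overlap] for i in range(0, len(data), size)]


def chunks_matching(chunks: list[bytes], pattern: bytes) -> list[int]:
    """Indexes of the pieces that contain the complete pattern."""
    return [n for n, chunk in enumerate(chunks) if pattern in chunk]


def straddled_boundaries(data: bytes, pattern: bytes, size: int) -> list[int]:
    """Split offsets that fall strictly inside an occurrence of pattern."""
    hits = []
    start = data.find(pattern)
    while start != -1:
        end = start + len(pattern)
        boundary = (start // size + 1) * size  # first cut point after start
        if boundary < end:
            hits.append(boundary)
        start = data.find(pattern, start + 1)
    return hits


if __name__ == "__main__":
    print("whole file matches:  ", PATTERN in DUMP)
    print("plain pieces:        ", chunks_matching(split_plain(DUMP, CHUNK), PATTERN))
    print("overlapping pieces:  ",
          chunks_matching(split_overlapping(DUMP, CHUNK, len(PATTERN)), PATTERN))
    print("boundary inside hit: ", straddled_boundaries(DUMP, PATTERN, CHUNK))
```

When a full-file hit disappears after splitting, `straddled_boundaries` on the original file shows whether a cut point landed inside the matched string.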
