That signature has been in the ClamAV daily.ldb database since Jan 15 and appears to be looking for some relatively unique strings:
% sigtool -fWin.Malware.Generic-9819492-0|sigtool --decode-sigs
VIRUS NAME: Win.Malware.Generic-9819492-0
TDB: Engine:81-255,Target:1
LOGICAL EXPRESSION: 0&1&2&3&4
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
*Unable to get a list of running processes.
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
api-ms-win-core-synch-l1-2-0.dll
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
internal error: invalid forward reference offset
 * SUBSIG ID 4
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.

-Al-

> On Apr 8, 2021, at 03:24, Arnaud Jacques <webmas...@securiteinfo.com> wrote:
>
> Hello,
>
> At first look, ClamAV is not the only one that flags it as malware:
>
> https://www.virustotal.com/gui/file/071921ede559082a14d54ba7f7f5cea2f6abced8f1747b245efff5d092a1aae4/detection
>
> On 08/04/2021 at 11:41, Eero Volotinen wrote:
>> Thanks. I submitted files via that URL.
>>
>> clamscan Vistumbler_v1*
>> /root/Vistumbler_v10-7.exe: OK
>> /root/Vistumbler_v10-7_Portable.zip: Win.Malware.Generic-9819492-0 FOUND
>> /root/Vistumbler_v10-7.zip: Win.Malware.Generic-9819492-0 FOUND
>>
>> So, looks like this is a false positive on vistumbler..
>>
>> Eero
>>
>> On Thu, Apr 8, 2021 at 5:03 AM Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:
>>
>> Without knowing the name of the infection I can't provide even a guess as to whether it is or not, but the exact answer to your question is for you to report it by filling out the form found @ https://www.clamav.net/reports/fp including the file itself.
>>
>> Sent from my iPad
>>
>> -Al-
>>
>> On Apr 7, 2021, at 18:03, Eero Volotinen <eero.voloti...@iki.fi> wrote:
>>>
>>> https://raw.github.com/acalcutt/Releases/master/Vistumbler/VistumblerMDB/v10/Vistumbler_v10-7.exe
>>>
>>> Looks like this (vistumbler) is detected as a false positive.
>>>
>>> How to fix this?
>>>
>>> Eero
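The decoded signature above is a ClamAV logical (.ldb) signature: five hex-encoded subsignatures, four of them flagged WIDE (matched as UTF-16LE), combined by the expression 0&1&2&3&4, so the file is flagged only when every one of those strings is present. The following Python is an added example written for this thread, not code from the ClamAV project or from anyone on the list. It parses an .ldb line, applies the ::w and ::i modifiers, evaluates the logical expression over a buffer, and shows the signature firing on a constructed buffer that carries all five strings and staying quiet on one that carries only three. The subsignature bytes are reconstructed from the sigtool output in the thread, not copied from daily.ldb (the real line may contain offsets or wildcards that the decode does not show); the function names, the sample buffers, and the simplifications noted in the docstring (offsets treated as ANY, no ?? wildcards, & binding tighter than |, count comparisons on single subsignature ids only) are this example's own assumptions.

```python
"""Minimal evaluator for ClamAV logical (.ldb) signatures (added example).

Not ClamAV code. Limits of this example, not of ClamAV: offsets are
treated as ANY, ``??`` wildcards are unsupported, ``&`` binds tighter
than ``|``, and ``N=c`` / ``N>c`` / ``N<c`` apply to single subsig ids.
"""
import re


def parse_ldb(line):
    """Split one .ldb line: name;TDB;logical-expr;subsig[;subsig...]."""
    fields = line.rstrip("\n").split(";")
    if len(fields) < 4:
        raise ValueError("ldb line needs name;tdb;expr;subsig[;subsig...]")
    name, tdb, expr, *subsigs = fields
    tdb_dict = dict(kv.split(":", 1) for kv in tdb.split(",") if kv)
    parsed = []
    for sub in subsigs:
        hexpart, _, mods = sub.partition("::")       # "hex::modifiers"
        if ":" in hexpart:                            # "Offset:hex"; offset ignored here
            hexpart = hexpart.split(":", 1)[1]
        parsed.append({"raw": bytes.fromhex(hexpart),
                       "wide": "w" in mods, "nocase": "i" in mods})
    return {"name": name, "tdb": tdb_dict, "expr": expr, "subsigs": parsed}


def needle(sub):
    """Bytes actually searched for after applying SIGMOD (WIDE = UTF-16LE)."""
    pat = sub["raw"]
    if sub["wide"]:
        pat = pat.decode("latin-1").encode("utf-16-le")
    return pat


def count_hits(sub, data):
    """Number of (non-overlapping) occurrences of one subsignature in data."""
    pat, hay = needle(sub), data
    if sub["nocase"]:
        pat, hay = pat.lower(), hay.lower()
    return hay.count(pat)


class _LogicalExpr:
    """Recursive-descent evaluator for the LOGICAL EXPRESSION field."""

    def __init__(self, expr, counts):
        self.toks = re.findall(r"\d+|[&|()=<>]", expr)
        self.pos, self.counts = 0, counts

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def evaluate(self):
        result = self._or()
        if self._peek() is not None:
            raise ValueError("trailing tokens in logical expression")
        return result

    def _or(self):
        result = self._and()
        while self._peek() == "|":
            self._take()
            rhs = self._and()
            result = result or rhs
        return result

    def _and(self):
        result = self._atom()
        while self._peek() == "&":
            self._take()
            rhs = self._atom()
            result = result and rhs
        return result

    def _atom(self):
        tok = self._take()
        if tok == "(":
            result = self._or()
            if self._take() != ")":
                raise ValueError("expected ')'")
            return result
        if tok is None or not tok.isdigit():
            raise ValueError(f"unexpected token {tok!r}")
        count = self.counts[int(tok)]
        if self._peek() in ("=", "<", ">"):           # match-count comparison
            op, n = self._take(), int(self._take())
            return {"=": count == n, "<": count < n, ">": count > n}[op]
        return count > 0                              # plain id: matched at least once


def scan(sig, data):
    """Return (matched, per-subsignature hit counts) for one signature."""
    counts = [count_hits(sub, data) for sub in sig["subsigs"]]
    return _LogicalExpr(sig["expr"], counts).evaluate(), counts


def make_ldb_line(name, tdb, expr, subsigs):
    """Hex-encode (bytes, modifiers) pairs into an .ldb line."""
    return ";".join([name, tdb, expr] +
                    [raw.hex() + ("::" + mods if mods else "") for raw, mods in subsigs])


# Reconstructed from the decoded sigtool output in the thread, NOT copied from daily.ldb.
VISTUMBLER_SUBSIGS = [
    (b"*Unable to get a list of running processes.", "w"),
    (b'0Expected a "=" operator in assignment statement.'
     b"*Invalid keyword at the start of this line.", "w"),
    (b"api-ms-win-core-synch-l1-2-0.dll", "w"),
    (b"internal error: invalid forward reference offset", ""),
    (b"Error parsing function call.0Incorrect number of parameters in "
     b"function call.'\"ReDim\" used without an array variable.", "w"),
]
SAMPLE_SIG_LINE = make_ldb_line("Win.Malware.Generic-9819492-0",
                                "Engine:81-255,Target:1", "0&1&2&3&4", VISTUMBLER_SUBSIGS)


def build_sample(subsigs):
    """Constructed stand-in for a PE body carrying the given strings (not a real file)."""
    buf = bytearray(b"MZ" + b"\x00" * 62)
    for raw, mods in subsigs:
        buf += (raw.decode("latin-1").encode("utf-16-le") if "w" in mods else raw)
        buf += b"\x00" * 8
    return bytes(buf)


SAMPLE_ALL = build_sample(VISTUMBLER_SUBSIGS)          # all five strings: signature fires
SAMPLE_PARTIAL = build_sample(VISTUMBLER_SUBSIGS[:3])  # subsigs 3 and 4 absent: clean

if __name__ == "__main__":
    sig = parse_ldb(SAMPLE_SIG_LINE)
    for label, data in (("all five strings", SAMPLE_ALL), ("three strings", SAMPLE_PARTIAL)):
        matched, counts = scan(sig, data)
        print(f"{label}: {'FOUND' if matched else 'OK'} counts={counts}")
```

Because the expression is a pure AND, removing any single string from the buffer clears the detection, which is why a false positive on a packager or runtime that ships all five strings is hard to tune away without adding a subsignature that is specific to the malware; the same decode Al ran (sigtool --decode-sigs) is the quickest way to see which strings a signature actually depends on before filing the FP report.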
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml