s: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> I/O buffer size: 131072 bytes
> Time: 30.744 sec (0 m 30 s)
>
> Please run freshclam and try again.
>
Please note that your clamscan only knows 9902 viruses (I guess it
should be you who upgrades the DB).
vd is up to date (version: 72, sigs: 146, f-level: 1, builder:
ddm)
Any DB maintainers who want to take a look at the original: this is
submission 412.
Best regards,
Diego d'Ambra
smime.p7s
Description: S/MIME cryptographic signature
virus: Worm.Mimail.J
The virus Mimail.P looks and behaves almost like Worm.Mimail.J. When we
received the first copy of Worm.Mimail.P, we actually named it
Worm.Mimail.J, thinking it was some sort of variant. Later, when other
av-scanners started to detect it, the name for this variant was changed
to Worm.M
.Mydoom.a
Dr. Web - 27.01. 03:40 - Win32.HLLM.Foo.32768
Panda (BETA) - 27.01. 04:10 - W32/Mydoom.A.worm
McAfee - 27.01. 05:00 - W32/[EMAIL PROTECTED]
Quickheal - 27.01. 05:00 - W32.Novarg
Bitdefender - 27.01. 05:00 - [EMAIL PROTECTED]
Panda - 27.01. 05:10 - W32/Mydoom.A.worm
Ikarus - 27.01.
a
> signing server, since I presumably don't have access to one?
>
You don't need to sign your DB (and convert it to CVD). Just drop your
.db file in the directory where you normally store the CVD files and
reload clamd if used.
Best regards,
Diego d'Ambra
e already in contact with Andreas Marx from AV-Test.org. They're
tracking ClamAV's response time, but currently I'm not allowed to publish
their results :-(
You can read their first test result at
http://www.pcwelt.de/news/viren_bugs/37827/2.html (or
http://www.av-test.org).
Bes
le-F or Bagle-H zip attachment (Worm.Bagle.F-zippwd).
So you should also allow ClamAV to scan the e-mail.
BTW: I'm currently working on adding a second signature that will detect
a variant of these e-mails.
Best regards,
Diego d'Ambra
really easy ways for the virus writer to
> circumvent this type of check but until they start utilizing such
> strategies, is it possible to include the zip's crc into ClamAV's
sigs?
>
From the (unzipped) samples I've access to they differ in size, so MD5
or other
Hello Community,
We suspect that ClamAV is missing a signature against Welchia.B
(Nachi.B). If someone has a sample please submit it through
http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi
Thanks in advance...
Best regards,
Diego d'Ambra
ttp://clamav.sourceforge.net/cgi-bin/sendvirus.cgi
Best regards,
Diego d'Ambra
crack, so it is doable (although it takes time)...
>
Since you know what the extracted content would be, you should be able
to "cut some BIG corners" instead of a full brute-force-crack.
Best regards,
Diego d'Ambra
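The two points raised above (using the zip's CRC as signature material, and not needing a full brute force when the extracted content is already known) both rest on one property of PKWARE's traditional zip encryption: the central directory, including each entry's name, sizes and the CRC-32 of the plaintext, is stored in the clear. The following Python is an added example, not code from this list or from ClamAV. It builds a small ZipCrypto-encrypted archive in memory and then reads those fields back without the password; the file name `pics.exe`, the payload bytes, the password and the helper names (`build_encrypted_zip`, `fingerprint`, `matches`, `extract`) are all constructed here.

```python
"""Fingerprint a password-protected ZIP without the password.

Added example; not ClamAV code and not code from this list. It builds a
ZipCrypto-encrypted archive in memory (name, payload and password are
constructed below), then reads the central directory: entry name, sizes and
the CRC-32 of the *plaintext* are stored unencrypted, so a known zipped
payload can be matched without opening the archive.
"""
import io
import os
import struct
import zipfile
import zlib

# Constructed stand-in for a worm body (not real malware).
PAYLOAD = b"MZ" + b"\x90" * 64 + b"constructed sample payload"
PAYLOAD_CRC = zlib.crc32(PAYLOAD) & 0xFFFFFFFF
NAME, PASSWORD = b"pics.exe", b"12345"


def _crc_step(crc, byte):
    # PKWARE's traditional cipher uses the raw CRC-32 table step; zlib.crc32
    # pre- and post-inverts, so invert on both sides to recover the raw form.
    return (~zlib.crc32(bytes([byte]), (~crc) & 0xFFFFFFFF)) & 0xFFFFFFFF


class ZipCrypto:
    """PKWARE traditional ("ZipCrypto") stream cipher, encrypt direction."""

    def __init__(self, password):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for c in password:
            self._update(c)

    def _update(self, c):
        k = self.k
        k[0] = _crc_step(k[0], c)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc_step(k[2], k[1] >> 24)

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the key schedule advances on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name, payload, password):
    """One stored (uncompressed) entry with general-purpose flag bit 0 set."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes plus the CRC's high byte,
    # which is the value a decryptor checks the password against.
    body = ZipCrypto(password).encrypt(os.urandom(11) + bytes([crc >> 24]) + payload)
    flags, method, dtime, ddate = 0x0001, 0, 0, 0x0021  # encrypted, stored, 1980-01-01
    local = struct.pack("<4s2B4HL2L2H", b"PK\x03\x04", 20, 0, flags, method,
                        dtime, ddate, crc, len(body), len(payload), len(name), 0)
    central = struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0, flags,
                          method, dtime, ddate, crc, len(body), len(payload),
                          len(name), 0, 0, 0, 0, 0, 0)
    cd = central + name
    cd_offset = len(local) + len(name) + len(body)
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1, len(cd), cd_offset, 0)
    return local + name + body + cd + eocd


def fingerprint(archive):
    """(name, uncompressed size, plaintext CRC-32, encrypted?) for each entry,
    taken from the central directory; no password is involved."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [(i.filename, i.file_size, i.CRC, bool(i.flag_bits & 1))
                for i in zf.infolist()]


def matches(archive, sig_name, sig_size, sig_crc):
    """A signature in the spirit of the thread: name, size and CRC-32 of the
    known payload. Size alone is weak (variants differ); the CRC pins the bytes."""
    return any(n == sig_name and s == sig_size and c == sig_crc
               for n, s, c, _ in fingerprint(archive))


def extract(archive, name, password):
    """Cross-check: the standard library decrypts what was built above."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name, pwd=password)


if __name__ == "__main__":
    zipped = build_encrypted_zip(NAME, PAYLOAD, PASSWORD)
    print(fingerprint(zipped))
    print(matches(zipped, "pics.exe", len(PAYLOAD), PAYLOAD_CRC))
    assert extract(zipped, "pics.exe", PASSWORD) == PAYLOAD
```

The same CRC-32 and the 12-byte header's check byte are what a known-plaintext attack on this cipher keys on, which is the corner-cutting the reply refers to; the example stops at reading the metadata and does not recover keys. A signature built this way is only as good as the worm's habit of shipping byte-identical payloads under the same name, which is the weakness the original question already anticipated.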
e.F-zippwd-x detects e-mails infected with password
protected zip files and it also detects some of the later variants.
Best regards,
Diego d'Ambra
be doing wrong, or are you simply using the msg
text
> contents?
>
The signature matches text found in the body of the e-mail and the first
and last part of the zip attachment (so you can say it's a combination).
Best regards,
Diego d'Ambra
2004, Tomasz Kojm wrote:
>
> > Also I think, the real ClamAV hero is Diego d'Ambra who spent the
whole
> > day yesterday providing an instant protection against the latest
> > threats.
>
> Indeed. Diego, thank you very much.
>
You're welcome :-)
I don'
ble to tell why the --mbox option didn't detect the virus. Your
sample has been forwarded to Nigel, so I expect he will have more
details.
Best regards,
Diego d'Ambra
x27;t
detected with the --mbox option I suggest that you contact Nigel and let
him have a look at them.
Best regards,
Diego d'Ambra
ou should go after:
---snip---
http://IP_ADDR:81/NUMBERS.php";>
---snip---
IP_ADDR = an IP address
NUMBERS = variable length of numbers from 0-9
Line breaks = CR/LF (hex: 0x0D 0x0A)
And there will probably also be some HTML tags around this.
Last resort would be to prevent users a
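A matcher for the URL shape described above, as an added example that is not code from the list or from ClamAV: it keys on the `http://<IPv4>:81/<digits>.php` part alone, since the surrounding HTML is not given, works on bytes so CR/LF bodies need no normalisation, and rejects dotted quads with out-of-range octets. The sample body it scans is constructed here using RFC 5737 test addresses, and the `hosts_to_block` helper is this example's own idea of what to do with the hits.

```python
"""Find http://<IPv4>:81/<digits>.php download URLs in an e-mail body.

Added example, not code from the list. Only the URL shape is known, so the
match keys on it alone and ignores whatever HTML surrounds it. Bodies are
handled as bytes, so CR/LF (0x0D 0x0A) line endings need no normalisation.
"""
import re

URL_RE = re.compile(
    rb"http://(?P<ip>(?:\d{1,3}\.){3}\d{1,3}):81/(?P<num>[0-9]+)\.php\b"
)

# Constructed sample body using RFC 5737 test addresses: two real hits, one
# "address" with an impossible octet, one URL on the wrong port.
SAMPLE_BODY = (
    b"<html><body>\r\n"
    b'<iframe src="http://192.0.2.10:81/4823.php" width=0 height=0></iframe>\r\n'
    b'http://198.51.100.7:81/90210.php";>\r\n'
    b'<a href="http://999.1.1.1:81/77.php">not an address</a>\r\n'
    b'<a href="http://192.0.2.10:80/4823.php">wrong port</a>\r\n'
    b"</body></html>\r\n"
)


def valid_ipv4(ip):
    """\\d{1,3} also admits 256..999; keep only real dotted quads."""
    return all(0 <= int(o) <= 255 for o in ip.split(b"."))


def find_download_urls(body):
    """(ip, filename) for every matching URL, in order of appearance."""
    hits = []
    for m in URL_RE.finditer(body):
        if valid_ipv4(m.group("ip")):
            hits.append((m.group("ip").decode(), m.group("num").decode() + ".php"))
    return hits


def hosts_to_block(body):
    """Distinct IPs from the hits; usable as an outbound block list."""
    return sorted({ip for ip, _ in find_download_urls(body)})


if __name__ == "__main__":
    print(find_download_urls(SAMPLE_BODY))
    print(hosts_to_block(SAMPLE_BODY))
```

Matching on the URL rather than on the tags around it is deliberate: the post only vouches for the address, port and numeric file name, and the HTML wrapper is the part most likely to change between variants.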
up with the idea for a general tag added to the clamav
> virus names for viruses that fake the sender?
>
Actually we agreed on adding @smm (Spoofed Mass Mailer) to virus names,
but unfortunately we haven't started to use it (yet).
Best regards,
Diego d'Ambra
netsky is Worm.SomeFool, then why is it not labeled as
Worm.SomeFool?
>
> But when something is this much of a phenomenon, why not just change
the
> name? I know it's been done for other worms in the past.
>
And that is what we'll (try to) do in the future (if a comm
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:clamav-users-
> [EMAIL PROTECTED] On Behalf Of Peter Bonivart
> Sent: 6. april 2004 22:12
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Virus Names
>
> Diego d'Ambra wrote:
> > And that is w
the
naming of new viruses. ClamAV calls this family Nyxem (the name used by
Kaspersky).
Signature added through daily.cvd version 264 (ref. update announcement
for further details).
Best regards,
Diego d'Ambra
this is not the case...
But if you (or anyone else) has a sample please submit them (for variant
B, C & D).
Thanks in advance.
Best regards,
Diego d'Ambra
"copy to clipboard" function then paste the text to
a Notepad file.
(otherwise you're welcome to submit this .msg sample directly to me).
Best regards,
Diego d'Ambra
ever recognize those ?
> Do I need to write a program to fix headers and/or parse the mbox
files
> myself
> before passing them to clam ?
>
There are many ways to do this - using the --mbox option should detect
the virus if the _full_ e-mail is scanned by ClamAV.
Otherwise I sugg
files: 1
Data scanned: 0.02 MB
I/O buffer size: 131072 bytes
Time: 1.358 sec (0 m 1 s)
---snip---
>
> Honest: I am convinced we face a bug here.
>
I'm not, but you're welcome to submit the _full_ e-mail (I suspect the
sample I'm looking at is only a partial bounced sample) :-)
Best regards,
Diego d'Ambra
ly" 566 copies (I live in UTC
+0200) - used to be around 100K per day.
I can confirm that ClamAV still contains signature matching Sober-G.
Best regards,
Diego d'Ambra
obody can answer unless you submit the file.
> >
> > http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi
> >
>
> The page didn't work : my browser says "Document contains no data"
> The other problem is that file size is 2M
>
You're welcome
ly
variants (and dropped files).
Daily 560 contained Worm.Bagle.AT
Daily 561 contained Worm.Bagle.AX (will be renamed to Worm.Bagle.AU).
Best regards,
Diego d'Ambra
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
ed on a file system (M drive on Exchange 2K, must be
enabled on Exchange 2003 http://support.microsoft.com/?id=821836).
The downside is that the message would be delivered to the mailbox
before you get a chance to scan it, so the right way to do this is
through VSAPI.
Best regards,
Diego d'
want it to detect, but I believe that categorizing samples beyond what
ClamAV offers today is too time consuming.
Best regards,
Diego d'Ambra
w message
(download from http://www.olspamcop.org).
This utility is normally used to extract emails for spam reporting, but
can similarly be used with virus samples. Use the copy function and paste
the content into, for example, Notepad or another text editor - then submit the
saved file to ClamAV.
was online (at least none
of the ones I tried).
Thanks in advance...
Best regards,
Diego d'Ambra
call it or simply by
observing the behavior (with, for example, Ethereal).
Please note that IRC malware isn't a virus, but is often used to "remote
control" the infected machine.
See http://www.clamav.net/cvdinfo.html
Best regards,
Diego d'Ambra
There are many versions of FortNight (IFrame exploits). The one you
mention is version JS.FortNight.E - this was added to the signature
database yesterday (04-june-2003 20:45).
Best regards,
Diego d'Ambra
-Original Message-
From: Fajar Arief Nugraha [mailto:[EMAIL PROTECTED]
Se
eight=3D0>
If you already reported this, I'm sure it will be added.
Best regards,
Diego d'Ambra
-Original Message-
From: Fajar Arief Nugraha [mailto:[EMAIL PROTECTED]
Sent: 5. juni 2003 11:55
To: [EMAIL PROTECTED]
Subject: Re: [clamav-users] FortNight virus
I sent it to [EMAIL PR
You must be doing something wrong. The viruses.db of June 2nd contains a
signature for "Worm.Sobig.C".
Info about your setup is needed, if more help is required.
Best regards,
Diego d'Ambra
-Original Message-
From: Ed Greenberg [mailto:[EMAIL PROTECTED]
Sent: 3. jun
Could you drop me a mail sample - I will then take a look at it. Please
upload the sample to a web-site to prevent other scanners from stopping
your mail.
Best regards,
Diego d'Ambra ([EMAIL PROTECTED])
-Original Message-
From: Fajar Arief Nugraha [mailto:[EMAIL PROTECTED]
Sent: 5.
implement this.
If this seems too difficult, I suggest you go with clamdscan.
Best regards,
Diego d'Ambra
-Original
Message-
From: Daniel Arjona
[mailto:[EMAIL PROTECTED]
Sent: 10. juni 2003 22:20
To: [EMAIL PROTECTED]
Subject: [clamav-users] clamav
install
Hi,
I didn't even know that you could download Clam there. Try this instead
http://clamav.elektrapro.com
Best regards,
Diego d'Ambra
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 10. juni 2003 23:30
To: [EMAIL PROTECTED]
Subject: [clamav-users] Wh
Yes, Clam detects Palyh (Sobig.b) and has been doing so from approx. 24 hours
after the outbreak.
It also detects the latest version of Sobig now called Sobig.C.
Best regards,
Diego d'Ambra
-Original Message-
From: Ed Greenberg [mailto:[EMAIL PROTECTED]
Sent: 3. juni 2003 02:41
To: [
not
intentionally - the test was repeated after 30 minutes.
Best regards,
Diego d'Ambra
You will find it in the same dir as the virus database
(/usr/local/share/clamav/)
Best regards,
Diego d'Ambra
-Original Message-
From: Ed Greenberg [mailto:[EMAIL PROTECTED]
Sent: 10. juni 2003 18:07
To: [EMAIL PROTECTED]
Subject: [clamav-users] mirrors.txt
Where does mirrors.txt
Hmm, here Clam has detected several JS.FortNight.E, the mentioned IFRAME
tag looks same as mine.
Are you sure you let Clam have "a go" on the e-mail? JS.FortNight.E is
not an attachment, just an IFRAME HTML tag.
Best regards,
Diego d'Ambra
-Original Message-
From: Faja
It seems that you tried to download the new db while I was uploading the new
database.
Just run freshclam again.
Best regards,
Diego d'Ambra
-Original Message-
From: Brian Read [mailto:[EMAIL PROTECTED]
Sent: 1. juli 2003 13:19
To: [EMAIL PROTECTED]
Subject: [clamav-users] checksum fa
I've not tested this yet...
Best regards,
Diego d'Ambra
-Original Message-
From: Thomas Lamy [mailto:[EMAIL PROTECTED]
Sent: 14. juli 2003 10:26
To: [EMAIL PROTECTED]
Subject: Re: [clamav-users] CAN DETECT THIS VIRUS???
Antony Stone wrote:
> On Monday 14 July 2003 8:44 am, Jord
egistry).
This looks like a false positive. If someone has a copy of the real
Elkern virus, a new signature could be created.
This mail covers submission 197.
Best regards,
Diego d'Ambra
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 14. august 2003 15:45
L PROTECTED]
Reply-To: [EMAIL PROTECTED]
X-Mailer: Sylpheed version 0.8.9
Subject: Batabo, Family sex alboum collection
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--EE1672F1842553B"
X-SoftScan-Message-ID: <[EMAIL PROTECTED]>
--- end, sample from virus.eml ---
The log you're showing is from qmail-scanner with the debug option set.
Qmail-scanner supports "silent" notifications if the virus is known to
spoof the sender address.
Best regards,
Diego d'Ambra
-Original Message-
From: Ted Fines [mailto:[EMAIL PROTECTED]
Sent: 2
my opinion - I'll have no problem in creating a
signature that stops a large part of the damaged Sobig.F.
Best regards,
Diego d'Ambra
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> Sent: 26. august 2003 05:13
> To: [EMAIL PROTECTED]
&
> -Original Message-
> From: Mark [mailto:[EMAIL PROTECTED]
> Sent: 27. august 2003 01:21
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] Proxy and Scanning?
>
>
> Is it possible to scan the traffic (via plug in or so) with
> SQUID or an SOCKS-Proxy (like Dante)? If not: Feature Reque
/cgi-bin/sendvirus.cgi - don't worry about
extracting the attachment. It will then be reviewed by the signature
maintainers. Once the DB is updated you can read what happened with your
submission.
Best regards,
Diego d'Ambra
r a virus scanner that is
"stripping" the offending part in an infected e-mail passing through it.
Since the binary is completely missing it's difficult to create a
signature that will catch the "damaged" versions of Gibe.F.
Best regards,
Diego d'Ambra
> --
> Noel Jones
>
A signature that detects damaged e-mails containing only a part of the
Worm.Gibe.F has now been added to the DB. The signature is matching a
part of the text and multiple parts of the images embedded in e-mails
sent by Gibe.F.
Best regards,
Diego d'Ambra
the case of Gibe.F it was necessary to collect enough samples to
understand what was common between them. Because it is uncertain if the
person behind Gibe.F copied the embedded images from Microsoft, it
wasn't an option only to use these.
Best regards,
Diego d'Ambra
ce Squid alone isn't enough.
There might be other solutions that are better, but I haven't tried them -
for example DansGuardian (http://www.pcxperience.org/dgvirus)
Please note that scanning a proxy session is quite different from
scanning an e-mail.
Best regards,
Diego d'Ambra
ote:
> >> Report: ClamAV: 21c6fdc8.su2 contains Exploit.IFrame.Gen
> > clamav.net -> database link
>
> my virus scanner did not save virus :/, should i try to make a redo ?
>
It would be very useful to have a sample of
e DB files you don't
like ClamAV to detect.
Best regards,
Diego d'Ambra
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:clamav-users-
> [EMAIL PROTECTED] On Behalf Of lists
> Sent: 22. oktober 2003 09:52
> To: [EMAIL PROTECTED]
> Subject: [Clamav-user
'yaha','braid','nimda','tanatos','sobig','winevar','IFRMEXP','ganda','fizzer','palyh','trojan.win32.dia','dumaru','gibe','swen');
Once your server finds a virus run
at
http://clamav.sourceforge.net/doc/clamd_supervised/clamd-daemontools-gui
de.txt
This will allow you to "monitor" the clamd daemon and restart it if it
hangs.
Best regards,
Diego d'Ambra
---
This SF.net email is sponsored by: SF.net Gi
out of this would be you.
I'm unaware of the effort needed to develop a cleaning option, but I'm
sure that a batch of virus samples isn't the way to ask for this.
> Old school virus-coding rocks 'cause the old "school boys" (who code for
> C64, Apple2 and so o
rame.Gen
(Clam)=696672616d65207372633d*6369643a*6865696768743d*2077696474683d*2f696672616d65*2f424f44593e3c2f48544d4c3e
696672616d65207372633d = "iframe src="
6369643a = "cid:"
6865696768743d = "height="
2077696474683d = " width="
2f696672616d65 = "/iframe"
2f424f44593e3c2f48544d4c3e = "/BODY></HTML>"
B
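To check a candidate signature like the decoded one above against local samples before dropping a .db file next to the CVDs (the local.db route suggested elsewhere on this page), the following Python, an added example and not ClamAV's matcher, parses the old `Name=hex` syntax, decodes the literal runs the way the post does, and translates the `*` (any number of bytes) and `??` (one byte) wildcards into a bytes regex. The translation is an approximation of the scanner's own matching and handles no other ClamAV wildcard forms; the two signatures are the ones quoted on this page, and the HTML and script samples are constructed here.

```python
"""Decode and test-match ClamAV-style hex body signatures (Name=hex .db lines).

Added example, not ClamAV code. Supports the wildcards seen in this thread:
'*' (any number of bytes) and '??' (exactly one byte). The regex translation
approximates the scanner's matcher for checking a candidate signature against
local samples before it goes into a .db file.
"""
import re

# The two signatures quoted on this page.
SIGNATURES = [
    "Suspicious.HTML.javascript2=756e6573636170652822253636",
    "Exploit.IFrame.Gen=696672616d65207372633d*6369643a*6865696768743d"
    "*2077696474683d*2f696672616d65*2f424f44593e3c2f48544d4c3e",
]

# Constructed samples (not real malware): an e-mail body carrying a cid: iframe,
# an escaped-JavaScript snippet, and a clean body.
SAMPLE_IFRAME = (b"<HTML><BODY>\r\n"
                 b"<iframe src=cid:part1.jpg height=0 width=0></iframe>\r\n"
                 b"</BODY></HTML>\r\n")
SAMPLE_JS = b'<script>document.write(unescape("%66%6f%6f"))</script>'
SAMPLE_CLEAN = b"<HTML><BODY><p>Quarterly report attached.</p></BODY></HTML>"


def parse_signature(line):
    """'Name=hexpattern' -> (name, hexpattern)."""
    name, _, hexpat = line.strip().partition("=")
    if not name or not hexpat:
        raise ValueError("malformed signature line: %r" % line)
    return name, hexpat


def tokenize(hexpat):
    """Split 'aa*bb??cc' into literal byte runs and the wildcards '*' / '??'."""
    tokens = []
    for part in re.split(r"(\*|\?\?)", hexpat):
        if part in ("*", "??"):
            tokens.append(part)
        elif part:
            if len(part) % 2:
                raise ValueError("odd-length hex run: %r" % part)
            tokens.append(bytes.fromhex(part))
    return tokens


def decode_literals(hexpat):
    """The literal runs as text, the way the post above spells them out."""
    return [t.decode("latin-1") for t in tokenize(hexpat) if isinstance(t, bytes)]


def to_regex(hexpat):
    """Bytes regex: literals escaped, '*' -> '.*', '??' -> '.'; DOTALL so the
    wildcards also span the CR/LF line breaks of an e-mail body."""
    pieces = []
    for t in tokenize(hexpat):
        if isinstance(t, bytes):
            pieces.append(re.escape(t))
        elif t == "*":
            pieces.append(b".*")
        else:  # "??"
            pieces.append(b".")
    return re.compile(b"".join(pieces), re.DOTALL)


def scan(data, signatures):
    """Names of all signatures whose pattern occurs anywhere in data."""
    hits = []
    for line in signatures:
        name, hexpat = parse_signature(line)
        if to_regex(hexpat).search(data):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for sig in SIGNATURES:
        name, hexpat = parse_signature(sig)
        print(name, "=", decode_literals(hexpat))
    for sample in (SAMPLE_IFRAME, SAMPLE_JS, SAMPLE_CLEAN):
        print(scan(sample, SIGNATURES))
```

Running `scan` over a directory of known-clean mail is the cheap false-positive check worth doing before a local .db goes live; the javascript2 signature in particular matches any page that calls `unescape("%66`, which is exactly the trade-off the later thread discusses.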
d machines, not replicating itself, but waiting for an
update.
The Sober-Q variant was downloaded this way and it's currently
responsible for a series of "right-wing propaganda" spam messages.
Best regards,
Diego d'Ambra
gards,
Diego d'Ambra
onnections)
- Ensure you've access to a fast DNS server (if spamd is doing RBL
checks)
- Use badmailfrom/badmailto - it may help you filter unneeded smtp
connections
(Optionally renice the qmail-send/qmail-remote user to ensure that email
queued for remote delivery gets enough cpu)
Be
mav configuration -
check that clamd is running as the user advised by qmail-scanner.
Best regards,
Diego d'Ambra
don't know the details of qmail, but you need a
user either the same as the qmail scanner, or in the same group if you
add "allowsupplementarygroups" in clamd.conf
That problem is due to spamd (not clamd) - but yes, it's advised to run
spamd as a user other than root.
[EMAIL PROTECTED] wrote:
I have submitted this file to ClamAV research two times, but it is not yet
included.
I've looked through our submissions and I can't find any from you.
If possible could you inform submission number or email address used
when you submitted samples.
Best rega
ld be available with
.
Thanks for the heads up...
Best regards,
Diego d'Ambra
re Worm.Mytob.FJ was updated in daily 985 (due to fp) - are you
sure that your samples are detected by 0.86.1/985?
Could you mail me a sample (in a password protected zip archive) that
isn't detected by current CVS?
TIA.
Best regards,
Diego d'Ambra
Diego d'Ambra wrote:
Steve Brown wrote:
I've noticed that today's (maybe also recent versions) development
version of clam no longer detects W32/Mytob-BP (Sophos).
I have several samples which are declared fine by ClamAV
(devel-20050721/985/Thu Jul 21 13:14:39 2005), but corre
Steven Spence wrote:
Or you can just edit /var/spool/qmailscan/qmail-scanner-queue-version.txt
with the correct version. I am not quite sure why qmail-scanner just
doesn't pull the version from the clamd binary instead of a text file.
Performance?
Best regards,
Diego d&
Steven Spence wrote:
Diego d'Ambra wrote:
Steven Spence wrote:
Or you can just edit
/var/spool/qmailscan/qmail-scanner-queue-version.txt
with the correct version. I am not quite sure why qmail-scanner just
doesn't pull the version from the clamd binary instead of a
ive either way...
Zotob-A, see
http://lurker.clamav.net/message/20050814.215255.66cd6ac2.en.html
Zotob-B is detected as .
I've not studied Zotob-C, so I can't say if or maybe what this variant
is detected as.
Best regards,
Diego d'Ambra
protected malware archive (zip or rar)
instead of the content inside it.
Searching for signatures that have "pwd" as a part of their name gives
you an impression of the kind of malware that uses this technique.
Best regards,
Diego d'Ambra
ld be able to
verify this by comparing db update notifications and your installation
time).
Best regards,
Diego d'Ambra
m - had it been "useful" binaries I would
gladly have added them :-)
BTW: You may encounter same problem with other av-scanners.
Best regards,
Diego d'Ambra
't cover
every possible variant.
Best regards,
Diego d'Ambra
.
Currently ClamAV has received 93 malware variants, all detected as
Exploit.WMF.A or Exploit.WMF.Gen-3.
For those who wish to test their ClamAV installation see:
http://isc.sans.org/diary.php?rss&storyid=1006
Best regards,
Diego d'Ambra
Filbert wrote:
On Tuesday 03 January 2006 10:39, Diego d'Ambra wrote:
Abdul Rehman Gani wrote:
Hi,
Clamscan currently detects Exploit.WMF.A, but F-Secure are reporting 57
different varieties. How many does this signature detect?
Just an update:
I believe that with daily.cvd version
like SpamGrabber to do it (http://spamgrabber.org).
Best regards,
Diego d'Ambra
.
Could you explain what you're matching, thanks.
Sorry, the signature I posted above is for undetected Feebs variants. I
got my viruses mixed up.
Best regards,
Diego d'Ambra
rge number of Feebs-C variants aren't detected by that signature, sorry.
Best regards,
Diego d'Ambra
Erik Corry wrote:
On Wed, Jan 25, 2006 at 09:55:10PM +0100, Diego d'Ambra wrote:
> Erik Corry wrote:
> >
> >Suspicious.HTML.javascript2=756e6573636170652822253636
> >
> >Put it in a file called local.db in the same directory as your main.cvd
> >and
Erik Corry wrote:
On Thu, Jan 26, 2006 at 10:24:57AM +0100, Diego d'Ambra wrote:
> Erik Corry wrote:
> >On Wed, Jan 25, 2006 at 09:55:10PM +0100, Diego d'Ambra wrote:
> > > Erik Corry wrote:
> > > >
> > > >Suspicious.HTML.javascript2=756
d >) would make it more FP safe.
Works for all variants that I have seen, but also catches any html file with
unescape ("func
without the space. Right now I think I can live with that.
Does the * wildcard have a limit to how many characters it will look
ahead?
N
Erik Corry wrote:
On Thu, Jan 26, 2006 at 01:09:28PM +0100, Diego d'Ambra wrote:
> Erik Corry wrote:
> >On Thu, Jan 26, 2006 at 11:50:00AM +0100, Erik Corry wrote:
> > >
> > > How about:
> > >
> > >
>
>JS.Feebs-C.variant-ec:
rrect.
Is there no interest in supporting this, or am I just blind? (the latter
is quite possible ;-)
I don't know if ClamAV meets "membership" requirements, since AFAIK
nobody from ClamAV has been contacted or tried to contact CME (yet).
Best regards,
Diego d'Ambra
unrelated malware.
Best regards,
Diego d'Ambra
Christopher X. Candreva wrote:
On Fri, 3 Feb 2006, Diego d'Ambra wrote:
I'm investigating this.
I believe that signature small-1004 is matching some sort of PE
packer/obfuscator and must be updated to avoid detecting unrelated malware.
Personally, I'm not as interested in nam
possible yet,
since information about the vulnerability hasn't been disseminated.
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5994
http://secunia.com/advisories/23232/
Best regards,
Diego d'Ambra
John Wilcock wrote:
http://www.microsoft.com/technet/security/advisory/929433.mspx
It's not clear from MS or news sources whether any exploits are actively
spreading...
Does ClamAV have any signatures yet?
Signature Exploit.MSWord.CVE_2006_6561 added with daily 2352.
Best regards,
with the signature added in
daily 2352 http://lurker.clamav.net/message/20061217.202336.754898f1.en.html
Please send the samples in a password protected zip archive.
Thanks in advance.
Best regards,
Diego d'Ambra
92 matches