[clamav-users] Hint for creating signatures

2014-09-08 Thread Hajo Locke
Hello, from time to time I create some signatures from what I found in PHP code of my users. Now I found some malware that worries me. It's obfuscated

Re: [clamav-users] Hint for creating signatures

2014-09-08 Thread Hajo Locke
Hello, sorry for links to my translator. I thought Thunderbird is removing this when choosing pure-text format. Now it is readable: On 08.09.2014 at 16:04 Hajo Locke wrote: Hello, from time to time I create some signatures from what I found in PHP code of my users. Now I found some

Re: [clamav-users] Hint for creating signatures

2014-09-09 Thread Hajo Locke
Hello, On 08.09.2014 at 16:58 Steve Basford wrote: Hi, Tricky :( Copy this into not_tested.ndb test.ercynpr:7:*:3D7374725F726F74313328??636572745F657263796E7072??293B2024 test.cryptbot:7:*:3D22{12}225E22{40}3B2024 Thanks, this seems to work. I will try it. Hopefully only a few FP. Tha

[clamav-users] need help creating signatures

2015-09-24 Thread Hajo Locke
Hello, these days we see a new type of PHP malware. Malware occurs in many different files, but all expand to the same PHP malware. For example, here I have 4 files I have found: http://pastebin.com/TzudTPPt All files expand to something like this and are used to send spam: http://pastebin.com/jhVRM

Re: [clamav-users] need help creating signatures

2015-09-24 Thread Hajo Locke
thought creating signatures by my own is faster. I think in this moment this malware is used to send spam on one of our servers. <http://www.clamav.net/report/report-malware.html> -Al- On Thu, Sep 24, 2015 at 11:27 PM, Hajo Locke wrote: Hello, these days we see a new type of PHP malware. M

Re: [clamav-users] need help creating signatures

2015-09-25 Thread Hajo Locke
tabase list. complete lists.clamav.net seems to work only for seconds. Most of the time I got request timeouts. I think the 10th attempt was successful. Hopefully someone will come along and give you something to work with while you are waiting. -Al- On Thu, Sep 24, 2015 at 11:56 PM, Hajo Locke

[clamav-users] Difficult malwarefiles - signature too short

2015-11-02 Thread Hajo Locke
Hello, again I have to create signatures for some difficult short files. Using these files, a hacked CMS does what you want. Examples are here: http://pastebin.com/ruxdmpNz The number of files seems infinite; there are always different names of variables. Also the length of variables and spaces between text

Re: [clamav-users] Difficult malwarefiles - signature too short

2015-11-02 Thread Hajo Locke
mer to generate infinite number of malwarefiles and so hard to create fitting signature. testing_01:0:*:737472746f6c6f776572*5d2e{-11}5d2e{-11}5d2e{-11}5d2e{-11}5d2e*6973736574{-35}6576616c{-10}28247b -Alain On Nov 2, 2015, at 5:24 AM, Hajo Locke wrote: 5d2e{-11

Re: [clamav-users] Difficult malwarefiles - signature too short

2015-11-03 Thread Hajo Locke
Hello, On 02.11.2015 at 19:08 Kris Deugau wrote: G.W. Haywood wrote: Hi there, On Mon, 2 Nov 2015, Hajo Locke wrote: ... It seems to be so easy for a PHP programmer to generate an infinite number of malware files ... That's correct. Any .php file sent here goes straight to /dev/null wi

Re: [clamav-users] Swf.Exploit.CVE_2015_5548 giving FP's

2015-11-17 Thread Hajo Locke
Hello, On 17.11.2015 at 07:33 Al Varnell wrote: Swf.Exploit.CVE_2015_5548 was added to the database today: ClamAV database updated (16 Nov 2015 07-00 -0500): daily.cvd Version: 21062 and has resulted in three OS X users, so far, reporting various Adobe files as infected, in addition to even

[clamav-users] FP Win.Trojan.Agent-1395367

2016-04-20 Thread Hajo Locke
Hello, there seems to be a new FP within a WordPress plugin. Download is here: https://jetpack.com/install/?from=wporg http://downloads.wordpress.org/plugin/jetpack.latest-stable.zip File jetpack/modules/theme-tools/responsive-videos/responsive-videos.min.js is reported as Win.Trojan.Agent-13

Re: [clamav-users] FP Win.Trojan.Agent-1395367

2016-04-20 Thread Hajo Locke
2016 at 12:02 AM, Hajo Locke wrote: Hello, there seems to be a new FP within a WordPress plugin. Download is here: https://jetpack.com/install/?from=wporg http://downloads.wordpress.org/plugin/jetpack.latest-stable.zip File jetpack/modules/theme-tools/responsive-videos/responsive-videos.min.js

Re: [clamav-users] FP Win.Trojan.Agent-1395367

2016-04-20 Thread Hajo Locke
Hello, On 20.04.2016 at 09:31 Hajo Locke wrote: Hello, On 20.04.2016 at 09:20 Al Varnell wrote: The signature was just added yesterday in daily:21498 and yes it is an MD5 of size 892 bytes, so it could well be an FP. Not sure what you mean by “automatic created md5 Signature” and given

Re: [clamav-users] FP Win.Trojan.Agent-1395367

2016-04-21 Thread Hajo Locke
Hello, On 20.04.2016 at 16:01 Alain Zidouemba wrote: Confirming the FP on MD5: 585005690e530e8047374cf14e479281. The signature Win.Trojan.Agent-1395367 has been removed. Thanks to all. Hajo

[clamav-users] FP Win.Trojan.Agent-1395362

2016-07-07 Thread Hajo Locke
Hello, I think I have an FP to report. Virus name is Win.Trojan.Agent-1395362, MD5 is da295e46049561433ec860a92fb3b8de This is a JavaScript file which is included in Siquando Shopsystem. File can be viewed here: http://pastebin.com/raw/34fjq6bV I already reported this as FP at http://www.cla

[clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Hajo Locke
Hello, unfortunately we have some problems with FP Pdf.Exploit.CVE_2016_1091-2 Customer was testing at VirusTotal and only ClamAV is finding a virus. Unfortunately I cannot do an FP report. All PDFs are property of customers and not public. I hope there are some additional FP reports from other

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Hajo Locke
Hello, On 23.11.2016 at 16:10 Ralf Hildebrandt wrote: * Hajo Locke: Hello, unfortunately we have some problems with FP Pdf.Exploit.CVE_2016_1091-2 Customer was testing at VirusTotal and only ClamAV is finding a virus. Unfortunately I cannot do an FP report. All PDFs are property of

[clamav-users] how to find Html.Phishing.Auction-214

2017-03-22 Thread Hajo Locke
Hello, I have an issue here with this signature. Html.Phishing.Auction-214 is found within a small SQL file. I try to find the corresponding text to remove it, but I am not successful. If I split my SQL file in parts with 1000 lines and scan those parts, every part is clean; the virus is only detected i

Re: [clamav-users] how to find Html.Phishing.Auction-214

2017-03-22 Thread Hajo Locke
Hello, On 22.03.2017 at 14:01 Steve Basford wrote: On Wed, March 22, 2017 12:52 pm, Hajo Locke wrote: Hello, I have an issue here with this signature. Html.Phishing.Auction-214 is found VIRUS NAME: Html.Phishing.Auction-214 Here you go... TARGET TYPE: HTML OFFSET: * DECODED SIGNATURE

Re: [clamav-users] how to find Html.Phishing.Auction-214

2017-03-22 Thread Hajo Locke
Hello, On 22.03.2017 at 15:12 Kees Theunissen wrote: On Wed, 22 Mar 2017, Hajo Locke wrote: Thank you Steve. I could find the lines and removed them. How could you decode this signature? ~$ sigtool --find-sigs Html.Phishing.Auction-214 | sigtool --decode-sigs VIRUS NAME

[clamav-users] Ppt.Exploit.CVE_2017_0199-6336815-1 FP?

2017-10-05 Thread Hajo Locke
Hello List, since yesterday we found a lot of malware called Ppt.Exploit.CVE_2017_0199-6336815-1 The hit rate is increasing extremely. Currently I believe this is an FP. The signature looks short: Ppt.Exploit.CVE_2017_0199-6336815-1:0:*:736368656d61732e6f70656e786d6c666f726d6174732e6f72672f6f696365646

[clamav-users] LibClamAV Warning

2017-10-16 Thread Hajo Locke
Hello, today I see a warning when starting a manual clamscan: # clamscan -ir LibClamAV Warning: Don't know how to create filter for: Win.Trojan.Dovs-6343034-0 LibClamAV Warning: cli_ac_addpatt: cannot use filter for trie Version is 0.99.2 included in Ubuntu 16.04 Thanks, Hajo

[clamav-users] Signature help - php injection

2017-10-23 Thread Hajo Locke
Hello list, currently I sometimes find hexed PHP code like this in hacked CMS. https://www.unphp.net/decode/9343fc7753f51080ad5d7817720956f0/ http://ddecode.com/hexdecoder/?results=9c4971e2e8f3cc6e00865e3a1dfd20bc https://www.unphp.net/decode/18679f0e27962531abffc36b8c869ce0/ Not my domains, jus

[clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2017-11-14 Thread Hajo Locke
Hello List, I think I found an FP in incoming mail. I can't submit the mail as FP on the website, because it contains private data. I can provide debug output which leads to the match: LibClamAV debug: Phishcheck:URL after cleanup: https://sellercentral-europe.amazon.com->http://www.amazon.de LibClamAV d

Re: [clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2017-11-14 Thread Hajo Locke
located? -Al- On Tue, Nov 14, 2017 at 01:19 AM, Hajo Locke wrote: Hello List, I think I found an FP in incoming mail. I can't submit the mail as FP on the website, because it contains private data. I can provide debug output which leads to the match: LibClamAV debug: Phishcheck:URL after cleanup: https:

Re: [clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2017-11-14 Thread Hajo Locke
. Maybe more extensions are needed on the right side, depending on Amazon changes/uses on different domains. Thanks, Hajo On 14.11.2017 at 10:50 Al Varnell wrote: On Tue, Nov 14, 2017 at 01:48 AM, Hajo Locke wrote: Hello, On 14.11.2017 at 10:44 Al Varnell wrote: I'm not very good at

[clamav-users] clamdscan and TCPAddr

2018-08-07 Thread Hajo Locke
Hello List, I have an odd behaviour of ClamAV. Version is 0.100.1+dfsg-1ubuntu0.16.04.2 Short: clamscan is able to find a virus in a file, clamdscan not. First I thought about deprecation of AllowSupplementaryGroups, but that was not confirmed. clamdscan -v tells only about an error, but no detailed info

Re: [clamav-users] Help With clamscan vs clamdscan

2018-08-20 Thread Hajo Locke
Hello, On 20.08.2018 at 13:05 Matus UHLAR - fantomas wrote: On 20.08.18 17:55, Michael Newman wrote: clamd is running: MrMuscle:~ mnewman$ ps -A | grep -m1 clamd 31610 ?? 0:10.14 clamd When I run clamscan it works and detects a known problem. But, when I run clamdscan on the same d

[clamav-users] endless cpu-usage since yesterday

2019-03-22 Thread Hajo Locke
Hello list, since yesterday we see an odd behaviour of clamd on some of our Ubuntu 16.04 servers (0.100.2+dfsg-1ubuntu0.16.04.1). clamd is not really starting up; it stays in top with 100% CPU usage for infinite time and opens no socket. Signature files, conf etc. are all ok, I compared with working s