On 02/24/2015 10:32 PM, Kris Deugau wrote:
Yves Goergen wrote:
Hello,
For a few months I've been getting lots of Polish spam to one of my e-mail
addresses, sometimes a dozen per day. I have no idea what it's telling
me, I don't understand a single word. I just recognise characteristic
characters to know the language. Some messages have a .pl domain as
sender address, others not. The sending hosts have all kinds of TLDs.
Most messages have only a very short or empty body (a few words at
maximum). Almost all messages contain a .zip attachment, often named
like *_JPG.zip or *.pdf.zip. It doesn't seem to contain malware caught
by clamav, but I haven't looked into any of these archives yet.
These are almost certainly viruses. Upload one or two of the .zip files
to virustotal.com to check against a long list of AV scanners.
Any Windows executable that I find in a .zip file attached to a random
message I automatically consider very suspect at best. I don't waste
time trying to find out what the executable actually does, I just add a
basic hash signature to ClamAV and move on. I've nearly given up on
reporting these upstream to the ClamAV maintainers as well; I've got
samples closing on two years old that still aren't flagged by stock
signatures. :/
ClamAV has become a framework... and atm, you can open a bottle of
bubbly if the official sigs actually detect anything.
Take a look at Sanesecurity's FoxHole sigs
http://sanesecurity.com/foxhole-databases/
foxhole_generic.cdb
foxhole_filename.cdb
have been very reliable, in all ways.
Axb
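The "basic hash signature" approach Kris describes above, as an added example that is not from any of the posters: it opens a .zip attachment in memory, picks out the members that look like Windows executables, and emits ClamAV .hdb lines (MD5:size:name) for them. The archive contents and the signature name are constructed for the demo; the member-selection heuristic is the author's own assumption.

```python
import hashlib
import io
import zipfile
from typing import List

# Extensions treated as "Windows executable" even without an MZ header
# (assumption for this example, not a ClamAV rule).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def is_windows_executable(name: str, data: bytes) -> bool:
    """True if an archive member starts with the DOS/PE 'MZ' magic or
    carries an executable/script extension (photo.jpg.exe still ends
    in .exe, so double extensions are caught as well)."""
    if data[:2] == b"MZ":
        return True
    return name.lower().endswith(EXECUTABLE_SUFFIXES)


def hdb_signatures(zip_bytes: bytes, sig_name: str) -> List[str]:
    """Return ClamAV .hdb lines (MD5:FileSize:MalwareName) for every
    executable member of the archive. Hash signatures match one exact
    file, so a repacked or padded sample needs a new line."""
    lines = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if not is_windows_executable(info.filename, data):
                continue
            lines.append(f"{hashlib.md5(data).hexdigest()}:{len(data)}:{sig_name}")
    return lines


def build_sample_zip() -> bytes:
    """Constructed sample: a zip named like the ones in the thread, holding
    a fake 'MZ' stub with a JPG-looking name plus a harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("faktura_JPG.exe", b"MZ" + b"\x00" * 62 + b"not a real program")
        zf.writestr("readme.txt", b"plain text, not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    # Append the printed lines to a local .hdb file in ClamAV's database
    # directory and reload; sigtool --md5 <file> produces the same format.
    for line in hdb_signatures(build_sample_zip(), "Spam.PolishZip.Sample-1"):
        print(line)
```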