On Sep 13, 2010, at 1:58 PM, Alex wrote:

> Hi,
>
>>> winnow.botnets.zu.zeus.4637.UNOFFICIAL, according to the logs. How can
>
>> That signature is not in our active database. When did you last update your
>> files? zeus urls and IP come and go as machines are infected and cleaned so
>> you must keep your rules current.
>
> # ls -l winnow_malware_links.ndb
> -rw-r--r-- 1 vscan vscan 489480 Sep 12 19:47 winnow_malware_links.ndb
>
> The user also reported this on an email that was received on the 9th, I
> believe.
>
> I'm also wondering how a domain name, which is what triggered this
> rule, is found within this hash:
>
> # sigtool -fwinnow.botnets.zu.zeus.4637
> winnow.botnets.zu.zeus.4637:3:*:(2e|2f|40|20|3c)3230352e3137382e3138392e313239(27|22|20|2f|3d|3e|0a|0d)
>
Wasn't a domain name but an IP

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
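The signature body quoted in the message is hex-encoded bytes with alternation groups on either side, so it can be decoded directly. The following is an added example, not part of the original thread and not ClamAV's own code; the function names are hypothetical, and it handles only hex literals, (aa|bb) groups and the ??, * and {n-m} wildcards.

```python
import re

# Signature line as quoted in the thread (ClamAV extended .ndb format:
# Name:TargetType:Offset:HexSignature).
SIG = ("winnow.botnets.zu.zeus.4637:3:*:(2e|2f|40|20|3c)"
       "3230352e3137382e3138392e313239(27|22|20|2f|3d|3e|0a|0d)")

# Subset of the body grammar: (aa|bb) groups, hex literals, ?? * {n-m} wildcards.
TOKEN = re.compile(
    r"\(([0-9a-fA-F|]+)\)|((?:[0-9a-fA-F]{2})+)|(\?\?|\*|\{[-0-9]+\})")


def render(hex_str):
    """Turn hex-encoded bytes into text, escaping non-printable bytes."""
    out = []
    for i in range(0, len(hex_str), 2):
        b = int(hex_str[i:i + 2], 16)
        out.append(chr(b) if 0x20 < b < 0x7f else "\\x%02x" % b)
    return "".join(out)


def parse_ndb(line):
    """Split an .ndb line into its fields and decode the hex body."""
    name, target, offset, body = line.strip().split(":", 3)
    parts, pos = [], 0
    while pos < len(body):
        m = TOKEN.match(body, pos)
        if not m:  # nibble wildcards, negated groups, etc. are out of scope
            raise ValueError("unsupported token at position %d" % pos)
        alt, literal, wildcard = m.groups()
        if alt:
            parts.append(("one_of", [render(h) for h in alt.split("|")]))
        elif literal:
            parts.append(("literal", render(literal)))
        else:
            parts.append(("wildcard", wildcard))
        pos = m.end()
    return {"name": name, "target": int(target), "offset": offset,
            "parts": parts}


if __name__ == "__main__":
    sig = parse_ndb(SIG)
    print(sig["name"], "target", sig["target"], "offset", sig["offset"])
    for kind, value in sig["parts"]:
        print("  %-8s %s" % (kind, value))
```

The middle literal decodes to a dotted-quad IP address, and the groups before and after it list the delimiter bytes that must surround it, which is consistent with the reply above.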