On Sun, December 25, 2016 10:40 am, Al Varnell wrote:

> A handful of ClamXav users can confirm the Firefox
> omni.ja:Win.Trojan.Toa-5370234-0. It also identified some Adobe products
> as infected when run through QA.

Firstly, Merry Christmas to all.

Onto the FP's... basically they are too generic... currently the
reported FP's, when you decode them, are going to hit quite a few
files.

sigtool --find-sigs Win.Trojan.Toa-5370234-0|sigtool --decode-sigs
VIRUS NAME: Win.Trojan.Toa-5370234-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: [\W][a-z]{3,4}\.js$

sigtool --find-sigs Win.Trojan.Toa-5372190-0|sigtool --decode-sigs
VIRUS NAME: Win.Trojan.Toa-5372190-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: [a-z]{8,30}\.exe$

sigtool --find-sigs Win.Trojan.Toa-5371146-0|sigtool --decode-sigs
VIRUS NAME: Win.Trojan.Toa-5371146-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: ^[a-z]{3,7}\.exe$

sigtool --find-sigs Win.Trojan.Toa-5370085-0|sigtool --decode-sigs
VIRUS NAME: Win.Trojan.Toa-5370085-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: ^[a-z]{2,12}\.exe$

They have hit a few in my ham folder too..


eg:

sanesecurity\ham\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370297-0


The good news is that the Toa-xxxxxxx sigs are hitting malware....

eg:

21_12_2016\IMG-20161221-WA9898.zip: Win.Trojan.Toa-5368799-0 FOUND

sigtool --find-sigs Win.Trojan.Toa-5368799-0|sigtool --decode-sigs
VIRUS NAME: Win.Trojan.Toa-5368799-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: ^[A-Za-z0-9]{1,25}\.wsf$

Foxhole sigs are doing a similar thing but trying not to be too generic.

Right, off to carry on munching and playing with playdoh(tm) ;)

--
Cheers,

Steve
Twitter: @sanesecurity
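As an added illustration (not part of Steve's message, nor ClamAV's or Sanesecurity's code): a small checker that parses the `sigtool --decode-sigs` output quoted above and runs the four generic filename regexes over constructed entry names of the kind found in benign zip/xpi/omni.ja archives, showing which signatures would fire on them. It assumes Python's `re.search` over the stored entry path is a close enough stand-in for ClamAV's own filename-regex matching.

```python
import re

# Constructed sample input: the four decoded signature blocks quoted in the
# message, in the layout `sigtool --decode-sigs` prints them.
DECODED_SIGS = r"""
VIRUS NAME: Win.Trojan.Toa-5370234-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: [\W][a-z]{3,4}\.js$

VIRUS NAME: Win.Trojan.Toa-5372190-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: [a-z]{8,30}\.exe$

VIRUS NAME: Win.Trojan.Toa-5371146-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: ^[a-z]{3,7}\.exe$

VIRUS NAME: Win.Trojan.Toa-5370085-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: ^[a-z]{2,12}\.exe$
"""

def parse_decoded_sigs(text):
    """Turn sigtool --decode-sigs output into (name, container type, compiled regex)."""
    sigs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        sigs.append((fields["VIRUS NAME"], fields["CONTAINER TYPE"],
                     re.compile(fields["FILENAME REGEX"])))
    return sigs

def fp_report(entry_names, sigs):
    """Map each signature name to the archive entries its filename regex would flag.
    Assumption: re.search on the stored entry path approximates ClamAV's own
    regex matching closely enough for these simple patterns."""
    return {name: [e for e in entry_names if rx.search(e)] for name, _ct, rx in sigs}

# Constructed entry names, typical of what benign zip/xpi/omni.ja archives contain.
BENIGN_ENTRIES = [
    "modules/main.js",            # hit: [\W][a-z]{3,4}\.js$
    "chrome/content/browser.js",  # miss: seven letters before .js
    "setup.exe",                  # hit: both anchored .exe patterns
    "uninstaller.exe",            # hit: 11 letters, too long for {3,7}
    "README.txt",                 # miss
]
```

Every non-empty list in `fp_report(BENIGN_ENTRIES, parse_decoded_sigs(DECODED_SIGS))` is a benign entry the signature would flag, which is the "too generic" problem in concrete form.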

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
