Here’s another:

sigtool --find Win.Trojan.Toa-5370297-0|sigtool --decode-sigs
VIRUS NAME: Win.Trojan.Toa-5370297-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: ^[a-z0-9\-_]{1,30}_[a-zA-Z0-9\-]{1,15}\.js$
COMPRESSED FILESIZE: ANY
UNCOMPRESSED FILESIZE: ANY
ENCRYPTION: IGNORED
FILE POSITION: ANY
CRC SUM: ANY

Found in this mac OS X application on https://www.sublimetext.com. Submitted as FP MD5=f62311d5e593183719cbb5a4264d2e4c:54433:Java.sublime-package

-Al-

On Dec 25, 2016, at 7:19 AM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:

> On Sun, December 25, 2016 10:40 am, Al Varnell wrote:
>
>> A handful of ClamXav users can confirm the Firefox
>> omni.ja:Win.Trojan.Toa-5370234-0. It also identified some Adobe products
>> as infected when run through QA.
>
> Firstly, Merry Christmas to all.
>
> Onto the FP's... basically they are too generic... currently the
> reported FP's, when you decode them, are going to hit quite a few
> files.
>
> sigtool --find-sigs Win.Trojan.Toa-5370234-0|sigtool --decode-sigs
> VIRUS NAME: Win.Trojan.Toa-5370234-0
> CONTAINER TYPE: CL_TYPE_ZIP
> CONTAINER SIZE: ANY
> FILENAME REGEX: [\W][a-z]{3,4}\.js$
>
> sigtool --find-sigs Win.Trojan.Toa-5372190-0|sigtool --decode-sigs
> VIRUS NAME: Win.Trojan.Toa-5372190-0
> CONTAINER TYPE: CL_TYPE_ZIP
> CONTAINER SIZE: ANY
> FILENAME REGEX: [a-z]{8,30}\.exe$
>
> sigtool --find-sigs Win.Trojan.Toa-5371146-0|sigtool --decode-sigs
> VIRUS NAME: Win.Trojan.Toa-5371146-0
> CONTAINER TYPE: CL_TYPE_ZIP
> CONTAINER SIZE: ANY
> FILENAME REGEX: ^[a-z]{3,7}\.exe$
>
> sigtool --find-sigs Win.Trojan.Toa-5370085-0|sigtool --decode-sigs
> VIRUS NAME: Win.Trojan.Toa-5370085-0
> CONTAINER TYPE: CL_TYPE_ZIP
> CONTAINER SIZE: ANY
> FILENAME REGEX: ^[a-z]{2,12}\.exe$
>
> They have hit a few in my ham folder too..
>
> eg:
>
> sanesecurity\ham\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370297-0
>
> The good news is that the Toa-xxxxxxx sigs are hitting malware....
>
> eg:
>
> 21_12_2016\IMG-20161221-WA9898.zip: Win.Trojan.Toa-5368799-0 FOUND
>
> sigtool --find-sigs Win.Trojan.Toa-5368799-0|sigtool --decode-sigs
> VIRUS NAME: Win.Trojan.Toa-5368799-0
> CONTAINER TYPE: CL_TYPE_ZIP
> CONTAINER SIZE: ANY
> FILENAME REGEX: ^[A-Za-z0-9]{1,25}\.wsf$
>
> Foxhole sigs are doing a similar thing but trying not to be too generic.
>
> Right, off to carry on munching and playing with playdoh(tm) ;)
>
> --
> Cheers,
>
> Steve
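The thread's point is that these container-metadata signatures key on FILENAME REGEX alone, so a loose regex fires on ordinary archive members. As an added example (not code from the list, from Sanesecurity or from ClamAV), the Python below parses two of the decoded signatures quoted above and runs their regexes over a constructed ZIP whose member names imitate a benign browser omni.ja bundle; it assumes ClamAV applies the regex with search semantics to the stored member name and uses Python's re module as a stand-in for ClamAV's own regex engine.

```python
import io
import re
import zipfile

DECODED_SIGS = r"""VIRUS NAME: Win.Trojan.Toa-5370234-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: [\W][a-z]{3,4}\.js$
VIRUS NAME: Win.Trojan.Toa-5371146-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: ^[a-z]{3,7}\.exe$
"""

def parse_decoded_sigs(text):
    """Turn 'sigtool --decode-sigs' output into one dict per VIRUS NAME block."""
    sigs, cur = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "VIRUS NAME":
            cur = {"name": value}
            sigs.append(cur)
        elif cur is not None:
            cur[key] = value
    return sigs

def build_sample_archive():
    """Constructed stand-in for a browser omni.ja bundle; every member is benign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("chrome/content/main.js", "modules/Sync.jsm",
                     "defaults/pref.js", "README.txt"):
            zf.writestr(name, "// benign placeholder\n")
    return buf.getvalue()

def fp_hits(sigs, zip_bytes):
    """Map each CL_TYPE_ZIP signature to the member names its FILENAME REGEX hits.
    Assumed: search semantics on the stored member name; re stands in for ClamAV."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    hits = {}
    for sig in sigs:
        matched = [n for n in names if re.search(sig["FILENAME REGEX"], n)]
        if matched and sig.get("CONTAINER TYPE") == "CL_TYPE_ZIP":
            hits[sig["name"]] = matched
    return hits
```

Running fp_hits on the sample archive shows Toa-5370234-0 flagging both plain .js members, which is the same behaviour reported for Firefox's omni.ja, while the anchored .exe signature hits nothing.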
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml