Hi there,

On Mon, 21 Feb 2022, Eliya Voldman via clamav-users wrote:
> ... found this line in the log:
> C:\Windows\SysWOW64\sechost.dll: Win.Trojan.Pemalform-9786579-0 FOUND
You should take positive action to investigate anything which gives a result like this. It may mean that the computer has been compromised, or it could be a false positive. I did a quick search and I didn't find very much, but I don't have all day to spend on it. Be aware that different suppliers of threat information may call the *same* threats by different names. As this seems to be a fairly old signature, if it really is a false positive, I'd almost have expected that it would have been mentioned on this list by now. AFAICT it hasn't.

Here's the decoded signature:

8<----------------------------------------------------------------------
$ time sigtool --datadir=/EXPORTS/clamav/databases --find-sigs 'Win.Trojan.Pemalform-9786579-0' | sigtool --decode-sigs
VIRUS NAME: Win.Trojan.Pemalform-9786579-0
TDB: Engine:81-255,Target:1
LOGICAL EXPRESSION: 0&1&2&3&4
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
!"&)(<>=|%5C%5C.%5CMutex%5C
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
LastRunPercentFragmentation
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
\Registry\Machine\Software\Microsoft\SQMClient
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
ARSDS{Z,
 * SUBSIG ID 4
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
)^72>x

real    2m16.854s
user    0m7.074s
sys     0m6.778s
8<----------------------------------------------------------------------

To me, because of all those 'ANY' offsets, it looks possible that this *could* generate false positives - but I certainly wouldn't claim to be an expert on the assessment of signature performance, and I haven't even looked at the content of the genuine file nor any malicious versions. There's a lot of advice Out There.
You could for example calculate the MD5 digest of the file content and search for that (this is one of the more efficient ways of looking for indicators), or you could submit the file to the ClamAV team, and to any of a number of Websites which collect malware, for analysis. You might want to install yet another scanning tool on the computer to see if it agrees with ClamAV, but if the threat is real, and the malicious actor is competent, the results are likely to be unreliable. It might be better to take the file from the affected computer and scan it elsewhere. There might be readers on this mailing list who can provide the MD5 of the same file for you to compare it with that for your file.

The main things to consider are that

(1) all this might be a storm in a teacup if it's a false positive;

(2) this computer, apparently on a connection which does not permit traffic from the Internet, might possibly be compromised;

(3) if this computer is on the same firewalled network as other computers, it might present a threat to those other computers - I'd advise disconnecting it until you're sure one way or another;

(4) if the computer is in fact compromised, my advice would be to wipe it thoroughly, reinstall all software and data from known good sources and then monitor it carefully in controlled conditions until it can be confidently called 'clean' (given the prevalence of Windows malware, that's quite a tall order for a Windows box at the best of times);

(5) if it's a real compromise you'll want to know how it got there, and take steps to prevent it from happening again;

(6) there are many Websites out there which will lie to you about things like this; for example they will tell you that absolutely anything you submit to them is a danger and that you need to pay them money in order to fix the problem, or perhaps that you should download the version of the file that they provide. Be careful what you believe.
> Does it mean that I could/should rely on 'FOUND' or it should be something 'more specific'?
A ClamAV scan normally gives the word 'FOUND' in the output which it produces when something it scans matches a signature or a heuristic. Whether that's enough for you to decide on what's been found depends on you, and to some extent on what you're looking at. For example, if you have files which contain the word 'FOUND' in their names, or in the names of the directories which contain them, then yes, you might need to be more specific. But we can't really tell you, because we don't know exactly what you're looking at. ClamAV is primarily a toolkit, and how you use it is primarily up to you.

-- 
73,
Ged.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
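Editor's added example (not code from Ged's reply and not ClamAV's own matcher). The reply makes two points a practitioner will want to act on: with every subsignature at OFFSET: ANY, the logical signature 0&1&2&3&4 fires on any file that carries all five byte strings anywhere in it, so a file that legitimately contains a registry path and a counter name only needs the other three strings present to trip it; and the cheapest first check is to hash the suspect file and compare it with a known-good copy. The script below does both for an offline copy of the file: it re-implements just enough of the logical-signature semantics to show which of the five subsignatures a given file hits, evaluates the expression, and prints MD5/SHA-256. Assumptions, which are not stated on the page: SIGMOD WIDE means UTF-16LE and NONE means raw bytes; the %5C escapes sigtool printed for subsig 0 stand for a backslash; '&' binds tighter than '|'; subsignatures are treated as plain strings (the real engine supports wildcards, offsets and much more, so this is a teaching model, not a replacement for clamscan). The two sample buffers at the bottom are constructed, not real files.

```python
"""Toy matcher for a ClamAV logical signature whose subsigs are all OFFSET: ANY,
plus the file-hash comparison the reply suggests.  Added example, not ClamAV code."""
import hashlib
import re
import sys
from urllib.parse import unquote

# The five subsignatures as decoded by sigtool in the message, in ID order.
PEMALFORM_SUBSIGS = [
    ("WIDE", unquote('!"&)(<>=|%5C%5C.%5CMutex%5C')),  # assumption: %5C is '\'
    ("WIDE", "LastRunPercentFragmentation"),
    ("WIDE", r"\Registry\Machine\Software\Microsoft\SQMClient"),
    ("NONE", "ARSDS{Z,"),
    ("NONE", ")^72>x"),
]
PEMALFORM_EXPR = "0&1&2&3&4"


def encode_subsig(sigmod, text):
    """Bytes the scanner looks for: WIDE = UTF-16LE (assumption), NONE = raw."""
    if sigmod == "WIDE":
        return text.encode("utf-16-le")
    if sigmod == "NONE":
        return text.encode("latin-1")
    raise ValueError("unsupported SIGMOD: %s" % sigmod)


def subsig_hits(data, subsigs):
    """OFFSET: ANY means 'anywhere in the file', i.e. a plain substring test."""
    return {i: encode_subsig(m, t) in data for i, (m, t) in enumerate(subsigs)}


def eval_logical(expr, hits):
    """Evaluate an expression such as '0&1&(2|3)'; only &, | and () supported."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError("unsupported logical expression: %r" % expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of %r" % expr)
        pos += 1
        return tokens[pos - 1]

    def atom():  # a subsig ID or a parenthesised expression
        tok = take()
        if tok == "(":
            value = or_expr()
            if take() != ")":
                raise ValueError("missing ')' in %r" % expr)
            return value
        return bool(hits[int(tok)])

    def and_expr():  # assumption: '&' binds tighter than '|'
        value = atom()
        while peek() == "&":
            take()
            value = atom() and value
        return value

    def or_expr():
        value = and_expr()
        while peek() == "|":
            take()
            value = and_expr() or value
        return value

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return result


def scan_bytes(data, subsigs=PEMALFORM_SUBSIGS, expr=PEMALFORM_EXPR):
    """Return (matched, per-subsig hit map) for an in-memory file image."""
    hits = subsig_hits(data, subsigs)
    return eval_logical(expr, hits), hits


def file_digests(path):
    """MD5 and SHA-256 of a file, for comparison with a known-good copy."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


# Constructed sample buffers (not real files).  PARTIAL carries only three of the
# five strings, as a legitimate binary that records SQM data plausibly might;
# FULL carries all five and therefore satisfies 0&1&2&3&4.
PARTIAL = (
    b"MZ\x90\x00" + b"\x00" * 60
    + encode_subsig("WIDE", "LastRunPercentFragmentation") + b"\x00" * 16
    + encode_subsig("WIDE", r"\Registry\Machine\Software\Microsoft\SQMClient")
    + b"\x00" * 16 + b"ARSDS{Z," + b"\x00" * 16
)
FULL = PARTIAL + encode_subsig(*PEMALFORM_SUBSIGS[0]) + b"\x00" * 8 + b")^72>x"

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: %s <file> [known-good-md5]" % sys.argv[0])
    with open(sys.argv[1], "rb") as fh:
        matched, hits = scan_bytes(fh.read())
    md5, sha256 = file_digests(sys.argv[1])
    print("md5    ", md5)
    print("sha256 ", sha256)
    if len(sys.argv) > 2:
        print("matches known-good md5:", md5 == sys.argv[2].lower())
    for i in sorted(hits):
        print("subsig %d: %s" % (i, "hit" if hits[i] else "miss"))
    print("%s -> %s" % (PEMALFORM_EXPR, "FOUND" if matched else "no match"))
```

Run it against the copy of sechost.dll taken off the affected machine, and hand it the MD5 someone on the list reports for their own copy as the second argument. A per-subsig breakdown is more useful than the bare FOUND line when judging a possible false positive: if only the registry path and counter name hit, that is what a clean Windows component might contain, whereas the two raw-byte strings and the mutex string hitting as well is what the signature author considered distinctive.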