
Mailing List Archive: ClamAV: users

WinREG.Lowzones.A from Daily upd. 756



clamav at siimnet

Mar 10, 2005, 10:40 AM

Post #1 of 2 (744 views)
WinREG.Lowzones.A from Daily upd. 756

Hi


I'm using clamav with a messagewall MTA and run freshclam 0.83 to get
updates of main.cvd & daily.cvd. To convert to messagewall format I run
a perl script, buildpattern.pl, which uses sigtool 0.83 to unpack the
.cvd files and merge them.

I started seeing this in the daily.db since the Daily update 756:

mh4:/tmp> grep == daily.db
WinREG.Lowzones.A
(Clam)==530065007400740069006e00670073005c005a006f006e00650073005c0034005d000d000a002200310030003000310022003d00640077006f00720064003a00300030003000300030003000300033000d000a002200310030003000340022003d00640077006f00720064003a00300030003000300030003000300033000d000a00220031003200

Is this considered a true valid signature? For the past 2+ years I've
only ever seen signatures made of hex digits, or has my buildpattern.pl
only been filtering such ones out?

Having the signature start with a '=' sign caused my buildpattern.pl
to give an empty signature in the merged output, making messagewall match
30-40% of all messages as WinREG.Lowzones.A, a false positive :(

/Steffen

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
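The failure described in the post above is a conversion script that silently turns a malformed `.db` entry into an empty pattern, which then matches everything. The following is an added example, not the poster's buildpattern.pl (which is not shown) and not ClamAV code: a Python validator for old-format `Name=HEX` signature lines that rejects the update-756 entry with a reason instead of emitting an empty pattern. It assumes the pre-0.9 plain-text `.db` layout of one `Name=HEX` line per signature with hex digits only (no wildcards), that the grep hit in the post reads `WinREG.Lowzones.A (Clam)==5300...` as one line, and two constructed entries named `Example.Constructed.A` and `Example.Constructed.B`; the long hex body itself is copied from the post. It also decodes that body as UTF-16LE, which shows it is a fragment of Windows registry-export text.

```python
"""Validate old-format ClamAV .db signature lines before merging them.

Added example for this thread; not the poster's buildpattern.pl and not
ClamAV code. Assumed layout (the old plain-text .db format): one signature
per line, `Name=HEX`, where HEX is a non-empty, even-length run of hex digits
and nothing else. Lines that do not fit are reported, never passed through
as an empty pattern.
"""
import re

# Assumption: plain hex only, no wildcards, matching what the poster reports.
HEX_BODY = re.compile(r"^(?:[0-9a-fA-F]{2})+$")


class BadSignature(ValueError):
    """Raised for a .db line that would not yield a usable pattern."""


def parse_db_line(line):
    """Return (name, hex_body) for a well-formed line, None for a blank one.

    Splits on the first '=' only. The update-756 entry has a body that
    begins with a second '=', so it fails the hex check here instead of
    being silently shortened to "" by a split that keeps the last field.
    """
    line = line.strip()
    if not line:
        return None
    if "=" not in line:
        raise BadSignature("no '=' separator: %r" % line)
    name, body = line.split("=", 1)
    name = name.strip()
    if not name:
        raise BadSignature("empty signature name: %r" % line)
    if not HEX_BODY.match(body):
        raise BadSignature("%s: body is not an even-length hex string "
                           "(starts %r)" % (name, body[:12]))
    return name, body.lower()


def db_line_ok(line):
    """True if parse_db_line accepts the line (blank lines count as ok)."""
    try:
        parse_db_line(line)
        return True
    except BadSignature:
        return False


def merge_db(lines):
    """Parse every line of one or more .db files.

    Returns (signatures, errors) as two lists; errors holds (line_no, reason).
    A merge that is short one signature is far safer than one that contains
    an empty pattern matching every message, so callers should refuse to
    write the merged file while errors is non-empty.
    """
    signatures, errors = [], []
    for lineno, raw in enumerate(lines, 1):
        try:
            parsed = parse_db_line(raw)
        except BadSignature as exc:
            errors.append((lineno, str(exc)))
            continue
        if parsed is not None:
            signatures.append(parsed)
    return signatures, errors


def hex_body_as_utf16(hex_body):
    """Decode a hex body as UTF-16LE text (how the Lowzones entry is encoded)."""
    return bytes.fromhex(hex_body).decode("utf-16-le")


# Hex body exactly as quoted in the post, split where the decoded text breaks.
LOWZONES_HEX = (
    "530065007400740069006e00670073005c005a006f006e00650073005c0034005d000d000a00"  # Settings\Zones\4]\r\n
    "2200310030003000310022003d00640077006f00720064003a00300030003000300030003000300033000d000a00"  # "1001"=dword:00000003\r\n
    "2200310030003000340022003d00640077006f00720064003a00300030003000300030003000300033000d000a00"  # "1004"=dword:00000003\r\n
    "220031003200"  # "12 (entry is truncated in the post)
)

# Constructed sample .db content: two made-up good entries around the bad one.
SAMPLE_DB = [
    "Example.Constructed.A=4d5a9000",
    "",
    "WinREG.Lowzones.A (Clam)==" + LOWZONES_HEX,  # the update-756 line, as assumed
    "Example.Constructed.B=deadbeef",
]

if __name__ == "__main__":
    sigs, errs = merge_db(SAMPLE_DB)
    print("accepted:", [name for name, _ in sigs])
    for lineno, reason in errs:
        print("rejected line %d: %s" % (lineno, reason))
    print("decoded body:", repr(hex_body_as_utf16(LOWZONES_HEX)))
```

Run as a script it accepts the two constructed entries, reports line 3 as "body is not an even-length hex string", and prints the decoded registry text. The point of `merge_db` returning errors rather than dropping bad lines is that the merged file should not be installed while any line failed: a silently dropped signature means one missed detection, an empty pattern means every message is flagged.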


tkojm at clamav

Mar 10, 2005, 10:54 AM

Post #2 of 2 (688 views)
Re: WinREG.Lowzones.A from Daily upd. 756 [In reply to]

On Thu, 10 Mar 2005 19:40:54 +0100
Steffen Winther Soerensen <clamav [at] siimnet> wrote:

> I'm using clamav with a messagewall MTA and run freshclam 0.83 to get
> updates of main.cvd & daily.cvd, to convert to messagewall format I

If that software only supports old *.db ClamAV signatures you will miss
recent malware. Also many of the old format signatures will not be
usable since they have been created only against unpacked (de{UPX, FSG,
Petite}ed) data and require libclamav's internal decompressors.

> run a perl script buildpattern.pl, which uses sigtool 0.83 to unpack
> the .cvd files and merge them.
>
> I started seen this in the daily.db since the Daily update 756:
>
> mh4:/tmp> grep == daily.db
> WinREG.Lowzones.A
> (Clam)==530065007400740069006e00670073005c005a006f006e00650073005c003
> 4005d000d000a002200310030003000310022003d00640077006f00720064003a0030
> 0030003000300030003000300033000d000a002200310030003000340022003d00640
> 077006f00720064003a00300030003000300030003000300033000d000a0022003100
> 3200

That's a typo and will be fixed in one of the next updates.

--
oo ..... Tomasz Kojm <tkojm [at] clamav>
(\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg
\..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Thu Mar 10 19:49:49 CET 2005
