d.shrimpton at its
May 2, 2008, 4:12 AM
Post #3 of 5
(53 views)
Permalink
|
|
Re: viruses in comments in scripts not detected by 0.93
[In reply to]
|
|
A signature that detects WScr.Unsafe.D under 0.93 is below
HTML.WScr.Unsafe.D:3:*:22293b7362663d666c2e737562666f6c646572733b666f72287661726d79653d6e6577656e756d657261746f7228736266293b216d79652e6174656e6428293b6d79652e6d6f76656e6578742829296964643d6d79652e6974656d28293b6964733d6e65
create by:
0. Get main.db from main.cvd with sigtool --unpack
grep WScr.Unsafe.D in main.db
remove the label leaving only the hex
1. reverse the hex to get the partial script text eg
cat the hex | perl -ne 'chomp;print pack("H*",$_)'
2. wrap the script text with <HTML><SCRIPT><!-- --></SCRIPT></HTML>
to convince sigtool it is html
(should also work without the SCRIPT or comment)
3. normalize the html with
sigtool --html-normalise
4. remove tags (ie <html><script><!-- --></script></html>
from nocomment.html
5. create a hex signature from the result
eg sigtool --hex-dump
6. create a .ndb database file by adding a name, type and offset
(use sigtool --list to make sure the name you choose doesn't clash
with an existing one. Also choose a name you think won't clash with
a future clamav signature name )
On Fri, 2 May 2008, David Shrimpton wrote:
> Thanks,
>
> This quote from the bugzilla posts is quite amusing:
>
> "As for the official clamav signatures, please stand assured that when the new
> code will be in the stable release, all the broken signatures will be properly
> fixed."
>
>
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
|
