Mailing List Archive: ClamAV: users

Probably false-positive Exploit.MS04_028-4 reported



henri at nerv

Feb 10, 2012, 3:53 AM

Post #1 of 2 (411 views)
Probably false-positive Exploit.MS04_028-4 reported

I just reported a sample as a false positive, which is detected as Exploit.MS04_028-4. This picture is generated by a web-camera with SHA1 d7ad16339fbf5d2b193bb4df7299c6f3da20c0b8 and I do have another file, which was detected with the same malware name at 2012-01-25 with SHA1 cb446b3002f39b250abb5a3eaec8e59e46b4b9e2, but it is not detected anymore by ClamAV. This web-camera is used in Tampere, Finland to record the city and our shell-user is using crontab to create videos like this: http://vimeo.com/35187490

Please notify me as soon as possible if you think this is a malicious file and I can try to contact the web-camera owner and/or vendor. Related to this: http://technet.microsoft.com/en-us/security/bulletin/ms04-028

If you know similar cases, have/need more information about this or want the samples please contact me. I am happy to help!

Using ClamAV 0.97.3/14426/Fri Feb 10 07:15:20 2012 with signatures:
ClamAV update process started at Fri Feb 10 12:57:10 2012
main.cld is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
daily.cld is up to date (version: 14426, sigs: 91708, f-level: 63, builder: guitar)
bytecode.cld is up to date (version: 167, sigs: 40, f-level: 63, builder: edwin)

- Henri Salo
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
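Before deciding whether a detection like this is a false positive, it helps to check the file for the structural defect MS04-028 describes: a JPEG segment whose 2-byte length field is below 2, which GDI+ mishandled when it subtracted the length's own two bytes. The following is an added triage example, not code from the thread and not ClamAV's signature logic (what the Exploit.MS04_028-4 signature actually matches is not stated on the page). It walks the marker segments of a JPEG and reports any segment with such a length, and it generalises the check to every variable-length segment rather than only the COM segment, since a length below 2 is invalid for all of them. The sample images are constructed in the block.

```python
import hashlib
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
SOS = 0xDA
COM = 0xFE


def segment(marker: int, payload: bytes) -> bytes:
    """Build a JPEG marker segment; the 2-byte length counts itself plus the payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample inputs (not the files from the thread): a minimal well-formed
# skeleton and one whose COM segment carries a length field of 1, the MS04-028 shape.
GOOD_JPEG = SOI + segment(COM, b"webcam 2012-02-10") + segment(0xDB, b"\x00" * 65) + EOI
BAD_JPEG = SOI + b"\xff\xfe\x00\x01" + b"webcam" + EOI


def walk_segments(data: bytes):
    """Yield (offset, marker, declared_length) for each marker segment.

    Stops at SOS, because entropy-coded data without a length follows it,
    and at the first segment whose length is invalid, because no further
    segment boundary can be trusted after that point.
    """
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker byte 0xFF at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI carries no length field
            yield pos, marker, None
            return
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        length = struct.unpack(">H", data[pos + 2 : pos + 4])[0]
        yield pos, marker, length
        if marker == SOS or length < 2:
            return
        pos += 2 + length


def find_malformed_lengths(data: bytes) -> list[int]:
    """Return offsets of segments whose length field is below 2 (structurally invalid)."""
    return [off for off, _marker, length in walk_segments(data)
            if length is not None and length < 2]


def triage(data: bytes) -> dict:
    """Summarise a flagged image: SHA1 (as used in the thread) and any malformed segments."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "malformed_offsets": find_malformed_lengths(data),
    }


if __name__ == "__main__":
    for name, blob in (("good", GOOD_JPEG), ("bad", BAD_JPEG)):
        print(name, triage(blob))
```

If a flagged image walks cleanly to EOI with no malformed length, the MS04-028 condition is absent and a false-positive submission is well supported; if it reports a malformed offset, the file genuinely has the shape the bulletin describes, whatever produced it.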


henri at nerv

Mar 16, 2012, 12:22 AM

Post #2 of 2 (353 views)
Re: Probably false-positive Exploit.MS04_028-4 reported [In reply to]

On Fri, Feb 10, 2012 at 01:53:26PM +0200, Henri Salo wrote:
> I just reported a sample as a false positive, which is detected as Exploit.MS04_028-4. This picture is generated by a web-camera with SHA1 d7ad16339fbf5d2b193bb4df7299c6f3da20c0b8 and I do have another file, which was detected with the same malware name at 2012-01-25 with SHA1 cb446b3002f39b250abb5a3eaec8e59e46b4b9e2, but it is not detected anymore by ClamAV. This web-camera is used in Tampere, Finland to record the city and our shell-user is using crontab to create videos like this: http://vimeo.com/35187490

Just a follow-up that this has been changed in the fingerprints to be a false-positive detection. Please do contact me and send a submission if you see similar files flagged as infected.

- Henri Salo