
Mailing List Archive: ClamAV: users

signature W95/Elkern

 

 



frost at rzw

Aug 14, 2003, 7:05 AM

Post #1 of 6 (384 views)
Permalink
signature W95/Elkern

Hi,
is there anyone who is able to check a signature in a Windows exe file?
ClamAV rejects mails because it finds W95/Elkern; CAI and trend-micro don't
find anything. And now? ...

TNX!

regards

Juergen Frost

--
r.z.w. cimdata AG
Zum Hospitalgraben 2
99425 Weimar
Tel: +49 (0) 3643 8640 0
Fax: +49 (0) 3643 8640 99
Web: http://www.rzw.de


tomek-clam-users at lodz

Aug 14, 2003, 7:18 AM

Post #2 of 6 (377 views)
Permalink
Re: signature W95/Elkern [In reply to]

On Thu, 14 Aug 2003 at 15:45:28 +0200, frost [at] rzw wrote:
> Hi,
> is there anyone who is able to check a signature in a Windows exe file?
> ClamAV rejects mails because it finds W95/Elkern; CAI and trend-micro don't
> find anything. And now? ...
>
> TNX!
> regards
> Juergen Frost

You can send this .exe to me (zipped with password "virus"). I'll check
it with other scanners.

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
tomek [at] lodz http://www.lodz.tpsa.pl/ | ones and zeros.


tomek-clam-users at lodz

Aug 14, 2003, 8:46 AM

Post #3 of 6 (371 views)
Permalink
Re: signature W95/Elkern [In reply to]

On Thu, 14 Aug 2003 at 16:12:39 +0200, Tomasz Papszun wrote:
> On Thu, 14 Aug 2003 at 15:45:28 +0200, frost [at] rzw wrote:
> > Hi,
> > is there anyone who is able to check a signature in a Windows exe file?
> > ClamAV rejects mails because it finds W95/Elkern; CAI and trend-micro don't
> > find anything. And now? ...
> >
> > TNX!
> > regards
> > Juergen Frost
>
> You can send this .exe to me (zipped with password "virus"). I'll check
> it with other scanners.
>

I'm confirming it.
I've just checked the file kindly sent to me by Juergen Frost.

3 other scanners (sophos, drweb, mks_vir) do _not_ detect a virus in
this .exe. Only clamav does detect infection.
So, these 3 with previous 2 (CAI, trend-micro) give 5:1 votes versus
clamav ;-) . Probably we've got an imprecise signature.

I'll forward this "false-positive" .exe to Tomasz Kojm.

Thank you for letting us know, Juergen!

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
tomek [at] lodz http://www.lodz.tpsa.pl/ | ones and zeros.


da at softcom

Aug 14, 2003, 10:03 AM

Post #4 of 6 (373 views)
Permalink
RE: signature W95/Elkern [In reply to]

I have checked the sample with Trend, Kaspersky and McAfee. They all
report "no virus found". ClamAV finds W95/Elkern.

When executing the binary I get a dialog telling me a DLL is missing. The
binary does nothing harmful to the PC as far as I can see (it drops no files
and doesn't alter the registry).

This looks like a false positive. If someone has a copy of the real
Elkern virus, a new signature could be created.

This mail covers submission 197.

Best regards,
Diego d'Ambra


-----Original Message-----
From: frost [at] rzw [mailto:frost [at] rzw]
Sent: 14. august 2003 15:45
To: clamav-users [at] lists
Subject: [Clamav-users] signature W95/Elkern


Hi,
is there anyone who is able to check a signature in a Windows exe file?
ClamAV rejects mails because it finds W95/Elkern; CAI and trend-micro don't
find anything. And now? ...

TNX!

regards

Juergen Frost

--
r.z.w. cimdata AG
Zum Hospitalgraben 2
99425 Weimar
Tel: +49 (0) 3643 8640 0
Fax: +49 (0) 3643 8640 99
Web: http://www.rzw.de




tk at mat

Aug 14, 2003, 10:24 AM

Post #5 of 6 (370 views)
Permalink
Re: signature W95/Elkern [In reply to]

On Thu, 14 Aug 2003 18:21:50 +0200
"Diego d'Ambra" <da [at] softcom> wrote:

> I have checked the sample with Trend, Kaspersky and McAfee. They all
> report "no virus found". ClamAV finds W95/Elkern.

I don't know who has submitted the signature (unfortunately I don't have
this virus in my archives), but it comes from the File::Scan database,
which also detects the virus. File::Scan signatures in most cases only
use plain text identities and thus cause false positive alerts. Maybe
somebody can submit the Elkern virus?

Best regards,
Tomasz Kojm
--
oo ..... zolw [at] konarski
(\/)\......... http://www.konarski.edu.pl/~zolw
\..........._ I nie zapomnij kliknac w brzuszek...
//\ /\\ <- C. Amboinensis www.pajacyk.pl
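
Added example, not part of the original thread and not ClamAV or File::Scan code: a minimal substring scanner illustrating the point in the message above, that a signature made only of plain text also matches clean files containing the same string. The signature names, hex patterns and sample bytes are all constructed for this illustration; the `Name=HexSignature` layout follows ClamAV's legacy plain signature database style.

```python
import string

# Constructed database in "Name=HexSignature" form (not real signatures).
# Example.TextOnly is just the ASCII string "Kernel32";
# Example.Mixed anchors the same text between non-text bytes.
SIG_DB = """\
Example.TextOnly=4b65726e656c3332
Example.Mixed=00ff10a44b65726e656c3332c3
"""

# Constructed sample buffers: a clean file that merely names a system DLL,
# and a buffer that carries the full mixed byte sequence.
BENIGN = b"MZ\x90\x00" + b"\x00" * 8 + b"LoadLibraryA\x00Kernel32.dll\x00"
MATCH_BOTH = b"\x90\x90" + bytes.fromhex("00ff10a44b65726e656c3332c3")

PRINTABLE = set(string.printable.encode())


def load_signatures(text):
    """Parse Name=Hex lines into {name: pattern bytes}, skipping blanks."""
    sigs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        name, hexsig = line.split("=", 1)
        sigs[name] = bytes.fromhex(hexsig)
    return sigs


def scan(data, sigs):
    """Return the sorted names of all signatures found in data."""
    return sorted(name for name, pat in sigs.items() if pat in data)


def text_only(sigs):
    """Signatures whose every byte is printable ASCII (false-positive prone)."""
    return sorted(n for n, p in sigs.items() if all(b in PRINTABLE for b in p))


def fp_candidates(data, sigs):
    """Hits to review by hand: a detection resting only on text-only signatures."""
    hits = scan(data, sigs)
    weak = set(text_only(sigs))
    return hits if hits and all(h in weak for h in hits) else []
```

Running `text_only` over a signature database before deployment gives a review list of entries likely to flag clean executables.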


stephen-clamav at earth

Aug 15, 2003, 12:32 AM

Post #6 of 6 (370 views)
Permalink
Re: signature W95/Elkern [In reply to]

---- Original Message ----
> From Tomasz Kojm <tk [at] mat>
> Date: Thursday, 14 Aug 2003, 18:23
>
> I don't know who has submitted the signature (unfortunately I don't have
> this virus in my archives), but it comes from the File::Scan database,
> which also detects the virus. File::Scan signatures in most cases only
> use plain text identities and thus cause false positive alerts. Maybe
> somebody can submit the Elkern virus?

I'm rather busy, but I've put a copy of the virus at
http://trillian.earth.li/Elkern.C for the benefit of anybody that wants
to have a go at creating a new signature for this.

--
Stephen White \ Oxford University Computing Society
System Administrator \ http://ox.compsoc.net/~swhite/
PGP Key ID: 0xC79E5B6A \ <swhite [at] ox>
