On Thu, 2004-10-21 at 14:48, Bogusław Brandys wrote:
Hello,
Could someone explain why there are sometimes a few signatures for one malware? Does it mean that the malware has a small change and that these are MD5 signatures?
Well, it depends what the signature is for.
Today, for example, there was a submission of
HTML.Phishing.Auction-1
HTML.Phishing.Auction-2
HTML.Phishing.Bank-5
HTML.Phishing.Bank-6
These are different signatures (non MD5 in this case) for different instances of phishing emails. So I wouldn't really call that malware.
So it is harmless?
You'll see a lot of sigs like Dialer-135, just because there are a large number of these types of malware, and it's a pain to invent names for them all :-) Occasionally you'll see sigs like Worm.Bagle.AG.2, which may be a second signature to match a different instance of the same malware.
I was worrying about too many signatures, and thought that for each small change in the malware body a new signature was created ;-)
Now I know.
Regards Boguslaw Brandys
_______________________________________________ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
