Hi,
I just made some experiments with ClamAV (0.80 and CVS) and the recent
Worm.Sober.I on my NetBSD/amd64 workstation, and noticed strange
results about UPX support.
[EMAIL PROTECTED] [virus/xx]> clamscan -V
ClamAV devel-20041119/594/Fri Nov 19 11:06:44 2004
[EMAIL PROTECTED] [virus/xx]> clamscan --no-summary spidernet.scr
spidernet.scr: Worm.Sober.I FOUND
But when I try to unpack the worm with `upx', clamscan does not report
an infected file anymore:
[EMAIL PROTECTED] [virus/xx]> upx -d spidernet.scr
Ultimate Packer for eXecutables
Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002
UPX 1.24 Markus F.X.J. Oberhumer & Laszlo Molnar Nov 7th 2002
File size Ratio Format Name
-------------------- ------ ----------- -----------
87016 <- 56808 65.28% win32/pe spidernet.scr
Unpacked 1 file.
[EMAIL PROTECTED] [virus/xx]> clamscan --no-summary spidernet.scr
spidernet.scr: OK
Likewise if I try to compress it again with upx:
[EMAIL PROTECTED] [virus/xx]> upx spidernet.scr
Ultimate Packer for eXecutables
Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002
UPX 1.24 Markus F.X.J. Oberhumer & Laszlo Molnar Nov 7th 2002
File size Ratio Format Name
-------------------- ------ ----------- -----------
87016 -> 57832 66.46% win32/pe spidernet.scr
Packed 1 file.
[EMAIL PROTECTED] [virus/xx]> clamscan --no-summary spidernet.scr
spidernet.scr: OK
In the meantime, the 3 versions are successfully detected by NAV as
[EMAIL PROTECTED]
Thanks in advance,
Regards.
--
Nicolas Joly
Biological Software and Databanks.
Institut Pasteur, Paris.