On Tue, 12 Jul 2005 [EMAIL PROTECTED] wrote:
I'm searching for the Worm.Zafi.D virus signature at
http://clamav-du.securesites.net/cgi-bin/clamgrok
and the result is:
3cd737e20dbe4c89e12971cabe630cbfa20bbb20b55db63445b2b80a2009c8f0b6a0939053458122fb228252a38d14a1920a4155231dc4ef0f64308d6a19e82f0310e7f6148bc5c251e829d6d48a0a68763e35dc6321a375469430ac0c04663df92a8107e2d9f998a01ddc4c8196cc23
When I save the result to a text file and scan it with another virus
scanner it says no virus found, but if I download a text file containing
Eicar, my scanner detects it as Eicar.
Is the Worm.Zafi.D signature not the same as eicar?

Hint: What happens when you extract the signature for eicar?
The signatures aren't stored in binary form, but rather as the hex
encodings of the binary. This way, the signature database doesn't set
off lots of alarms with AV software. If you want to construct a file
to detect that signature, do this:
echo
3cd737e20dbe4c89e12971cabe630cbfa20bbb20b55db63445b2b80a2009c8f0b6a0939053458122fb228252a38d14a1920a4155231dc4ef0f64308d6a19e82f0310e7f6148bc5c251e829d6d48a0a68763e35dc6321a375469430ac0c04663df92a8107e2d9f998a01ddc4c8196cc23
| xxd -r -p > infected.bin
(all as one line, of course)
Damian Menscher
--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
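
Added example (not part of the original thread and not ClamAV's own code): a small Python matcher showing why the hex text saved to a file does not trigger a scanner while the decoded bytes do. It goes beyond the plain hex in the thread by handling a subset of ClamAV's hex-signature wildcards (??, * and {n}); SAMPLE_SIG is a constructed signature and the function names are hypothetical.

```python
import re

# Constructed sample signature (not a real ClamAV entry): "TEST" + any byte + "SIG".
SAMPLE_SIG = "54455354??534947"

_TOKEN = re.compile(r"\?\?|\*|\{(\d+)\}|[0-9a-fA-F]{2}")

def compile_sig(hex_sig: str) -> re.Pattern:
    """Turn a hex body signature into a bytes regex.

    Supports plain hex pairs plus a subset of ClamAV wildcards:
    ?? (any one byte), * (any run of bytes), {n} (exactly n bytes).
    """
    parts, pos = [], 0
    while pos < len(hex_sig):
        m = _TOKEN.match(hex_sig, pos)
        if m is None:
            raise ValueError(f"bad signature token at offset {pos}")
        tok = m.group(0)
        if tok == "??":
            parts.append(b".")
        elif tok == "*":
            parts.append(b".*")
        elif tok.startswith("{"):
            parts.append(b".{%d}" % int(m.group(1)))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
        pos = m.end()
    return re.compile(b"".join(parts), re.DOTALL)

def scan(hex_sig: str, data: bytes) -> bool:
    """True if the decoded signature occurs anywhere in data."""
    return compile_sig(hex_sig).search(data) is not None

def build_test_file(hex_sig: str, fill: int = 0x41) -> bytes:
    """Bytes that match hex_sig: the `xxd -r -p` step, with wildcards filled in."""
    compile_sig(hex_sig)  # validate the signature text first
    out = bytearray()
    for m in _TOKEN.finditer(hex_sig):
        tok = m.group(0)
        if tok == "??":
            out.append(fill)
        elif tok.startswith("{"):
            out.extend([fill] * int(m.group(1)))
        elif tok != "*":
            out.extend(bytes.fromhex(tok))
    return bytes(out)
```

scan(SAMPLE_SIG, SAMPLE_SIG.encode()) is the "saved the hex to a text file" case from the question; scan(SAMPLE_SIG, build_test_file(SAMPLE_SIG)) is the decoded-binary case from the reply.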