Oh! I missed my actual question! :-) Is this expected behavior, i.e. a limitation with making your own simple MD5-based sigs?
Jason Haar wrote:
> Hi there
>
> The new W32/Nyxem-D virus seems to escape clamav fairly well.
>
> It comes in as a .HQX or .MIM attachment - which is base64 encoded.
> However, the resultant HQX/MIM file is actually a UUENCODED file (that
> WinXP at least auto-supports).
>
> I uudecoded it and wrote my own signature for the resulting executable
> using "sigtool --md5" (you have to do it against the exe - it's always
> the same size, whereas the uuencoded files have different sizes based on
> what random filename they chose when generated). After that Clamav
> detects the virus in the executable just fine - but can't catch it
> within either the uuencoded attachment, or the raw email itself.
>
> "clamscan --verbose --debug file.eml" shows it loading the homemade
> signature, but shows no reference to uudecoding.
>
> I have just uploaded it via the submission form.
>
> Thanks!
>

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
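The behavior described in the message above, as an added example that is not part of the original thread: a whole-file MD5 signature matches only the exact decoded bytes, so a scanner has to uudecode the attachment before hashing. The payload bytes, the filenames and the helper names (`uuencode`, `uudecode`, `matches`, `demo`) are constructed for illustration.

```python
import binascii
import hashlib

def uuencode(payload: bytes, filename: str) -> bytes:
    """Wrap payload in a uuencode container: begin line, 45-byte rows, end."""
    lines = [f"begin 644 {filename}\n".encode()]
    for i in range(0, len(payload), 45):
        lines.append(binascii.b2a_uu(payload[i:i + 45]))
    return b"".join(lines + [b"`\n", b"end\n"])

def uudecode(container: bytes) -> bytes:
    """Recover the bytes between the 'begin' and 'end' lines."""
    out, inside = [], False
    for line in container.splitlines():
        if line.startswith(b"begin "):
            inside = True
        elif line == b"end":
            break
        elif inside and line:
            out.append(binascii.a2b_uu(line))
    return b"".join(out)

def matches(sig_md5: str, data: bytes) -> bool:
    """Whole-file MD5 comparison: any differing byte means no match."""
    digest = hashlib.md5(data, usedforsecurity=False).hexdigest()
    return digest == sig_md5

def demo() -> dict:
    # Constructed stand-in for the executable; not a real sample.
    payload = b"MZ" + bytes(range(256)) * 4
    # Signature taken over the decoded executable, as in the message.
    sig = hashlib.md5(payload, usedforsecurity=False).hexdigest()
    results = {}
    # Constructed attachment names of different lengths.
    for name in ("photo.hqx", "attachment.mim"):
        container = uuencode(payload, name)
        results[name] = (
            len(container),                     # varies with the filename
            matches(sig, container),            # hashing the raw container
            matches(sig, uudecode(container)),  # hashing after uudecoding
        )
    return results

if __name__ == "__main__":
    for name, (size, raw_hit, decoded_hit) in demo().items():
        print(f"{name}: size={size} raw={raw_hit} decoded={decoded_hit}")
```

Each container has a different size and hash because the filename is embedded in the `begin` line, while the decoded payload is byte-identical in both cases.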