Diego d'Ambra wrote:
> Erik Corry wrote:
>> On Wed, Jan 25, 2006 at 01:19:58PM -0500, Mike Robinson wrote:
>> > Erik Corry wrote:
>> > >
>> > > The following signature seems to detect the Mytob variants on my system:
>> > >
>> > > Suspicious.HTML.javascript2=756e6573636170652822253636
>> > >
>> > > Put it in a file called local.db in the same directory as your main.cvd
>> > > and daily.cvd files. It searches for the string:
>> > >
>> > > unescape ("%66
>> > >
>> > > (only without the space) in a mail, so it will get some false positives.
>> > > Here is the rule that I have made for this new mytob variant.
>> >
>> > This needs to go into a .ndb file in the same directory. It actually
>> > detects a hex string from the included .pif file...no false positives
>> > from it...
>>
>
> I haven't seen any Feebs variants using a .pif file - only emails with
> a zip archive containing a .hta file.
>
>> >
>> Worm.Mytob.ZZZ:0:*:1c4f74750d4ae0497e7f0f54f4537879115ef85d42435058cc274c4d5c22d0215657a32ca42b50518636a8355a5b1d:0
>>
>>
>
> From the samples (feebs-a, feebs-b, feebs-c) I've access to, that
> signature unfortunately isn't detecting any.
>
> Could you explain what you're matching, thanks.
I'm not matching feebs...I'm matching a Mytob variant...I'm matching the .pif in the zip files...the trailing hex from that...

>
>> Sorry, the signature I posted above is for undetected Feebs variants. I
>> got my viruses mixed up.
>>
>
> Best regards,
> Diego d'Ambra
> ------------------------------------------------------------------------
>
> _______________________________________________
> http://lurker.clamav.net/list/clamav-users.html
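An added example (not from the thread and not ClamAV's own code) showing how the two signature formats discussed above are put together: the `.db` line is a name plus a hex-encoded byte string matched anywhere in the file, and the `.ndb` line carries a name, target type, offset and hex pattern. It decodes Erik's `local.db` entry back to the `unescape("%66` string he describes, parses Mike's `.ndb` line, and runs both over a constructed sample; real ClamAV also unpacks archives, normalises HTML and supports wildcards, none of which is modelled here.

```python
from dataclasses import dataclass
from typing import List, Optional

# The two signature lines quoted in the thread above.
DB_LINE = "Suspicious.HTML.javascript2=756e6573636170652822253636"
NDB_LINE = ("Worm.Mytob.ZZZ:0:*:1c4f74750d4ae0497e7f0f54f4537879115ef85d"
            "42435058cc274c4d5c22d0215657a32ca42b50518636a8355a5b1d:0")

@dataclass
class Sig:
    name: str
    target: int               # .ndb target type; 0 = any file (.db lines treated as 0 here)
    offset: str               # "*" = anywhere, otherwise a decimal byte offset
    pattern: bytes            # decoded hex signature
    min_fl: Optional[int] = None   # optional MinFL field of .ndb lines

def parse_db(line: str) -> Sig:
    """Parse a legacy .db line: Name=HexString (matched anywhere in the file)."""
    name, sep, hexsig = line.strip().partition("=")
    if not sep or not name:
        raise ValueError(f"not a .db signature: {line!r}")
    return Sig(name, 0, "*", bytes.fromhex(hexsig))

def parse_ndb(line: str) -> Sig:
    """Parse an .ndb line: Name:TargetType:Offset:HexSig[:MinFL[:MaxFL]]."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError(f"not an .ndb signature: {line!r}")
    name, target, offset, hexsig = fields[:4]
    min_fl = int(fields[4]) if len(fields) > 4 and fields[4] else None
    return Sig(name, int(target), offset, bytes.fromhex(hexsig), min_fl)

def hexsig_for(text: str) -> str:
    """Encode a plain string the way these signature files expect it (hex bytes)."""
    return text.encode("latin-1").hex()

def matches(sig: Sig, data: bytes) -> bool:
    """Plain byte comparison honouring the offset field; no ClamAV wildcards."""
    if sig.offset == "*":
        return sig.pattern in data
    off = int(sig.offset)
    return data[off:off + len(sig.pattern)] == sig.pattern

def scan(sigs: List[Sig], data: bytes) -> List[str]:
    """Names of every signature that hits in the data."""
    return [s.name for s in sigs if matches(s, data)]

# Constructed sample mail body (not a real Mytob/Feebs message) and the loaded signature set.
SAMPLE_MAIL = b'<html><script>var x = unescape("%66oo");</script></html>'
SIGS = [parse_db(DB_LINE), parse_ndb(NDB_LINE)]
```

`scan(SIGS, SAMPLE_MAIL)` reports only the `.db` string match, which is exactly the false-positive surface Erik warns about: any mail carrying that JavaScript fragment hits, not just Mytob.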