On 11/8/10 12:43 AM, "Al Varnell" <[email protected]> wrote:
> A ClamXav user asked if the detection of the Exploit.PDF.Gen in a couple of
> his files was a False Positive. One of the files was the clamav 0.96.2
> engine installer that comes with the previous version of ClamXav. The other
> was found in an admin php file in his MAMP installation (tcpdf.php).
>
> I pulled out my copy of the old installer and confirmed the finding.
>
> Here's an extract of the log from yesterday's cdiff update:
>
>> Author: Robert Scroggins
>> Date: 2010-11-07 17:40 -800
>> To: clamav-virusdb
>> Subject: [clamav-virusdb] Update (daily: 12214)
>> ClamAV database updated (07 Nov 2010 20-39 -0500): daily.cvd
>> Version: 12214
>> ...
>> Submission-ID: 18136333
>> Sender: Virus Total
>> Sender: Henry Hertz Hobbit
>> Sender: ShadowServer
>> Sender: Ken Dunham
>> Added: Exploit.PDF.Gen
>> Virus name alias: Exploit.JS.Pdfka.cuk (Kaspersky)
>
> The ASCII signature it's looking for is:
>> %PDF-????f?67&???/JavaScript????f?67&???
>
> Kind of a sneaky way to get folks to update their software ;-)
>

Never mind. Update 12215 apparently pulled it.

-Al-
--
Al Varnell
Mountain View, CA
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
