On May 13, 2013, at 9:47 AM, Lee Graber <[email protected]> wrote:
> I am investigating a document which seems to be getting flagged by clamav
> as having a virus but I am not sure this is accurate. It is actually a
> document about a virus and I am wondering if there is something in it that
> perhaps describes the virus and so is getting flagged.
It wouldn't be the first time this has happened.
Here are some details on what's being found:
> VIRUS NAME: Exploit.IFrame.Gen (Clam)
> DECODED SIGNATURE:
> iframe
> src={WILDCARD_ANY_STRING(LENGTH<=4096)}cid:{WILDCARD_ANY_STRING(LENGTH<=8192)}height={WILDCARD_ANY_STRING(LENGTH<=4096)}
>
> width={WILDCARD_ANY_STRING(LENGTH<=1024)}/iframe{WILDCARD_ANY_STRING(LENGTH<=4096)}/BODY></HTML>{WILDCARD_ANY_STRING(LENGTH<=512)}Content-{WILDCARD_IGNORE}ype:
> a
which I see on page 5.
The definition has been in the database since 2003.
-Al-
--
Al Varnell
Mountain View, CA
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
