On Wed, Jun 01, 2016 at 09:41 PM, Raphaël wrote:
>
> Hi,
>
> One of my teammates recently got notified about (more) trojans since the 21640
> update
> http://lists.clamav.net/pipermail/clamav-virusdb/2016-May/002964.html
>
> A derived version of jquery-1.2.6.pack.js now matches a known signature:
>
> # download original JQ
> $ wget http://code.jquery.com/jquery-1.2.6.pack.js
>
> # play with whitespace to match SVN raw file
> $ sed -r -e 1i$'\x0a' -e '/Date:|Rev:/s/ \$$//' -e '/Date:|Rev:/s/\$//' \
>     jquery-1.2.6.pack.js > jquery-1.2.6.pack.mod.js
>
> $ clamscan jquery-1.2.6.pack.mod.js
> Win.Trojan.Agent-1430626 FOUND

The signature is an MD5 hash value, so not necessarily associated with javascript, but see VT reference below.

> Given the importance of today's (closed-source) javascript in computing
> tasks that makes sense. But I fear this wasn't expected.
>
> Out of curiosity, how/who/why does it come from?

Where does what come from, the signature? If so, the clamav signature writing team, who may have gotten it from VirusTotal here:
<https://www.virustotal.com/en/file/b715dac714bcd5d1e989f4cc3621b8274b3a8fdebb52fc70e07ba91072bcef59/analysis/>

Appears to have been submitted multiple times since Nov 2011. One comment indicates that it might be PUA and "the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat." Votes are 3 to 1 malicious, but I'm not sure why.

> How many such false positives does the DB possibly contain already?

Probably a lot, but we'll never know unless users like you and I submit them as a False Positive Report:
<http://www.clamav.net/reports/fp>

-Al-
--
Al Varnell
Mountain View, CA
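Because the signature is an MD5 hash, the whitespace sensitivity Raphaël ran into is easy to reproduce offline. The Python below is an added example, not code from this thread or from ClamAV: it builds a hash signature in the layout of a ClamAV .hdb line (MD5:FileSize:MalwareName) from a constructed, jQuery-like sample, mirrors the sed transformation from the post in Python, and shows that only the byte-exact variant is detected. The sample header bytes, the signature name Test.Constructed.Hash-1 and every helper name are assumptions made up for the example; the real Win.Trojan.Agent-1430626 hash is not used.

```python
import hashlib

# Constructed stand-in for jquery-1.2.6.pack.js as served by code.jquery.com:
# a comment header with expanded SVN keywords, then the packed body. This is
# not the real file, just a small byte string modelled on its header.
ORIGINAL = (
    b"/*\n"
    b" * jQuery 1.2.6 - New Wave Javascript\n"
    b" *\n"
    b" * $Date: 2008-05-24 14:22:17 -0400 (Sat, 24 May 2008) $\n"
    b" * $Rev: 5685 $\n"
    b" */\n"
    b"eval(function(p,a,c,k,e,r){return 'packed body'}())\n"
)


def svn_keyword_variant(data: bytes) -> bytes:
    """Python equivalent of the sed one-liner from the post: insert an empty
    first line, and on lines containing 'Date:' or 'Rev:' drop a trailing ' $'
    and then the first remaining '$', turning '$Rev: 5685 $' into 'Rev: 5685'.
    """
    out = [b""]                                  # sed '1i' with an empty text block
    for line in data.split(b"\n"):
        if b"Date:" in line or b"Rev:" in line:
            if line.endswith(b" $"):             # s/ \$$//
                line = line[:-2]
            line = line.replace(b"$", b"", 1)    # s/\$//
        out.append(line)
    return b"\n".join(out)


def hdb_entry(data: bytes, name: str) -> str:
    """Build a line in the layout of a ClamAV .hdb signature: MD5:FileSize:Name."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def parse_hdb(line: str):
    """Split an .hdb-style line into (md5, size, name)."""
    md5, size, name = line.strip().split(":", 2)
    return md5.lower(), int(size), name


def scan(data: bytes, sigs):
    """Return the name of the first signature whose size and MD5 both match,
    else None. The size field is checked first, as a cheap prefilter before
    hashing, which is why one extra byte is enough to miss."""
    digest = None
    for md5, size, name in sigs:
        if size != len(data):
            continue
        if digest is None:
            digest = hashlib.md5(data).hexdigest()
        if digest == md5:
            return name
    return None


# Assumed database entry (hypothetical name): made from the SVN-raw variant,
# the form of the file that ended up on VirusTotal, not from the canonical
# download.
SIGNATURES = [parse_hdb(hdb_entry(svn_keyword_variant(ORIGINAL), "Test.Constructed.Hash-1"))]


def demo():
    """Scan the canonical file, the sed-modified file, and the modified file
    with one extra trailing newline. Only the byte-exact variant is detected."""
    variant = svn_keyword_variant(ORIGINAL)
    return (
        scan(ORIGINAL, SIGNATURES),
        scan(variant, SIGNATURES),
        scan(variant + b"\n", SIGNATURES),
    )


if __name__ == "__main__":
    print(demo())
```

demo() returns None for the canonical download, the signature name for the sed-modified copy, and None again once a single newline is appended: a hash signature pins one exact byte sequence, so the hit on jquery-1.2.6.pack.mod.js says that the SVN-raw variant itself was what got submitted and hashed, not that the JavaScript is malicious. To check a real file against a real entry, `sigtool --md5 FILE` prints the same MD5:size:name layout for comparison with the database or the VirusTotal record.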
_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
