On Sun, December 25, 2016 10:40 am, Al Varnell wrote:

> A handful of ClamXav users can confirm the Firefox
> omni.ja:Win.Trojan.Toa-5370234-0. It also identified some Adobe products
> as infected when run through QA.
Firstly, Merry Christmas to all.

Onto the FPs... basically they are too generic... currently the reported FPs, when you decode them, are going to hit quite a few files.

    sigtool --find-sigs Win.Trojan.Toa-5370234-0 | sigtool --decode-sigs
    VIRUS NAME: Win.Trojan.Toa-5370234-0
    CONTAINER TYPE: CL_TYPE_ZIP
    CONTAINER SIZE: ANY
    FILENAME REGEX: [\W][a-z]{3,4}\.js$

    sigtool --find-sigs Win.Trojan.Toa-5372190-0 | sigtool --decode-sigs
    VIRUS NAME: Win.Trojan.Toa-5372190-0
    CONTAINER TYPE: CL_TYPE_ZIP
    CONTAINER SIZE: ANY
    FILENAME REGEX: [a-z]{8,30}\.exe$

    sigtool --find-sigs Win.Trojan.Toa-5371146-0 | sigtool --decode-sigs
    VIRUS NAME: Win.Trojan.Toa-5371146-0
    CONTAINER TYPE: CL_TYPE_ZIP
    CONTAINER SIZE: ANY
    FILENAME REGEX: ^[a-z]{3,7}\.exe$

    sigtool --find-sigs Win.Trojan.Toa-5370085-0 | sigtool --decode-sigs
    VIRUS NAME: Win.Trojan.Toa-5370085-0
    CONTAINER TYPE: CL_TYPE_ZIP
    CONTAINER SIZE: ANY
    FILENAME REGEX: ^[a-z]{2,12}\.exe$

They have hit a few in my ham folder too, e.g.:

    sanesecurity\ham\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370297-0

The good news is that the Toa-xxxxxxx sigs are hitting malware, e.g.:

    21_12_2016\IMG-20161221-WA9898.zip: Win.Trojan.Toa-5368799-0 FOUND

    sigtool --find-sigs Win.Trojan.Toa-5368799-0 | sigtool --decode-sigs
    VIRUS NAME: Win.Trojan.Toa-5368799-0
    CONTAINER TYPE: CL_TYPE_ZIP
    CONTAINER SIZE: ANY
    FILENAME REGEX: ^[A-Za-z0-9]{1,25}\.wsf$

Foxhole sigs are doing a similar thing but trying not to be too generic.

Right, off to carry on munching and playing with playdoh(tm) ;)

--
Cheers,
Steve
Twitter: @sanesecurity
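As an added example (not from the post or from ClamAV/Sanesecurity), the check below takes the decoded FILENAME REGEX fields quoted above and runs them over the member names of a zip container, which is what a CDB signature keys on. It uses a constructed stand-in for a benign Firefox omni.ja and for the .wsf sample, so it shows why a pattern like `[\W][a-z]{3,4}\.js$` fires on ordinary JavaScript bundles before the sig is deployed. It assumes Python's `re.search` approximates ClamAV's container regex matching for these simple patterns.

```python
import io
import re
import zipfile

# FILENAME REGEX fields exactly as decoded with sigtool in the post above.
TOA_FILENAME_REGEXES = {
    "Win.Trojan.Toa-5370234-0": r"[\W][a-z]{3,4}\.js$",
    "Win.Trojan.Toa-5372190-0": r"[a-z]{8,30}\.exe$",
    "Win.Trojan.Toa-5371146-0": r"^[a-z]{3,7}\.exe$",
    "Win.Trojan.Toa-5370085-0": r"^[a-z]{2,12}\.exe$",
    "Win.Trojan.Toa-5368799-0": r"^[A-Za-z0-9]{1,25}\.wsf$",
}


def cdb_filename_hits(zip_bytes, sigs):
    """Return {sig_name: [member paths matching that sig's FILENAME REGEX]}.

    Assumption: an unanchored re.search over each member path approximates
    how ClamAV applies a CDB FILENAME REGEX (ClamAV has its own regex engine).
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    hits = {}
    for sig, pattern in sigs.items():
        rx = re.compile(pattern)
        matched = [n for n in names if rx.search(n)]
        if matched:
            hits[sig] = matched
    return hits


def build_zip(members):
    """Build an in-memory zip from {path: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in members.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed stand-ins: a benign omni.ja-style bundle and a .wsf-in-zip sample.
BENIGN_OMNI_JA = build_zip({
    "chrome/browser/content/browser/tabbrowser.js": b"// benign",
    "modules/Services.jsm": b"// benign",
    "defaults/pref/all.js": b"// benign",  # "/all.js" satisfies [\W][a-z]{3,4}\.js$
})
MALICIOUS_SAMPLE = build_zip({"IMG20161221WA9898.wsf": b"<job/>"})  # constructed name

if __name__ == "__main__":
    print("benign bundle:", cdb_filename_hits(BENIGN_OMNI_JA, TOA_FILENAME_REGEXES))
    print("wsf sample:  ", cdb_filename_hits(MALICIOUS_SAMPLE, TOA_FILENAME_REGEXES))
```

Running a candidate sig over a local ham corpus this way (before it ships) is the cheap way to catch the over-generic patterns the post complains about.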