Al,

I think you are probably right looking at it.

> What kind of suggestion are you looking for?
>
> They appear to be three different iPhone/iPad/iPod applications.
> 
> The signatures were added to the ClamAV database on 1 Nov 2018.
> 
> I would have to guess it has something to do with this Talos article:
> 
> <https://blog.talosintelligence.com/2018/11/persian-stalker.html?utm_source=mosaicsecurity>
>  
> -Al-
> ClamXAV User

I would just add a way to find the decoded sig like last time this was asked.

~# sigtool --find-sigs Ios.Trojan.FakeTelegram-6736161-0 daily.cld | sigtool --decode-sigs
VIRUS NAME: Ios.Trojan.FakeTelegram-6736161-0
TDB: Engine:81-255,Target:0
LOGICAL EXPRESSION: 0&1&2
 * SUBSIG ID 0
 +-> OFFSET: 0
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
PK
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
begir
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
Info.plist

Eric Tykwinski
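
Added example (not part of the original message and not ClamAV code): a simplified Python sketch that parses the decoded output above and evaluates its three subsignatures against a raw buffer, to show what the rule requires of a file. It assumes AND-only logical expressions and does not reproduce how ClamAV itself scans; the function names and the sample buffer are constructed for illustration.

```python
import re

# Decoded signature text copied from the sigtool output in the message above.
DECODED = """\
VIRUS NAME: Ios.Trojan.FakeTelegram-6736161-0
TDB: Engine:81-255,Target:0
LOGICAL EXPRESSION: 0&1&2
 * SUBSIG ID 0
 +-> OFFSET: 0
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
PK
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
begir
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
Info.plist
"""

SUBSIG = re.compile(r"\* SUBSIG ID (\d+)\n \+-> OFFSET: (\S+)\n \+-> SIGMOD: (\S+)\n"
                    r" \+-> DECODED SUBSIGNATURE:\n(.*)")

def parse_decoded(text):
    """Return (logical expression, {subsig id: (offset, nocase, pattern bytes)})."""
    expr = re.search(r"^LOGICAL EXPRESSION: (\S+)", text, re.M).group(1)
    return expr, {int(i): (off, mod == "NOCASE", pat.encode())
                  for i, off, mod, pat in SUBSIG.findall(text)}

def subsig_hits(sub, data):
    offset, nocase, pattern = sub
    if nocase:  # NOCASE: compare case-insensitively
        data, pattern = data.lower(), pattern.lower()
    if offset == "ANY":
        return pattern in data
    return data.startswith(pattern, int(offset))  # fixed absolute offset

def matches(data, text=DECODED):
    """Simplified evaluation: raw buffer only, AND-only expressions such as 0&1&2."""
    expr, subs = parse_decoded(text)
    if not re.fullmatch(r"\d+(&\d+)*", expr):
        raise ValueError("only AND-only logical expressions are handled here")
    return all(subsig_hits(subs[int(i)], data) for i in expr.split("&"))

# Constructed sample buffer (not a real file): hits all three subsignatures.
SAMPLE = b"PK\x03\x04Payload/Example.app/INFO.PLIST\x00BeGiR"
```
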


_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
