Al, I think you are probably right looking at it.
> What kind of suggestion are you looking for? > > They appear to be three different iPhone/iPad/iPod applications. > > The signatures were added to the ClamAV database on 1 Nov 2018. > > I would have to guess it has something to do with this Talos article: > > <https://blog.talosintelligence.com/2018/11/persian-stalker.html?utm_source=mosaicsecurity> > > -Al- > ClamXAV User I would just add a way to find the decoded sig like last time this was asked. ~# sigtool --find-sigs Ios.Trojan.FakeTelegram-6736161-0 daily.cld | sigtool --decode-sigs VIRUS NAME: Ios.Trojan.FakeTelegram-6736161-0 TDB: Engine:81-255,Target:0 LOGICAL EXPRESSION: 0&1&2 * SUBSIG ID 0 +-> OFFSET: 0 +-> SIGMOD: NONE +-> DECODED SUBSIGNATURE: PK * SUBSIG ID 1 +-> OFFSET: ANY +-> SIGMOD: NOCASE +-> DECODED SUBSIGNATURE: begir * SUBSIG ID 2 +-> OFFSET: ANY +-> SIGMOD: NOCASE +-> DECODED SUBSIGNATURE: Info.plist Eric Tykwinski _______________________________________________ clamav-users mailing list firstname.lastname@example.org http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml