Hi there,

On Mon, 6 Jul 2020, Michel GALLE wrote:

It's my first post here.

Welcome. :)

I am trying to get information about "Xls.Malware.Madeba-8019734-0".

ClamAV informed me that a previously clean (or supposedly clean) xls file is in fact infected by Xls.Malware.Madeba-8019734-0.

The file was not modified or edited.

I found that the Malware.Madeba-8019734-0 definition was added to ClamAV on 13 June 2020 or so, in version 25842 of the ClamAV signatures.

The detection is likely a false positive.  They are not uncommon, and
they most often occur when a new signature is not sufficiently specific.

My question is: where can I find more information about Malware.Madeba-8019734-0? Is there a better website/service referencing all known malware?

You can look for the plain text in the signature databases, for example

8<----------------------------------------------------------------------
$ grep -a Madeba-8019734-0 /var/lib/clamav/databases/daily.cld
Xls.Malware.Madeba-8019734-0;Engine:51-255,Target:2;0&1&2&3&4&5;2d2d204c696d69747320696e20706c61636520323030342d30392d3233202e2e2e;44696d205241424a49312020417320537472696e67;44696d20776f726473283130302920417320537472696e67;464c4954494553203d20776f72647328444f5a414c;4966205041535434203e2030205468656e;776f726473283835
8<----------------------------------------------------------------------

You can use 'sigtool' to extract information about signatures, for example

8<----------------------------------------------------------------------
$ sigtool --datadir=/var/lib/clamav/databases/ -fXls.Malware.Madeba-8019734-0 | 
sigtool --decode-sigs
VIRUS NAME: Xls.Malware.Madeba-8019734-0
TDB: Engine:51-255,Target:2
LOGICAL EXPRESSION: 0&1&2&3&4&5
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
-- Limits in place 2004-09-23 ...
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Dim RABJI1  As String
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Dim words(100) As String
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
FLITIES = words(DOZAL
 * SUBSIG ID 4
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
If PAST4 > 0 Then
 * SUBSIG ID 5
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
words(85
8<----------------------------------------------------------------------

This will make more sense to people who create signatures than to
those who have never done that.  The ClamAV documentation and Website
have more information about the signature formats; every ClamAV utility
has a 'man' page, for example try typing

man sigtool

at a shell prompt.

I can't find it at Microsoft, Kaspersky, Trend Micro...

There is no universally agreed naming system for malware, so it can be
difficult to compare the signatures for different scanners.

--

73,
Ged.
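The daily.cld record Ged greps out above is one line of ClamAV's logical signature (.ldb) format: name, target description block (Engine functionality-level range and Target:2, the OLE2 target type), the logical expression, and the hex-encoded subsignatures that sigtool decodes. The following is an added example (not ClamAV project code) that parses that record and evaluates the logical expression against a constructed buffer, which is what sigtool's output is showing you in decoded form.

```python
"""Parse a ClamAV logical (.ldb) signature and evaluate it over a buffer.
Added example, not ClamAV code; it covers only what this signature uses:
plain hex subsignatures and an expression of indices, '&', '|' and ( )."""
import re
# The daily.cld record quoted in the message above.
SIG_LINE = ("Xls.Malware.Madeba-8019734-0;Engine:51-255,Target:2;0&1&2&3&4&5;"
            "2d2d204c696d69747320696e20706c61636520323030342d30392d3233202e2e2e;"
            "44696d205241424a49312020417320537472696e67;"
            "44696d20776f726473283130302920417320537472696e67;"
            "464c4954494553203d20776f72647328444f5a414c;"
            "4966205041535434203e2030205468656e;776f726473283835")

def parse_ldb(line):
    """Split 'name;TDB;expr;subsig;...'; each subsignature is hex-encoded."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    tdb = dict(kv.split(":", 1) for kv in tdb.split(","))
    return {"name": name, "tdb": tdb, "expr": expr,
            "subsigs": [bytes.fromhex(s) for s in subsigs]}

def evaluate(expr, hits):
    """Recursive descent: expr := term ('|' term)*; term := factor ('&'
    factor)*; factor := index | '(' expr ')'.  hits[i] = subsig i found."""
    toks = re.findall(r"\d+|[&|()]", expr)
    def factor():
        tok = toks.pop(0)
        if tok == "(":
            val = or_expr()
            toks.pop(0)  # the matching ')'
            return val
        return hits[int(tok)]

    def and_expr():
        val = factor()
        while toks and toks[0] == "&":
            toks.pop(0)
            val = factor() and val  # factor() first so its tokens are consumed
        return val

    def or_expr():
        val = and_expr()
        while toks and toks[0] == "|":
            toks.pop(0)
            val = and_expr() or val
        return val
    return or_expr()

def matches(sig, data):
    """clamscan applies Target:2 signatures to the content it extracts from
    the OLE2 file; here 'data' is whatever raw buffer the caller passes."""
    return evaluate(sig["expr"], [s in data for s in sig["subsigs"]])
```

Because the expression is 0&1&2&3&4&5, all six VBA fragments must be present for a hit; a file containing only some of them (the usual false-positive shape) does not match.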

_______________________________________________

clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users
