* Michel GALLE <michel.ga...@6wind.com>: > Hi Everyone, > > it's my first post here. > > I try to get information about "Xls.Malware.Madeba-8019734-0". > > Clamav informed me a previously clean (or supposedly to be clean) xls file > is in fact infected by Xls.Malware.Madeba-8019734-0. > > The file was not modified or edited. > > I found that Malware.Madeba-8019734-0 definition was added to Clamav the 13 > june 2020 or so, in Version 25842 of clamav signatures. > > My question is : where I can find more information about > Malware.Madeba-8019734-0 ? Is there a better website/service referencing all > malwares known ?
# sigtool --find-sigs Xls.Malware.Madeba-8019734-0 | sigtool --decode-sigs VIRUS NAME: Xls.Malware.Madeba-8019734-0 TDB: Engine:51-255,Target:2 LOGICAL EXPRESSION: 0&1&2&3&4&5 * SUBSIG ID 0 +-> OFFSET: ANY +-> SIGMOD: NONE +-> DECODED SUBSIGNATURE: -- Limits in place 2004-09-23 ... * SUBSIG ID 1 +-> OFFSET: ANY +-> SIGMOD: NONE +-> DECODED SUBSIGNATURE: Dim RABJI1 As String * SUBSIG ID 2 +-> OFFSET: ANY +-> SIGMOD: NONE +-> DECODED SUBSIGNATURE: Dim words(100) As String * SUBSIG ID 3 +-> OFFSET: ANY +-> SIGMOD: NONE +-> DECODED SUBSIGNATURE: FLITIES = words(DOZAL * SUBSIG ID 4 +-> OFFSET: ANY +-> SIGMOD: NONE +-> DECODED SUBSIGNATURE: If PAST4 > 0 Then * SUBSIG ID 5 +-> OFFSET: ANY +-> SIGMOD: NONE +-> DECODED SUBSIGNATURE: words(85 So, as you can see the signature consists of 6 subsignatures numbered 0-5, ll of which must match. It sort-of looks highly specific to me. Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 ralf.hildebra...@charite.de https://www.charite.de _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml