Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
On Tue, 08 Feb 2005 16:32:41 + Francis Stevens [EMAIL PROTECTED] wrote:
> Trog wrote:
> > BTW, all the false positives I've seen so far are also reported as broken by the showriff utility, which was written specifically to check these files. For example:
> >
> > $ showriff virus-2005-02-08-n0009134
> > Contents of file virus-2005-02-08-n0009134 (18926/0x8926 bytes):
>
> All the problem files I've had are Powerpoint and Word files. For the Powerpoint files it was a common background image.

P900\Beyonce Knowles - Crazy In Love (2).wav: Exploit.W32.MS05-002 FOUND
p900\Evanescence - Bring Me To Life - Daredevil 2 (2).wav: Exploit.W32.MS05-002 FOUND
p900\robby-feel.wav: Exploit.W32.MS05-002 FOUND

-- 
Maxim Britov
GnuPG KeyID 0x4580A6D66F3DB1FB
Keyserver hkp://keyserver.kjsl.com
Fingerprint: 4059 B5C5 8985 5A47 8F5A 8623 4580 A6D6 6F3D B1FB
GnuPG-ru Team; xmpp:[EMAIL PROTECTED] ICQ 198171258
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
On Wednesday 09 February 2005 15:56, Maxim Britov shaped the electrons to say:
> On Tue, 08 Feb 2005 16:32:41 + Francis Stevens [EMAIL PROTECTED] wrote:
> > Trog wrote:
> > > BTW, all the false positives I've seen so far are also reported as broken by the showriff utility, which was written specifically to check these files. For example:
> > >
> > > $ showriff virus-2005-02-08-n0009134
> > > Contents of file virus-2005-02-08-n0009134 (18926/0x8926 bytes):
> >
> > All the problem files I've had are Powerpoint and Word files. For the Powerpoint files it was a common background image.
>
> P900\Beyonce Knowles - Crazy In Love (2).wav: Exploit.W32.MS05-002 FOUND
> p900\Evanescence - Bring Me To Life - Daredevil 2 (2).wav: Exploit.W32.MS05-002 FOUND
> p900\robby-feel.wav: Exploit.W32.MS05-002 FOUND

'Stealing Music?' tut tut ;)

-- 
Scott Ryan
Telkom Internet
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
> > > > BTW, all the false positives I've seen so far are also reported as broken by the showriff utility, which was written specifically to check these files. For example:
> > > >
> > > > $ showriff virus-2005-02-08-n0009134
> > > > Contents of file virus-2005-02-08-n0009134 (18926/0x8926 bytes):
> > >
> > > All the problem files I've had are Powerpoint and Word files. For the Powerpoint files it was a common background image.
> >
> > P900\Beyonce Knowles - Crazy In Love (2).wav: Exploit.W32.MS05-002 FOUND
> > p900\Evanescence - Bring Me To Life - Daredevil 2 (2).wav: Exploit.W32.MS05-002 FOUND
> > p900\robby-feel.wav: Exploit.W32.MS05-002 FOUND
>
> 'Stealing Music?' tut tut ;)

I don't know, but size is ~50-100KB.

-- 
Maxim Britov
GnuPG KeyID 0x4580A6D66F3DB1FB
Keyserver hkp://keyserver.kjsl.com
Fingerprint: 4059 B5C5 8985 5A47 8F5A 8623 4580 A6D6 6F3D B1FB
GnuPG-ru Team; xmpp:[EMAIL PROTECTED] ICQ 198171258
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
> P900\Beyonce Knowles - Crazy In Love (2).wav: Exploit.W32.MS05-002 FOUND
> p900\Evanescence - Bring Me To Life - Daredevil 2 (2).wav: Exploit.W32.MS05-002 FOUND
> p900\robby-feel.wav: Exploit.W32.MS05-002 FOUND

Hello,

I don't suppose these files were submitted for analysis by the clamav developers?

Chris
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
On Wed, 9 Feb 2005, Maxim Britov wrote:
> P900\Beyonce Knowles - Crazy In Love (2).wav: Exploit.W32.MS05-002 FOUND
> I don't know, but size is ~50-100KB.

If they're tiny files, are you sure they're actually wavs?

Maybe someone downloaded these things and instead of funky beats, they're full of Greek soldiers?

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
On Wed, 2005-02-09 at 11:51 -0500, jef moskot wrote:
> On Wed, 9 Feb 2005, Maxim Britov wrote:
> > P900\Beyonce Knowles - Crazy In Love (2).wav: Exploit.W32.MS05-002 FOUND
> > I don't know, but size is ~50-100KB.
>
> If they're tiny files, are you sure they're actually wavs?
>
> Maybe someone downloaded these things and instead of funky beats, they're full of Greek soldiers?

WAV files don't just have to be PCM audio. I've seen (from the I Love Bees site) MPEG Audio Layer-III data inside a WAV RIFF wrapper. Since these files were triggering the malformed RIFF scanner, this could very well be the case.

-- 
Chris
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
jef moskot wrote:
> On Wed, 9 Feb 2005, Maxim Britov wrote:
> > P900\Beyonce Knowles - Crazy In Love (2).wav: Exploit.W32.MS05-002 FOUND
> > I don't know, but size is ~50-100KB.
>
> If they're tiny files, are you sure they're actually wavs?

My guess is they are ring signals for the Sony Ericsson P900 mobile phone.

-- 
/Peter Bonivart

--Unix lovers do it in the Sun
RE: [Clamav-users] Exploit.W32.MS05-002 False Positives
Francis Stevens wrote:
> I'm seeing several false positives for Exploit.W32.MS05-002 since I upgraded to 0.82 yesterday. I've posted samples to the submission website but would like to do something about this.
>
> Using sigtool -l doesn't list Exploit.W32.MS05-002 as a signature in the database, is there any way I can disable this check?
>
> I tried reverting to 0.81 but that didn't help.
>
> FAS

Seen it here too.

Cheers,

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
Francis Stevens wrote:
> I'm seeing several false positives for Exploit.W32.MS05-002 since I upgraded to 0.82 yesterday. I've posted samples to the submission website but would like to do something about this.
>
> Using sigtool -l doesn't list Exploit.W32.MS05-002 as a signature in the database, is there any way I can disable this check?
>
> I tried reverting to 0.81 but that didn't help.

Finally worked out how to (correctly) revert to 0.81, had to remove the libraries in /usr/local/lib before doing the make install for 0.81. I'm no longer getting the false positives, just the WARNING message from freshclam - which I'm happy to ignore until the other issue is dealt with.

Am I right that the MS05-002 check is built into the clamscan executable (libclamav) and is not a true signature?

FAS
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
* Francis Stevens [EMAIL PROTECTED]:
> Finally worked out how to (correctly) revert to 0.81, had to remove the libraries in /usr/local/lib before doing the make install for 0.81. I'm no longer getting the false positives, just the WARNING message from freshclam - which I'm happy to ignore until the other issue is dealt with.
>
> Am I right that the MS05-002 check is built into the clamscan executable (libclamav) and is not a true signature?

Same here, what is the fix?

-- 
Ralf Hildebrandt (i.A. des IT-Zentrum)        [EMAIL PROTECTED]
Charite - Universitätsmedizin Berlin          Tel. +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin  Fax. +49 (0)30-450 570-962
IT-Zentrum Standort CBF                       send no mail to [EMAIL PROTECTED]
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
Ralf Hildebrandt wrote:
> * Francis Stevens [EMAIL PROTECTED]:
> > Finally worked out how to (correctly) revert to 0.81, had to remove the libraries in /usr/local/lib before doing the make install for 0.81. I'm no longer getting the false positives, just the WARNING message from freshclam - which I'm happy to ignore until the other issue is dealt with.
> >
> > Am I right that the MS05-002 check is built into the clamscan executable (libclamav) and is not a true signature?
>
> Same here, what is the fix?

My fix was to go back to 0.81. Hopefully the ClamAV team will be able to suggest a better one

FAS
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
* Francis Stevens [EMAIL PROTECTED]:
> My fix was to go back to 0.81. Hopefully the ClamAV team will be able to suggest a better one

My point exactly.

-- 
Ralf Hildebrandt (i.A. des IT-Zentrum)        [EMAIL PROTECTED]
Charite - Universitätsmedizin Berlin          Tel. +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin  Fax. +49 (0)30-450 570-962
IT-Zentrum Standort CBF                       send no mail to [EMAIL PROTECTED]
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
On Tue, 2005-02-08 at 15:31 +, Francis Stevens wrote: Same here, what is the fix? My fix was to go back to 0.81. Hopefully the ClamAV team will be able to suggest a better one You can apply the enclosed patch if you want less stringent checking. -trog --- libclamav/special.c 5 Feb 2005 15:50:18 - 1.8 +++ libclamav/special.c 8 Feb 2005 14:47:06 - 1.9 @@ -224,6 +224,12 @@ return 0; } + if (memcmp(form_type, ACON, 4) != 0) { + /* Only scan MS animated icon files */ + /* There is a *lot* of broken software out there that produces bad RIFF files */ + return 0; + } + chunk_size = riff_endian_convert_32(chunk_size, big_endian); do { @@ -234,6 +240,6 @@ if (offset chunk_size) { retval = 2; - }; + } return retval; } signature.asc Description: This is a digitally signed message part ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
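Review bot: the early return added in the first hunk (`if (memcmp(form_type, ACON, 4) != 0) { ... return 0; }`) does not make the check less stringent, it switches it off entirely for every RIFF form type other than ACON, so the broken WAVE and CDR8 samples discussed in this thread are no longer examined at all; the "less stringent checking" wording undersells that, and a comment or changelog line stating that non-ACON RIFF files are now ignored by this detector would help people decide whether to apply it. Also, as archived here the literal appears as `ACON` without quotes; confirm the committed line reads `"ACON"`, since the unquoted form would not compile.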
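Review bot: the second hunk only drops the stray semicolon after the closing brace (`};` becomes `}`), which is a harmless style cleanup, but the condition just above it is archived as `if (offset chunk_size)` with no comparison operator, which looks like mailing-list mangling rather than the real source. Worth checking that revision 1.9 of libclamav/special.c has the operator intact, since that comparison is what sets `retval = 2` for a chunk that runs past the end of the file.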
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
* Trog [EMAIL PROTECTED]:
> You can apply the enclosed patch if you want less stringent checking.

Is that in the CVS as well?

-- 
Ralf Hildebrandt (i.A. des IT-Zentrum)        [EMAIL PROTECTED]
Charite - Universitätsmedizin Berlin          Tel. +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin  Fax. +49 (0)30-450 570-962
IT-Zentrum Standort CBF                       send no mail to [EMAIL PROTECTED]
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
Trog wrote:
> You can apply the enclosed patch if you want less stringent checking.

Tried the patch and it fixes the problem for all the false positives I've seen so far, so it looks good to me.

Will this make it into 0.83?

Thanks for the rapid response.

FAS
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
On Tue, 2005-02-08 at 16:11 +, Francis Stevens wrote:
> Tried the patch and it fixes the problem for all the false positives I've seen so far, so it looks good to me.
>
> Will this make it into 0.83?
>
> Thanks for the rapid response.

Yes, I would expect so.

BTW, all the false positives I've seen so far are also reported as broken by the showriff utility, which was written specifically to check these files. For example:

$ showriff virus-2005-02-08-n0009134
Contents of file virus-2005-02-08-n0009134 (18926/0x8926 bytes):
(0x) ID:RIFF Size: 0x49e6 Form Type = CDR8
(0x000c) ID:vrsn Size: 0x0002
(0x0016) ID:DISP Size: 0x282c
(0x284a) ID:LIST Size: 0x0114 List Type = INFO
(0x2856) ID:IKEY Size: 0x0080
(0x28de) ID:ICMT Size: 0x0080
(0x2966) ID:LIST Size: 0x046c List Type = cmpr
(0x2972) ID: Size: 0x0f6c
(0x2dda) ID:LIST Size: 0x1bd7 List Type = cmpr
(0x2de6) ID:t Size: 0x53dc
* Error: Chunk exceeds file

-trog
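The showriff listing above walks the top-level chunks of a RIFF file and stops at the chunk whose declared size runs past the end of the data. The Python below is an added example, not part of this thread and not code from ClamAV or showriff; it performs the same walk over constructed sample files and, through an `only_acon` flag, mirrors the form-type gate that the patch earlier in the thread adds, so the same truncated file is reported as malformed when it is an ACON file and skipped when it is a WAV.

```python
import struct


def check_riff(data: bytes, only_acon: bool = True) -> str:
    """Walk a little-endian RIFF file's top-level chunks and classify it.

    Returns "not-riff", "skipped" (form type is not ACON while gating is on),
    "malformed" (a chunk's declared size runs past the end of the data, the
    "Chunk exceeds file" case showriff reports) or "ok".
    only_acon=True mirrors the patched behaviour in this thread; False mirrors
    the pre-patch behaviour that examined every RIFF form type.
    """
    if len(data) < 12 or data[:4] != b"RIFF":
        return "not-riff"
    form_type = data[8:12]
    if only_acon and form_type != b"ACON":
        return "skipped"
    offset = 12  # first chunk header follows "RIFF", size, form type
    while offset + 8 <= len(data):
        chunk_size = struct.unpack_from("<I", data, offset + 4)[0]
        if offset + 8 + chunk_size > len(data):
            return "malformed"
        offset += 8 + chunk_size + (chunk_size & 1)  # chunk data is word-aligned
    return "ok"


def build_riff(form_type: bytes, chunks) -> bytes:
    """Assemble a constructed RIFF file from (chunk id, payload) pairs."""
    body = b""
    for chunk_id, payload in chunks:
        body += chunk_id + struct.pack("<I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"  # pad odd-sized chunk data to a word boundary
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + form_type + body


# Constructed samples (not files from the thread): a well-formed WAV, the same
# WAV cut short so its last chunk claims more data than the file holds (like
# the CDR8 sample above), and an ACON file with the same defect.
GOOD_WAV = build_riff(b"WAVE", [(b"fmt ", b"\x01\x00" * 8), (b"data", b"\x00" * 16)])
BAD_WAV = GOOD_WAV[:-8]   # "data" chunk still says 16 bytes, only 8 remain
BAD_ACON = build_riff(b"ACON", [(b"anih", b"\x00" * 36)])[:-20]

if __name__ == "__main__":
    for name, sample in (("GOOD_WAV", GOOD_WAV), ("BAD_WAV", BAD_WAV), ("BAD_ACON", BAD_ACON)):
        print(name, "patched:", check_riff(sample), "unpatched:", check_riff(sample, only_acon=False))
```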
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
Trog wrote:
> BTW, all the false positives I've seen so far are also reported as broken by the showriff utility, which was written specifically to check these files. For example:
>
> $ showriff virus-2005-02-08-n0009134
> Contents of file virus-2005-02-08-n0009134 (18926/0x8926 bytes):

All the problem files I've had are Powerpoint and Word files. For the Powerpoint files it was a common background image.

FAS
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
On Tue, 2005-02-08 at 16:32 +, Francis Stevens wrote:
> All the problem files I've had are Powerpoint and Word files. For the Powerpoint files it was a common background image.

Is it wise to update to clamav 0.82 given the large number of false positives being reported?

Regards,
- Sean
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
* Francis Stevens [EMAIL PROTECTED]:
> All the problem files I've had are Powerpoint and Word files. For the Powerpoint files it was a common background image.

Same here!

-- 
Ralf Hildebrandt (i.A. des IT-Zentrum)        [EMAIL PROTECTED]
Charite - Universitätsmedizin Berlin          Tel. +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin  Fax. +49 (0)30-450 570-962
IT-Zentrum Standort CBF                       send no mail to [EMAIL PROTECTED]