Re: [clamav-users] More fp's. Now its almost everything that has been zipped.

2016-12-25 Thread Al Varnell
Here’s another: 

sigtool --find-sigs Win.Trojan.Toa-5370297-0|sigtool --decode-sigs
VIRUS NAME: Win.Trojan.Toa-5370297-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: ^[a-z0-9\-_]{1,30}_[a-zA-Z0-9\-]{1,15}\.js$
COMPRESSED FILESIZE: ANY
UNCOMPRESSED FILESIZE: ANY
ENCRYPTION: IGNORED
FILE POSITION: ANY
CRC SUM: ANY

Found in this mac OS X application on https://www.sublimetext.com. 
Submitted as FP MD5=f62311d5e593183719cbb5a4264d2e4c:54433:Java.sublime-package

-Al-

On Dec 25, 2016, at 7:19 AM, Steve Basford wrote:

> 
> On Sun, December 25, 2016 10:40 am, Al Varnell wrote:
> 
>> A handful of ClamXav users can confirm the Firefox
>> omni.ja:Win.Trojan.Toa-5370234-0. It also identified some Adobe products
>> as infected when run through QA.
> 
> Firstly, Merry Christmas to all.
> 
> Onto the FP's... basically they are too generic... currently the
> reported FP's, when you decode them, are going to hit quite a few
> files.
> 
> sigtool --find-sigs Win.Trojan.Toa-5370234-0|sigtool --decode-sigs
> VIRUS NAME: Win.Trojan.Toa-5370234-0
> CONTAINER TYPE: CL_TYPE_ZIP
> CONTAINER SIZE: ANY
> FILENAME REGEX: [\W][a-z]{3,4}\.js$
> 
> sigtool --find-sigs Win.Trojan.Toa-5372190-0|sigtool --decode-sigs
> VIRUS NAME: Win.Trojan.Toa-5372190-0
> CONTAINER TYPE: CL_TYPE_ZIP
> CONTAINER SIZE: ANY
> FILENAME REGEX: [a-z]{8,30}\.exe$
> 
> sigtool --find-sigs Win.Trojan.Toa-5371146-0|sigtool --decode-sigs
> VIRUS NAME: Win.Trojan.Toa-5371146-0
> CONTAINER TYPE: CL_TYPE_ZIP
> CONTAINER SIZE: ANY
> FILENAME REGEX: ^[a-z]{3,7}\.exe$
> 
> sigtool --find-sigs Win.Trojan.Toa-5370085-0|sigtool --decode-sigs
> VIRUS NAME: Win.Trojan.Toa-5370085-0
> CONTAINER TYPE: CL_TYPE_ZIP
> CONTAINER SIZE: ANY
> FILENAME REGEX: ^[a-z]{2,12}\.exe$
> 
> They have hit a few in my ham folder too..
> 
> 
> eg:
> 
> sanesecurity\ham\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370297-0
> 
> 
> The good news is that the Toa-xxx sigs are hitting malware
> 
> eg:
> 
> 21_12_2016\IMG-20161221-WA9898.zip: Win.Trojan.Toa-5368799-0 FOUND
> 
> sigtool --find-sigs Win.Trojan.Toa-5368799-0|sigtool --decode-sigs
> VIRUS NAME: Win.Trojan.Toa-5368799-0
> CONTAINER TYPE: CL_TYPE_ZIP
> CONTAINER SIZE: ANY
> FILENAME REGEX: ^[A-Za-z0-9]{1,25}\.wsf$
> 
> Foxhole sigs are doing a similar thing but trying not to be too generic.
> 
> Right, off to carry on munching and playing with playdoh(tm) ;)
> 
> --
> Cheers,
> 
> Steve


smime.p7s
Description: S/MIME cryptographic signature
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] More fp's. Now its almost everything that has been zipped.

2016-12-25 Thread Steve Basford

On Sun, December 25, 2016 10:40 am, Al Varnell wrote:

> A handful of ClamXav users can confirm the Firefox
> omni.ja:Win.Trojan.Toa-5370234-0. It also identified some Adobe products
> as infected when run through QA.

Firstly, Merry Christmas to all.

Onto the FP's... basically they are too generic... currently the
reported FP's, when you decode them, are going to hit quite a few
files.

sigtool --find-sigs Win.Trojan.Toa-5370234-0|sigtool --decode-sigs
VIRUS NAME: Win.Trojan.Toa-5370234-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: [\W][a-z]{3,4}\.js$

sigtool --find-sigs Win.Trojan.Toa-5372190-0|sigtool --decode-sigs
VIRUS NAME: Win.Trojan.Toa-5372190-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: [a-z]{8,30}\.exe$

sigtool --find-sigs Win.Trojan.Toa-5371146-0|sigtool --decode-sigs
VIRUS NAME: Win.Trojan.Toa-5371146-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: ^[a-z]{3,7}\.exe$

sigtool --find-sigs Win.Trojan.Toa-5370085-0|sigtool --decode-sigs
VIRUS NAME: Win.Trojan.Toa-5370085-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: ^[a-z]{2,12}\.exe$

They have hit a few in my ham folder too..


eg:

sanesecurity\ham\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370297-0


The good news is that the Toa-xxx sigs are hitting malware

eg:

21_12_2016\IMG-20161221-WA9898.zip: Win.Trojan.Toa-5368799-0 FOUND

sigtool --find-sigs Win.Trojan.Toa-5368799-0|sigtool --decode-sigs
VIRUS NAME: Win.Trojan.Toa-5368799-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: ^[A-Za-z0-9]{1,25}\.wsf$

Foxhole sigs are doing a similar thing but trying not to be too generic.

Right, off to carry on munching and playing with playdoh(tm) ;)

--
Cheers,

Steve
Twitter: @sanesecurity

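To see for yourself what "too generic" means, here is a small script that replays the decoded Toa-xxx container signatures against the member names of a ZIP. It is an added example for this thread, not ClamAV's or Sanesecurity's code: the raw .cdb lines are reconstructed from the decoded output quoted above (trailing fields assumed to be `*`), Python's `re` stands in for ClamAV's own regex engine, the regex is assumed to be searched against the full member name as stored in the archive, and the sample archive and the `local.ign2` name are constructed for the demo.

```python
"""Replay ClamAV container-metadata (.cdb) signatures against ZIP member names.

Added example for this thread, not ClamAV's own code. Python's re module stands
in for ClamAV's regex engine, so results are an approximation (assumption).
"""
import io
import re
import zipfile
from typing import Dict, List

# Raw .cdb field order ('*' = any). sigtool --decode-sigs prints these as
# VIRUS NAME, CONTAINER TYPE, ...; for CL_TYPE_ZIP, Res1 is shown as CRC SUM.
CDB_FIELDS = ("name", "container_type", "container_size", "filename_regex",
              "compressed_size", "uncompressed_size", "encryption",
              "file_position", "crc", "res2")

# Raw lines reconstructed from the decoded output quoted in the thread; the
# trailing fields are assumed to be '*' (ANY), as the decode output shows.
THREAD_SIGS = [
    r"Win.Trojan.Toa-5370234-0:CL_TYPE_ZIP:*:[\W][a-z]{3,4}\.js$:*:*:*:*:*:*",
    r"Win.Trojan.Toa-5371146-0:CL_TYPE_ZIP:*:^[a-z]{3,7}\.exe$:*:*:*:*:*:*",
    r"Win.Trojan.Toa-5368799-0:CL_TYPE_ZIP:*:^[A-Za-z0-9]{1,25}\.wsf$:*:*:*:*:*:*",
]


def parse_cdb(line: str) -> Dict[str, str]:
    """Split one .cdb line into named fields.

    The regex field may itself contain ':', so take the three fields before
    it from the left and the six after it from the right.
    """
    head = line.strip().split(":", 3)
    if len(head) != 4:
        raise ValueError("not a .cdb line: %r" % line)
    tail = head[3].rsplit(":", 6)
    if len(tail) != 7:
        raise ValueError("missing fields in .cdb line: %r" % line)
    return dict(zip(CDB_FIELDS, head[:3] + tail))


def _size_ok(field: str, actual: int) -> bool:
    return field == "*" or int(field) == actual


def entry_matches(sig: Dict[str, str], info: zipfile.ZipInfo) -> bool:
    """Apply a parsed signature to one archive member.

    Assumes the regex is searched against the full member name as stored in
    the archive (so anchor with ^ and $ yourself, as the thread's sigs do).
    """
    if sig["container_type"] not in ("*", "CL_TYPE_ZIP"):
        return False
    if not _size_ok(sig["compressed_size"], info.compress_size):
        return False
    if not _size_ok(sig["uncompressed_size"], info.file_size):
        return False
    return re.search(sig["filename_regex"], info.filename) is not None


def scan_zip(zip_bytes: bytes, raw_sigs: List[str]) -> Dict[str, List[str]]:
    """Return {signature name: [member names it matched]} for one ZIP blob."""
    sigs = [parse_cdb(s) for s in raw_sigs]
    hits: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            for sig in sigs:
                if entry_matches(sig, info):
                    hits.setdefault(sig["name"], []).append(info.filename)
    return hits


def ign2_text(sig_names: List[str]) -> str:
    """Body of a local .ign2 file (one signature name per line); dropped in the
    database directory it makes clamscan/clamd skip those signatures."""
    return "".join(name + "\n" for name in sorted(set(sig_names)))


def build_sample_zip() -> bytes:
    """Constructed archive whose member names resemble a browser omni.ja plus
    a few top-level script names; the contents are stubs, not real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in ("chrome/toolkit/content/global/init.js",
                     "defaults/pref/channel.js", "modules/Services.jsm",
                     "bin/setup.exe", "setup.exe", "invoice.wsf", "readme.txt"):
            zf.writestr(name, "// stub\n")
    return buf.getvalue()


if __name__ == "__main__":
    found = scan_zip(build_sample_zip(), THREAD_SIGS)
    for sig_name, members in found.items():
        for member in members:
            print("%s: %s FOUND" % (member, sig_name))
    print("--- local.ign2 ---")
    print(ign2_text(list(found)), end="")
```

The benign `chrome/.../init.js` member trips `[\W][a-z]{3,4}\.js$` exactly the way omni.ja does, while `bin/setup.exe` escapes the `^`-anchored `.exe` sig and `invoice.wsf` is caught by the `.wsf` one. Feeding the script the raw lines from `sigtool --find-sigs NAME` on your own database lets you predict which archives a new generic sig will hit before it lands in a scan; the `.ign2` output is a local stopgap while the FP report at clamav.net is processed, not a fix.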


Re: [clamav-users] More fp's. Now its almost everything that has been zipped.

2016-12-25 Thread Al Varnell
A handful of ClamXav users can confirm the Firefox 
omni.ja:Win.Trojan.Toa-5370234-0. It also identified some Adobe products as 
infected when run through QA.

Reported as FP.

-Al-

On Dec 24, 2016, at 9:08 PM, Gene Heskett wrote:

> Hi all. I am drowning in these for a couple days now.
> 
> /home/gene/Download/firefox/omni.ja: Win.Trojan.Toa-5370234-0 FOUND
> /home/gene/Download/7i43.zip: Win.Trojan.Toa-5372190-0 FOUND
> /home/gene/Download/5i25.zip: Win.Trojan.Toa-5372190-0 FOUND
> /home/gene/firefox/omni.ja: Win.Trojan.Toa-5370234-0 FOUND
> /home/gene/Public/7i92.zip: Win.Trojan.Toa-5372190-0 FOUND
> /home/gene/Public/5i25.zip: Win.Trojan.Toa-5372190-0 FOUND
> /home/gene/.mozilla/firefox/2fv0cbez.default/extensions/fire...@software.joehewitt.com.xpi: Win.Trojan.Toa-5366523-0 FOUND
> /home/gene/.mozilla/Default User/zm63kxty.slt/Cache/61E7CF65d01: Win.Trojan.Toa-5370234-0 FOUND
> /home/gene/Mail/inbox/cur/1458140602.5547.Pz3b3:2,S: Win.Trojan.Toa-5370439-0 FOUND
> /home/gene/Mail/coco/cur/1423220414.32681.j29Bg:2,S: Win.Trojan.Toa-5372190-0 FOUND
> /home/gene/Mail/coco/cur/1423220351.32681.5q7Ex:2,S: Win.Trojan.Toa-5370085-0 FOUND
> /home/gene/Mail/sent-mail/cur/1464364674.1042.tmhLu:2,S: Win.Trojan.Toa-5372190-0 FOUND
> /home/gene/bin/firefox/omni.ja: Win.Trojan.Toa-5370234-0 FOUND
> /home/gene/Downloads/Download/opti_8_1_08_2209.zip: Win.Trojan.Toa-5371146-0 FOUND
> /home/gene/Downloads/5i25(1).zip: Win.Trojan.Toa-5372190-0 FOUND
> /home/gene/Downloads/5i25.zip: Win.Trojan.Toa-5372190-0 FOUND
> /home/gene/Downloads/SeaToolsDOS223ALL.ISO: Win.Trojan.Toa-5371146-0 FOUND
> 
> Cheers, Gene Heskett
> -- 
> "There are four boxes to be used in defense of liberty:
> soap, ballot, jury, and ammo. Please use in that order."
> -Ed Howdershelt (Author)
> Genes Web page 
> 
> 

-Al-
-- 
Al Varnell
Mountain View, CA
