Hajo,

> Hello list,
>
> Pattern is always the same, including the 5-char comments. In my case the
> include string decodes to a path and includes an .ico file.
> I don't understand this code to obfuscate the path. I saw some samples and all
> of the lines look a different way in encoded case. When decoded the strings
> show some similarities. But unfortunately I can just create a signature to
> raw text, not the decoded, human readable text.
> What would be best way to create a signature in this way? Currently this is a
> puzzler for me and I don't find a way to create a clever signature that fits
> most cases.
> Maybe this would be a case for the pros?

If you’ve got the full files, then you can create some yara rules. Samples for webshells are located here:

https://github.com/Yara-Rules/rules/tree/master/Webshells

I’d be cautious at first and not use move or delete, at least until you’ve got the script down pat. I’ve learned the hard way from my own false positives ;)

Eric

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
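
Added example, not part of the original thread: a triage script that matches on the decoded include path rather than the raw text, which is the gap described in the quoted question. It assumes the samples are PHP and hide the path with double-quoted string escapes (\NNN octal, \xHH hex); the sample lines, the path and the function names are constructed for illustration.

```python
import re

# Assumption: PHP droppers that hide the path with double-quoted string
# escapes (\NNN octal, \xHH hex) mixed with literal characters.
COMMENT = re.compile(r"/\*.*?\*/", re.S)  # short filler comments
INCLUDE = re.compile(
    r"""@?\b(?:include|require)(?:_once)?\s*\(?\s*(["'])(.*?)\1""", re.I | re.S)
ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")


def decode_php_escapes(s):
    """Resolve \\xHH and \\NNN escapes; leave every other character as it is."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)  # PHP truncates octal to one byte
    return ESCAPE.sub(repl, s)


def suspicious_includes(source):
    """Return decoded include targets that were escaped and end in .ico."""
    hits = []
    for m in INCLUDE.finditer(COMMENT.sub("", source)):
        raw = m.group(2)
        # Escapes are only interpreted inside double-quoted PHP strings.
        decoded = decode_php_escapes(raw) if m.group(1) == '"' else raw
        if decoded != raw and decoded.lower().endswith(".ico"):
            hits.append(decoded)
    return hits


# Constructed samples: the same path encoded two different ways, plus a
# benign include that must not be reported.
SAMPLE_A = r'''<?php
/*k3x9q*/

@include "\057v\141r/w\x77w/fa\166icon_9a3f.i\143o";

/*k3x9q*/
'''
SAMPLE_B = r'''<?php
/*p7m2z*/
@include "/\166ar\057\x77ww/f\x61vicon_9a3f\056ico";
/*p7m2z*/
'''
BENIGN = '<?php include "lib/header.php"; include "img/favicon.ico";'

if __name__ == "__main__":
    for name, src in (("A", SAMPLE_A), ("B", SAMPLE_B), ("benign", BENIGN)):
        print(name, suspicious_includes(src))
```

Both encodings reduce to the same decoded path, so a report-only pass like this can feed a list of candidate files to manual review before any raw-text signature or YARA rule is written.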