Re: [clamav-users] Ios.Trojan.FakeTelegram-6736161-0 FOUND

2018-12-06 Thread Eric Tykwinski
Al,

I think you are probably right looking at it.

> What kind of suggestion are you looking for?
>
> They appear to be three different iPhone/iPad/iPod applications.
> 
> The signatures were added to the ClamAV database on 1 Nov 2018.
> 
> I would have to guess it has something to do with this Talos article:
> 
> 
>  
> -Al-
> ClamXAV User

I would just add a way to find the decoded sig like last time this was asked.

~# sigtool --find-sigs Ios.Trojan.FakeTelegram-6736161-0 daily.cld | sigtool --decode-sigs
VIRUS NAME: Ios.Trojan.FakeTelegram-6736161-0
TDB: Engine:81-255,Target:0
LOGICAL EXPRESSION: 0&1&2
 * SUBSIG ID 0
 +-> OFFSET: 0
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
PK
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
begir
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
Info.plist

Eric Tykwinski


___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
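
Added example, not part of the thread and not ClamAV code: a simplified Python model of the decoded signature in Eric's message above, showing which byte conditions its three subsignatures impose on a file. It assumes plain literal matching on the raw bytes of one buffer and AND-only logical expressions; the names parse_decoded, subsig_hits, matches and make_zip are hypothetical, and ClamAV's own engine does more (for example scanning extracted archive members).

```python
import io
import re
import zipfile

# Output of `sigtool --decode-sigs` as posted in the thread above.
DECODED = """\
VIRUS NAME: Ios.Trojan.FakeTelegram-6736161-0
TDB: Engine:81-255,Target:0
LOGICAL EXPRESSION: 0&1&2
 * SUBSIG ID 0
 +-> OFFSET: 0
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
PK
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
begir
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
Info.plist
"""

def parse_decoded(text):  # -> (expression, [(offset, sigmod, pattern_bytes), ...])
    expr = re.search(r"^LOGICAL EXPRESSION: (.+)$", text, re.M).group(1).strip()
    subsigs = re.findall(r"OFFSET: (\S+)\n.*SIGMOD: (\S+)\n.*SUBSIGNATURE:\n(.*)\n", text)
    return expr, [(off, mod, pat.encode()) for off, mod, pat in subsigs]

def subsig_hits(data, offset, sigmod, pattern):
    # Simplified model (assumption): literal pattern, offset 0 or ANY, optional NOCASE.
    if sigmod == "NOCASE":
        data, pattern = data.lower(), pattern.lower()
    return data.startswith(pattern) if offset == "0" else pattern in data

def matches(data, decoded=DECODED):
    expr, subsigs = parse_decoded(decoded)
    if not re.fullmatch(r"\d+(&\d+)*", expr):
        raise ValueError("only AND-only logical expressions are modelled here")
    return all(subsig_hits(data, *subsigs[int(i)]) for i in expr.split("&"))

def make_zip(entries):  # constructed in-memory archive from {name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

For a constructed archive holding an Info.plist entry plus stored bytes spelling BEGIR, matches() returns True; drop the second string, or prepend bytes so the buffer no longer starts with PK, and it returns False.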


Re: [clamav-users] Ios.Trojan.FakeTelegram-6736161-0 FOUND

2018-12-06 Thread Al Varnell
What kind of suggestion are you looking for?

They appear to be three different iPhone/iPad/iPod applications.

The signatures were added to the ClamAV database on 1 Nov 2018.

I would have to guess it has something to do with this Talos article:

>

-Al-
ClamXAV User

On Thu, Dec 06, 2018 at 11:08 AM, David Laxer wrote:
> Hi,
> 
> I am running clamav-0.100.beta on OS X 10.11.6 and got the following messages
> Ios.Trojan.FakeTelegram-6736161-0 FOUND
> 
> Here’s my clamscan invocation:
> 
> $  clamscan/clamscan -i -r --exclude-dir=/Volumes --exclude-dir=/dev --exclude-dir=/Users/davidlaxer/clamav-0.100.0-beta/test --max-filesize=100M /
> 
> I received the following three alerts:
> 
> /Users/davidlaxer/iTunes Media/Mobile Applications/7notesHD Prem 3.2.2.ipa: Ios.Trojan.FakeTelegram-6736161-0 FOUND
> /Users/davidlaxer/iTunes Media/Mobile Applications/JapanGoggles 2.6.ipa: Ios.Trojan.FakeTelegram-6736161-0 FOUND
> /Users/davidlaxer/iTunes Media/Mobile Applications/Memo 3.0.0.ipa: Ios.Trojan.FakeTelegram-6736161-0 FOUND
> 
> Any suggestions?
> 
> Thanks in advance!
> 
> Best,
> -Dave


[clamav-users] Ios.Trojan.FakeTelegram-6736161-0 FOUND

2018-12-06 Thread David Laxer
Hi,

I am running clamav-0.100.beta on OS X 10.11.6 and got the following messages
Ios.Trojan.FakeTelegram-6736161-0 FOUND

Here’s my clamscan invocation:

$  clamscan/clamscan -i -r --exclude-dir=/Volumes --exclude-dir=/dev --exclude-dir=/Users/davidlaxer/clamav-0.100.0-beta/test --max-filesize=100M /

I received the following three alerts:

/Users/davidlaxer/iTunes Media/Mobile Applications/7notesHD Prem 3.2.2.ipa: Ios.Trojan.FakeTelegram-6736161-0 FOUND
/Users/davidlaxer/iTunes Media/Mobile Applications/JapanGoggles 2.6.ipa: Ios.Trojan.FakeTelegram-6736161-0 FOUND
/Users/davidlaxer/iTunes Media/Mobile Applications/Memo 3.0.0.ipa: Ios.Trojan.FakeTelegram-6736161-0 FOUND

Any suggestions?

Thanks in advance!

Best,
-Dave
