[clamav-users] FN with unknown virus attachment
Al Varnell
alvarnell at mac.com
Sun Jun 22 21:31:24 UTC 2014
On Sun, Jun 22, 2014 at 10:01 AM, Alex wrote:
> On Sat, Jun 21, 2014 at 2:43 PM, Steve Basford <steveb_clamav at sanesecurity.com> wrote:
>> On Sat, June 21, 2014 2:00 pm, Alex wrote:
>>> Hi,
>>> I'm using clamav-0.98.4 on fedora20 with the sanesecurity and safebrowsing
>>> sigs and still seeing an unknown virus pass through our systems. I've
>>> submitted it to the clamav false-negative upload, but haven't received a
>>> response, and 24hrs later it's still not being tagged. I was hoping
>>> someone could help me identify it and determine the risk.
>> Just seen the sample posted and it's an interesting one.
>>
>> Detection added, in both rogue.hdb and also mainly, phish.ndb.
> Okay, great, thanks. Can you describe the risk for me? What does it do, and
> what's necessary for the user to do to become infected? It appears to be a
> rogue link phishing attack? So it requires the user to open the Word doc
> then click the link, correct?
>
> Can it somehow infect the user's PC just by opening, or must they click the
> link and fall victim to the phishing attack to be affected?
Those are not questions this list would normally know much about. I took the liberty of submitting your file to VirusTotal and see that 15 of the 53 scanners there identify it as malware:
<https://www.virustotal.com/en/file/0526a70f51bfca0df9b01684fb5cb93519a784b0484283a1bec218279bc1b4ce/analysis/1403470020/>.
If you visit the site of some of those scanners with the infection name they use, you might find the information you are looking for.
-Al-
--
Al Varnell
Mountain View, CA