[clamav-users] several malware samples, clamav doesn't detect
Walter H.
Walter.H at mathemainzel.info
Fri Dec 25 08:12:53 UTC 2015
Just submitted two new samples, as I received them today;
SHA1(28.zip)= d0f18efb2d92c0528fab3736b134d5ad13d23be3
SHA1(29.zip)= b399b5c9e6e4567740825ac85754191a7648dfaa
On 25.12.2015 02:05, Al Varnell wrote:
> Surely you cannot mean that all of those represent critical threats that require immediate attention from the already overworked ClamAV signature team?
What do you really think these are?
Just as an expanded sample, here is the complete e-mail, where I removed the
malware content;
I get these regularly, and for this another way of submission -> just
an e-mail address to forward these to ...
-----[ 28.eml ]-----
Return-Path: <bozdogand at bozdogandagitim.com>
Received: from storage.mail ([unix socket])
    by storage.mail (Cyrus v2.3.16-Fedora-RPM-2.3.16-13.el6_6) with LMTPA;
    Fri, 25 Dec 2015 03:01:35 +0100
X-Sieve: CMU Sieve 2.3
Received: from filter.mail by storage.mail (Postfix) with ESMTP id
    CE10B62834
Received: by filter.mail (Postfix) id C38334905
X-From-noReply-Box: yes
Delivered-To: walter+noreply at filter.mail
Received: by filter.mail (Postfix, userid 500) id BE1B84913
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on filter.mail
X-Spam-Status: No, score=2.1 required=4.0 tests=HELO_LH_HOME,XPRIO
    autolearn=no version=3.3.1
Received: from filter.mail by filter.mail (Postfix) with ESMTP id 6774F4905
Envelope-to: 8000804 at mathemainzel.info
Delivery-date: Fri, 25 Dec 2015 02:03:37 +0100
Received: from [w4y-pop-server] by filter.mail with POP3 (fetchmail-6.3.17)
Received: from [81.19.149.129] (helo=mx19lb.world4you.com)
    by mail12.world4you.com with esmtp (Exim 4.76)
    (envelope-from <bozdogand at bozdogandagitim.com>)
    id 1aCGnA-0001D7-Uf
    for 8000804 at mathemainzel.info; Fri, 25 Dec 2015 02:03:36 +0100
Received: from [188.132.250.211] (helo=ns1.adanabook.com)
    by mx19lb.world4you.com with esmtps (TLSv1:AES256-SHA:256)
    (Exim 4.77)
    (envelope-from <bozdogand at bozdogandagitim.com>)
    id 1aCGnA-0003qG-Hu
    for 8000804 at mathemainzel.info; Fri, 25 Dec 2015 02:03:36 +0100
Received: by ns1.adanabook.com (Postfix, from userid 10006)
    id 1B3ED10EE07; Fri, 25 Dec 2015 04:08:11 +0200 (EET)
To: 8000804 at mathemainzel.info
X-PHP-Originating-Script: 10006:post.php(5) : regexp code(1) : eval()'d
    code(17) : eval()'d code
Date: Fri, 25 Dec 2015 04:08:11 +0200
From: "Interfax Online" <incoming at interfax.net>
Reply-To: "Interfax Online" <incoming at interfax.net>
Message-ID: <a1948b492afbeeab345181e8084c7ccc at bozdogandagitim.com>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="b1_9d092492ac2cddaeaa628f93cbfb66a1"
Content-Transfer-Encoding: 8bit
X-SA-Exim-Connect-IP: 188.132.250.211
X-SA-Exim-Mail-From: bozdogand at bozdogandagitim.com
Subject: [SPAM] You have received a new fax, document 0000471075
X-Spam-Prev-Subject: You have received a new fax, document 0000471075
X-SA-Exim-Version: 4.2.1 (built Sat, 28 Apr 2007 14:02:57 +0200)
X-SA-Exim-Scanned: Yes (on mx19lb.world4you.com)

--b1_9d092492ac2cddaeaa628f93cbfb66a1
Content-Type: text/plain; charset=us-ascii

A new fax document for you.
Please, download fax document attached to this email.
Filesize: 150 Kb
File name: scan-0000471075.doc
Scanned in: 9 seconds
Scanned at: Thu, 24 Dec 2015 17:05:33 +0300
From: Gerald Calhoun
Number of pages: 5
Quality: 300 DPI
Thank you for using Interfax!
--b1_9d092492ac2cddaeaa628f93cbfb66a1
Content-Type: application/zip; name="scan-0000471075.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=scan-0000471075.zip

#content#removed#
--b1_9d092492ac2cddaeaa628f93cbfb66a1--
-----[ 29.eml ]-----
Return-Path: <www at host3.webhostingservers.net>
Received: from storage.mail ([unix socket])
    by storage.mail (Cyrus v2.3.16-Fedora-RPM-2.3.16-13.el6_6) with LMTPA;
    Fri, 25 Dec 2015 08:50:07 +0100
X-Sieve: CMU Sieve 2.3
Received: from filter.mail by storage.mail (Postfix) with ESMTP id
    4E24D635DA
Received: by filter.mail (Postfix) id 3799C491C
X-From-noReply-Box: yes
Delivered-To: walter+noreply at filter.mail
Received: by filter.mail (Postfix, userid 500) id 2E66A4948
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on filter.mail
X-Spam-Status: No, score=2.1 required=4.0 tests=HELO_LH_HOME,XPRIO
    autolearn=no version=3.3.1
Received: from filter.mail by filter.mail (Postfix) with ESMTP id 045E84905
Envelope-to: 9050903 at mathemainzel.info
Delivery-date: Fri, 25 Dec 2015 07:21:09 +0100
Received: from [w4y-pop-server] by filter.mail with POP3 (fetchmail-6.3.17)
Received: from [81.19.149.133] (helo=mx23lb.world4you.com)
    by mail12.world4you.com with esmtp (Exim 4.76)
    (envelope-from <www at host3.webhostingservers.net>)
    id 1aCLkT-0002YU-M4
    for 9050903 at mathemainzel.info; Fri, 25 Dec 2015 07:21:09 +0100
Received: from [209.239.57.35] (helo=host3.webhostingservers.net)
    by mx23lb.world4you.com with esmtp (Exim 4.77)
    (envelope-from <www at host3.webhostingservers.net>)
    id 1aCLkS-0000UT-Sq
    for 9050903 at mathemainzel.info; Fri, 25 Dec 2015 07:21:09 +0100
Received: (from www at localhost)
    by host3.webhostingservers.net (8.14.3/8.12.10) id tBP5RTEW028021;
    Fri, 25 Dec 2015 00:27:29 -0500
To: 9050903 at mathemainzel.info
Date: Fri, 25 Dec 2015 00:27:29 -0500
From: "Interfax Online" <incoming at interfax.net>
Reply-To: "Interfax Online" <incoming at interfax.net>
Message-ID: <95b13738ef4dbec76bba040b833250a3 at bibleinsight.com>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="b1_65c1451b368193580c19c5cf984dd73f"
Content-Transfer-Encoding: 8bit
X-SA-Exim-Connect-IP: 209.239.57.35
X-SA-Exim-Mail-From: www at host3.webhostingservers.net
Subject: [SPAM] You have received a new fax, document 00845094
X-Spam-Prev-Subject: You have received a new fax, document 00845094
X-SA-Exim-Version: 4.2.1 (built Sat, 22 Jan 2011 20:12:41 -0500)
X-SA-Exim-Scanned: Yes (on mx23lb.world4you.com)

--b1_65c1451b368193580c19c5cf984dd73f
Content-Type: text/plain; charset=us-ascii

You have received a new fax.
Please check your fax document in the attachment to this e-mail.
File name: scan-00845094.doc
Sender: Manuel Hooper
File size: 102 Kb
Resolution: 400 DPI
Scan date: Thu, 24 Dec 2015 10:20:07 +0300
Pages scanned: 6
Scan duration: 21 seconds
Thanks for using Interfax service!
--b1_65c1451b368193580c19c5cf984dd73f
Content-Type: application/zip; name="scan-00845094.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=scan-00845094.zip

#content#removed#
--b1_65c1451b368193580c19c5cf984dd73f--
> Sent from Janet's iPad
>
> -Al-
>
> On Dec 24, 2015, at 4:03 PM, "Walter H." wrote:
>
>> these were my submissions
>>
>> for file in *; do openssl dgst -hex -sha1 $file; done
>>
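As an added example, not code from the original post or from ClamAV, here is a small Python triage function that applies the header and MIME checks a mail filter could run against the two messages above: Return-Path domain differing from the displayed From domain, the eval()'d-code marker in X-PHP-Originating-Script, and a body that advertises a .doc while the attachment is a .zip. The embedded message is a constructed, shortened copy of 28.eml with the archive payload replaced by a placeholder.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: headers and MIME parts of 28.eml from the post, cut
# down to the fields used below; the attachment body is a placeholder.
SAMPLE_EML = """\
Return-Path: <bozdogand@bozdogandagitim.com>
X-PHP-Originating-Script: 10006:post.php(5) : regexp code(1) : eval()'d code
From: "Interfax Online" <incoming@interfax.net>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

File name: scan-0000471075.doc
--b1
Content-Type: application/zip; name="scan-0000471075.zip"
Content-Disposition: attachment; filename=scan-0000471075.zip

UEsDBAo=
--b1--
"""

def _domain(header):
    # Domain of the first address in a header, lower-cased ('' if none).
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()

def triage(raw):
    """Return the names of the phishing indicators found in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    # Envelope sender domain differs from the displayed From domain.
    if _domain(msg["Return-Path"]) != _domain(msg["From"]):
        hits.append("return-path-mismatch")
    # Mail generated by PHP code that was itself produced by eval().
    if "eval()" in str(msg["X-PHP-Originating-Script"] or ""):
        hits.append("php-eval-origin")
    body, attachments = "", []  # collect text body and (type, filename) pairs
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append((part.get_content_type(), part.get_filename() or ""))
        elif part.get_content_type() == "text/plain":
            body += part.get_content()
    # Body advertises a file whose extension matches none of the attachments.
    adv = re.search(r"File name:\s*(\S+)", body)
    if adv and attachments:
        actual = {name.rpartition(".")[2].lower() for _, name in attachments}
        if adv.group(1).rpartition(".")[2].lower() not in actual:
            hits.append("attachment-extension-mismatch")
    return hits
```

A message with matching sender domains, no PHP eval marker and no advertised filename yields an empty list, so the function can gate a quarantine rule without touching the attachment itself.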