[clamav-users] several malware samples, clamav doesn't detect

Al Varnell alvarnell at mac.com
Fri Dec 25 08:23:58 UTC 2015 

I’m a novice at signature writing, but those e-mails don’t seem to have sufficient unique content to warrant a signature based on the text.  They look like simple Spam to me.  Since you removed the actual malware, I have no clue what they are and how critical of a threat they might be.  

As Joel said, what you need to post here is the hash for the file before you zipped it.

-Al-

On Fri, Dec 25, 2015 at 12:12 AM, Walter H. wrote:
> 
> Just submitted two new samples, as I received them today;
> 
> SHA1(28.zip)= d0f18efb2d92c0528fab3736b134d5ad13d23be3
> SHA1(29.zip)= b399b5c9e6e4567740825ac85754191a7648dfaa
> 
> On 25.12.2015 02:05, Al Varnell wrote:
>> Surely you cannot mean that all of those represent critical threats that require immediate attention from the already overworked ClamAV signature team?
> what do you really think are these?
> 
> just as an expanded sample the complete E-mail, where I removed the malware content;
> I get these regularily, and for this another way of submission -> just an E-mail-Address, where to forward these ...
> 
> -----[ 28.eml ]-----
> 
> Return-Path: <bozdogand at bozdogandagitim.com>
> Received: from storage.mail ([unix socket])
>     by storage.mail (Cyrus v2.3.16-Fedora-RPM-2.3.16-13.el6_6) with LMTPA;
>     Fri, 25 Dec 2015 03:01:35 +0100
> X-Sieve: CMU Sieve 2.3
> Received: from filter.mail by storage.mail (Postfix) with ESMTP id CE10B62834
> Received: by filter.mail (Postfix) id C38334905
> X-From-noReply-Box: yes
> Delivered-To: walter+noreply at filter.mail
> Received: by filter.mail (Postfix, userid 500) id BE1B84913
> X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on filter.mail
> X-Spam-Status: No, score=2.1 required=4.0 tests=HELO_LH_HOME,XPRIO
>    autolearn=no version=3.3.1
> Received: from filter.mail by filter.mail (Postfix) with ESMTP id 6774F4905
> Envelope-to: 8000804 at mathemainzel.info
> Delivery-date: Fri, 25 Dec 2015 02:03:37 +0100
> Received: from [w4y-pop-server] by filter.mail with POP3 (fetchmail-6.3.17)
> Received: from [81.19.149.129] (helo=mx19lb.world4you.com)
>    by mail12.world4you.com with esmtp (Exim 4.76)
>    (envelope-from <bozdogand at bozdogandagitim.com>)
>    id 1aCGnA-0001D7-Uf
>    for 8000804 at mathemainzel.info; Fri, 25 Dec 2015 02:03:36 +0100
> Received: from [188.132.250.211] (helo=ns1.adanabook.com)
>    by mx19lb.world4you.com with esmtps (TLSv1:AES256-SHA:256)
>    (Exim 4.77)
>    (envelope-from <bozdogand at bozdogandagitim.com>)
>    id 1aCGnA-0003qG-Hu
>    for 8000804 at mathemainzel.info; Fri, 25 Dec 2015 02:03:36 +0100
> Received: by ns1.adanabook.com (Postfix, from userid 10006)
>    id 1B3ED10EE07; Fri, 25 Dec 2015 04:08:11 +0200 (EET)
> To: 8000804 at mathemainzel.info
> X-PHP-Originating-Script: 10006:post.php(5) : regexp code(1) : eval()'d code(17) : eval()'d code
> Date: Fri, 25 Dec 2015 04:08:11 +0200
> From: "Interfax Online" <incoming at interfax.net>
> Reply-To: "Interfax Online" <incoming at interfax.net>
> Message-ID: <a1948b492afbeeab345181e8084c7ccc at bozdogandagitim.com>
> X-Priority: 3
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>    boundary="b1_9d092492ac2cddaeaa628f93cbfb66a1"
> Content-Transfer-Encoding: 8bit
> X-SA-Exim-Connect-IP: 188.132.250.211
> X-SA-Exim-Mail-From: bozdogand at bozdogandagitim.com
> Subject: [SPAM] You have received a new fax, document 0000471075
> X-Spam-Prev-Subject: You have received a new fax, document 0000471075
> X-SA-Exim-Version: 4.2.1 (built Sat, 28 Apr 2007 14:02:57 +0200)
> X-SA-Exim-Scanned: Yes (on mx19lb.world4you.com)
> 
> --b1_9d092492ac2cddaeaa628f93cbfb66a1
> Content-Type: text/plain; charset=us-ascii
> 
> A new fax document for you.
> 
> 
> 
> Please, download fax document attached to this email.
> 
> 
> 
> Filesize:              150 Kb
> 
> File name:             scan-0000471075.doc
> 
> Scanned in:            9 seconds
> 
> Scanned at:            Thu, 24 Dec 2015 17:05:33 +0300
> 
> From:                  Gerald Calhoun
> 
> Number of pages:       5
> 
> Quality:               300 DPI
> 
> 
> 
> Thank you for using Interfax!
> 
> 
> --b1_9d092492ac2cddaeaa628f93cbfb66a1
> Content-Type: application/zip; name="scan-0000471075.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename=scan-0000471075.zip
> 
> #content#removed#
> 
> --b1_9d092492ac2cddaeaa628f93cbfb66a1--
> 
> 
> -----[ 29.eml ]-----
> 
> Return-Path: <www at host3.webhostingservers.net>
> Received: from storage.mail ([unix socket])
>     by storage.mail (Cyrus v2.3.16-Fedora-RPM-2.3.16-13.el6_6) with LMTPA;
>     Fri, 25 Dec 2015 08:50:07 +0100
> X-Sieve: CMU Sieve 2.3
> Received: from filter.mail by storage.mail (Postfix) with ESMTP id 4E24D635DA
> Received: by filter.mail (Postfix) id 3799C491C
> X-From-noReply-Box: yes
> Delivered-To: walter+noreply at filter.mail
> Received: by filter.mail (Postfix, userid 500) id 2E66A4948
> X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on filter.mail
> X-Spam-Status: No, score=2.1 required=4.0 tests=HELO_LH_HOME,XPRIO
>    autolearn=no version=3.3.1
> Received: from filter.mail by filter.mail (Postfix) with ESMTP id 045E84905
> Envelope-to: 9050903 at mathemainzel.info
> Delivery-date: Fri, 25 Dec 2015 07:21:09 +0100
> Received: from [w4y-pop-server] by filter.mail with POP3 (fetchmail-6.3.17)
> Received: from [81.19.149.133] (helo=mx23lb.world4you.com)
>    by mail12.world4you.com with esmtp (Exim 4.76)
>    (envelope-from <www at host3.webhostingservers.net>)
>    id 1aCLkT-0002YU-M4
>    for 9050903 at mathemainzel.info; Fri, 25 Dec 2015 07:21:09 +0100
> Received: from [209.239.57.35] (helo=host3.webhostingservers.net)
>    by mx23lb.world4you.com with esmtp (Exim 4.77)
>    (envelope-from <www at host3.webhostingservers.net>)
>    id 1aCLkS-0000UT-Sq
>    for 9050903 at mathemainzel.info; Fri, 25 Dec 2015 07:21:09 +0100
> Received: (from www at localhost)
>    by host3.webhostingservers.net (8.14.3/8.12.10) id tBP5RTEW028021;
>    Fri, 25 Dec 2015 00:27:29 -0500
> To: 9050903 at mathemainzel.info
> Date: Fri, 25 Dec 2015 00:27:29 -0500
> From: "Interfax Online" <incoming at interfax.net>
> Reply-To: "Interfax Online" <incoming at interfax.net>
> Message-ID: <95b13738ef4dbec76bba040b833250a3 at bibleinsight.com>
> X-Priority: 3
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>    boundary="b1_65c1451b368193580c19c5cf984dd73f"
> Content-Transfer-Encoding: 8bit
> X-SA-Exim-Connect-IP: 209.239.57.35
> X-SA-Exim-Mail-From: www at host3.webhostingservers.net
> Subject: [SPAM] You have received a new fax, document 00845094
> X-Spam-Prev-Subject: You have received a new fax, document 00845094
> X-SA-Exim-Version: 4.2.1 (built Sat, 22 Jan 2011 20:12:41 -0500)
> X-SA-Exim-Scanned: Yes (on mx23lb.world4you.com)
> 
> 
> --b1_65c1451b368193580c19c5cf984dd73f
> Content-Type: text/plain; charset=us-ascii
> 
> You have received a new fax.
> 
> Please check your fax document in the attachment to this e-mail.
> 
> File name:          scan-00845094.doc
> Sender:             Manuel Hooper
> File size:          102 Kb
> Resolution:         400 DPI
> Scan date:          Thu, 24 Dec 2015 10:20:07 +0300
> Pages scanned:      6
> Scan duration:      21 seconds
> 
> Thanks for using Interfax service!
> 
> 
> --b1_65c1451b368193580c19c5cf984dd73f
> Content-Type: application/zip; name="scan-00845094.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename=scan-00845094.zip
> 
> #content#removed#

-Al-
-- 
Al Varnell
Mountain View, CA





-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2366 bytes
Desc: not available
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20151225/cc769b78/attachment.bin>

More information about the clamav-users mailing list