[clamav-users] several malware samples, clamav doesn't detect
Walter H.
Walter.H at mathemainzel.info
Fri Dec 25 08:46:41 UTC 2015
On 25.12.2015 09:23, Al Varnell wrote:
> I’m a novice at signature writing, but those e-mails don’t seem to have sufficient unique content to warrant a signature based on the text. They look like simple Spam to me.
> Since you removed the actual malware, I have no clue what they are and how critical of a threat they might be.
That's why I gave the hashes of the samples I submitted:
SHA1(28.zip)= d0f18efb2d92c0528fab3736b134d5ad13d23be3
SHA1(29.zip)= b399b5c9e6e4567740825ac85754191a7648dfaa
to see this in context, as it is not a good idea to attach malware here ...
> As Joel said,
he meant something different ...
> what you need to post here is the hash for the file before you zipped it.
and it is not me who zips this; it comes zipped. And for submitting
their content I MUST HAVE another way of submitting - FTP UPLOAD - as I
risk infecting my whole PC, as the content is a harmful script which
might be started automatically ...
>
> -Al-
>
> On Fri, Dec 25, 2015 at 12:12 AM, Walter H. wrote:
>> Just submitted two new samples, as I received them today;
>>
>> SHA1(28.zip)= d0f18efb2d92c0528fab3736b134d5ad13d23be3
>> SHA1(29.zip)= b399b5c9e6e4567740825ac85754191a7648dfaa
>>
>> On 25.12.2015 02:05, Al Varnell wrote:
>>> Surely you cannot mean that all of those represent critical threats that require immediate attention from the already overworked ClamAV signature team?
>> what do you really think these are?
>>
>> just as an expanded sample the complete E-mail, where I removed the malware content;
>> I get these regularly, and for this another way of submission -> just an e-mail address to which to forward these ...
>>
>> -----[ 28.eml ]-----
>>
>> Return-Path: <bozdogand at bozdogandagitim.com>
>> Received: from storage.mail ([unix socket])
>> by storage.mail (Cyrus v2.3.16-Fedora-RPM-2.3.16-13.el6_6) with LMTPA;
>> Fri, 25 Dec 2015 03:01:35 +0100
>> X-Sieve: CMU Sieve 2.3
>> Received: from filter.mail by storage.mail (Postfix) with ESMTP id CE10B62834
>> Received: by filter.mail (Postfix) id C38334905
>> X-From-noReply-Box: yes
>> Delivered-To: walter+noreply at filter.mail
>> Received: by filter.mail (Postfix, userid 500) id BE1B84913
>> X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on filter.mail
>> X-Spam-Status: No, score=2.1 required=4.0 tests=HELO_LH_HOME,XPRIO
>> autolearn=no version=3.3.1
>> Received: from filter.mail by filter.mail (Postfix) with ESMTP id 6774F4905
>> Envelope-to: 8000804 at mathemainzel.info
>> Delivery-date: Fri, 25 Dec 2015 02:03:37 +0100
>> Received: from [w4y-pop-server] by filter.mail with POP3 (fetchmail-6.3.17)
>> Received: from [81.19.149.129] (helo=mx19lb.world4you.com)
>> by mail12.world4you.com with esmtp (Exim 4.76)
>> (envelope-from <bozdogand at bozdogandagitim.com>)
>> id 1aCGnA-0001D7-Uf
>> for 8000804 at mathemainzel.info; Fri, 25 Dec 2015 02:03:36 +0100
>> Received: from [188.132.250.211] (helo=ns1.adanabook.com)
>> by mx19lb.world4you.com with esmtps (TLSv1:AES256-SHA:256)
>> (Exim 4.77)
>> (envelope-from <bozdogand at bozdogandagitim.com>)
>> id 1aCGnA-0003qG-Hu
>> for 8000804 at mathemainzel.info; Fri, 25 Dec 2015 02:03:36 +0100
>> Received: by ns1.adanabook.com (Postfix, from userid 10006)
>> id 1B3ED10EE07; Fri, 25 Dec 2015 04:08:11 +0200 (EET)
>> To: 8000804 at mathemainzel.info
>> X-PHP-Originating-Script: 10006:post.php(5) : regexp code(1) : eval()'d code(17) : eval()'d code
>> Date: Fri, 25 Dec 2015 04:08:11 +0200
>> From: "Interfax Online" <incoming at interfax.net>
>> Reply-To: "Interfax Online" <incoming at interfax.net>
>> Message-ID: <a1948b492afbeeab345181e8084c7ccc at bozdogandagitim.com>
>> X-Priority: 3
>> MIME-Version: 1.0
>> Content-Type: multipart/mixed;
>> boundary="b1_9d092492ac2cddaeaa628f93cbfb66a1"
>> Content-Transfer-Encoding: 8bit
>> X-SA-Exim-Connect-IP: 188.132.250.211
>> X-SA-Exim-Mail-From: bozdogand at bozdogandagitim.com
>> Subject: [SPAM] You have received a new fax, document 0000471075
>> X-Spam-Prev-Subject: You have received a new fax, document 0000471075
>> X-SA-Exim-Version: 4.2.1 (built Sat, 28 Apr 2007 14:02:57 +0200)
>> X-SA-Exim-Scanned: Yes (on mx19lb.world4you.com)
>>
>> --b1_9d092492ac2cddaeaa628f93cbfb66a1
>> Content-Type: text/plain; charset=us-ascii
>>
>> A new fax document for you.
>>
>>
>>
>> Please, download fax document attached to this email.
>>
>>
>>
>> Filesize: 150 Kb
>>
>> File name: scan-0000471075.doc
>>
>> Scanned in: 9 seconds
>>
>> Scanned at: Thu, 24 Dec 2015 17:05:33 +0300
>>
>> From: Gerald Calhoun
>>
>> Number of pages: 5
>>
>> Quality: 300 DPI
>>
>>
>>
>> Thank you for using Interfax!
>>
>>
>> --b1_9d092492ac2cddaeaa628f93cbfb66a1
>> Content-Type: application/zip; name="scan-0000471075.zip"
>> Content-Transfer-Encoding: base64
>> Content-Disposition: attachment; filename=scan-0000471075.zip
>>
>> #content#removed#
>>
>> --b1_9d092492ac2cddaeaa628f93cbfb66a1--
>>
>>
>> -----[ 29.eml ]-----
>>
>> Return-Path: <www at host3.webhostingservers.net>
>> Received: from storage.mail ([unix socket])
>> by storage.mail (Cyrus v2.3.16-Fedora-RPM-2.3.16-13.el6_6) with LMTPA;
>> Fri, 25 Dec 2015 08:50:07 +0100
>> X-Sieve: CMU Sieve 2.3
>> Received: from filter.mail by storage.mail (Postfix) with ESMTP id 4E24D635DA
>> Received: by filter.mail (Postfix) id 3799C491C
>> X-From-noReply-Box: yes
>> Delivered-To: walter+noreply at filter.mail
>> Received: by filter.mail (Postfix, userid 500) id 2E66A4948
>> X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on filter.mail
>> X-Spam-Status: No, score=2.1 required=4.0 tests=HELO_LH_HOME,XPRIO
>> autolearn=no version=3.3.1
>> Received: from filter.mail by filter.mail (Postfix) with ESMTP id 045E84905
>> Envelope-to: 9050903 at mathemainzel.info
>> Delivery-date: Fri, 25 Dec 2015 07:21:09 +0100
>> Received: from [w4y-pop-server] by filter.mail with POP3 (fetchmail-6.3.17)
>> Received: from [81.19.149.133] (helo=mx23lb.world4you.com)
>> by mail12.world4you.com with esmtp (Exim 4.76)
>> (envelope-from <www at host3.webhostingservers.net>)
>> id 1aCLkT-0002YU-M4
>> for 9050903 at mathemainzel.info; Fri, 25 Dec 2015 07:21:09 +0100
>> Received: from [209.239.57.35] (helo=host3.webhostingservers.net)
>> by mx23lb.world4you.com with esmtp (Exim 4.77)
>> (envelope-from <www at host3.webhostingservers.net>)
>> id 1aCLkS-0000UT-Sq
>> for 9050903 at mathemainzel.info; Fri, 25 Dec 2015 07:21:09 +0100
>> Received: (from www at localhost)
>> by host3.webhostingservers.net (8.14.3/8.12.10) id tBP5RTEW028021;
>> Fri, 25 Dec 2015 00:27:29 -0500
>> To: 9050903 at mathemainzel.info
>> Date: Fri, 25 Dec 2015 00:27:29 -0500
>> From: "Interfax Online" <incoming at interfax.net>
>> Reply-To: "Interfax Online" <incoming at interfax.net>
>> Message-ID: <95b13738ef4dbec76bba040b833250a3 at bibleinsight.com>
>> X-Priority: 3
>> MIME-Version: 1.0
>> Content-Type: multipart/mixed;
>> boundary="b1_65c1451b368193580c19c5cf984dd73f"
>> Content-Transfer-Encoding: 8bit
>> X-SA-Exim-Connect-IP: 209.239.57.35
>> X-SA-Exim-Mail-From: www at host3.webhostingservers.net
>> Subject: [SPAM] You have received a new fax, document 00845094
>> X-Spam-Prev-Subject: You have received a new fax, document 00845094
>> X-SA-Exim-Version: 4.2.1 (built Sat, 22 Jan 2011 20:12:41 -0500)
>> X-SA-Exim-Scanned: Yes (on mx23lb.world4you.com)
>>
>>
>> --b1_65c1451b368193580c19c5cf984dd73f
>> Content-Type: text/plain; charset=us-ascii
>>
>> You have received a new fax.
>>
>> Please check your fax document in the attachment to this e-mail.
>>
>> File name: scan-00845094.doc
>> Sender: Manuel Hooper
>> File size: 102 Kb
>> Resolution: 400 DPI
>> Scan date: Thu, 24 Dec 2015 10:20:07 +0300
>> Pages scanned: 6
>> Scan duration: 21 seconds
>>
>> Thanks for using Interfax service!
>>
>>
>> --b1_65c1451b368193580c19c5cf984dd73f
>> Content-Type: application/zip; name="scan-00845094.zip"
>> Content-Transfer-Encoding: base64
>> Content-Disposition: attachment; filename=scan-00845094.zip
>>
>> #content#removed#
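An added example, not code from the original post and not ClamAV's own code, showing how to answer both sides of the exchange above without ever opening the attachment: hash the zip exactly as it arrived (the SHA1(28.zip) values Walter posted), hash every member of the zip in memory (the pre-zip hash Joel and Al asked for), and turn the result into ClamAV .hsb hash-signature lines. The .eml it parses is constructed inline to mirror 28.eml with a harmless placeholder payload; the member name scan-0000471075.doc.js, the script-extension list, the size cap and the signature names are assumptions, since the thread only says the zips hold a harmful script.

```python
"""Triage a 'new fax' mail like 28.eml: hash the container as received,
hash its members in memory, emit ClamAV .hsb lines. Added example; not
ClamAV code and not the poster's script."""
import base64
import email
import hashlib
import io
import re
import zipfile
from email import policy

# Assumed: the thread never names the file inside the zip, only that it is a script.
SAMPLE_MEMBER = "scan-0000471075.doc.js"
# Assumed triage list of extensions that run when double-clicked on Windows.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr",
               ".bat", ".cmd", ".ps1", ".jar"}
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # do not inflate anything bigger (zip-bomb guard)


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def ext_of(name: str) -> str:
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def build_sample_eml() -> bytes:
    """Constructed stand-in for 28.eml with the same MIME shape.
    The single zip member holds the FIPS 180 test vector b"abc", whose SHA1 is
    a9993e364706816aba3e25717850c26c9cd0d89d, so the member hash can be checked
    against a published value."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        info = zipfile.ZipInfo(SAMPLE_MEMBER, date_time=(2015, 12, 25, 4, 8, 11))
        info.create_system = 3  # pin the platform byte so the container hash is reproducible
        zf.writestr(info, b"abc")
    b64 = base64.encodebytes(zbuf.getvalue()).decode("ascii")
    boundary = "b1_9d092492ac2cddaeaa628f93cbfb66a1"
    return (
        'From: "Interfax Online" <incoming@interfax.net>\n'
        "Subject: You have received a new fax, document 0000471075\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\n\n'
        f"--{boundary}\nContent-Type: text/plain; charset=us-ascii\n\n"
        "A new fax document for you.\nFile name: scan-0000471075.doc\n\n"
        f"--{boundary}\n"
        'Content-Type: application/zip; name="scan-0000471075.zip"\n'
        "Content-Transfer-Encoding: base64\n"
        "Content-Disposition: attachment; filename=scan-0000471075.zip\n\n"
        f"{b64}\n--{boundary}--\n"
    ).encode("ascii")


def advertised_name(msg):
    """Filename the lure text claims to deliver ('File name: scan-....doc')."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_content_disposition() != "attachment":
            m = re.search(r"File name:\s*(\S+)", part.get_content())
            if m:
                return m.group(1)
    return None


def inspect_zip(data: bytes):
    """Hash each member in memory; nothing is written to disk or executed."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None
    members = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            entry = {"name": info.filename, "size": info.file_size,
                     "script": ext_of(info.filename) in SCRIPT_EXTS, "sha1": None}
            if info.file_size <= MAX_MEMBER_BYTES:
                entry["sha1"] = sha1_hex(zf.read(info))
            members.append(entry)
    return members


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    claimed = advertised_name(msg)
    report = {"advertised": claimed, "attachments": [], "signatures": []}
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or "unnamed"
        blob = part.get_payload(decode=True)
        att = {"name": name, "size": len(blob), "sha1": sha1_hex(blob),
               "members": inspect_zip(blob) or [],
               # lure promises a .doc but ships something else: flag it
               "extension_mismatch": bool(claimed) and ext_of(claimed) != ext_of(name)}
        report["attachments"].append(att)
        # .hsb line format is sha1:size:name; the names here are placeholders
        report["signatures"].append(f"{att['sha1']}:{att['size']}:Hypothetical.Fax.Container")
        for m in att["members"]:
            if m["sha1"]:
                report["signatures"].append(f"{m['sha1']}:{m['size']}:Hypothetical.Fax.Member")
    return report


if __name__ == "__main__":
    rep = triage(build_sample_eml())
    for att in rep["attachments"]:
        print(f"SHA1({att['name']})= {att['sha1']}  mismatch={att['extension_mismatch']}")
        for m in att["members"]:
            print(f"  {m['name']} size={m['size']} sha1={m['sha1']} script={m['script']}")
    print("\n".join(rep["signatures"]))
```

Save the printed lines to a file ending in .hsb and check them with `clamscan -d fax.hsb scan-0000471075.zip`; `sigtool --sha1 <file>` produces the same sha1:size:name triplet for a file already on disk. ClamAV unpacks MIME parts and archives while scanning, so a hash signature on the inner script matches whether the scanner sees the .eml, the .zip or the extracted file, whereas a signature on the container alone stops matching as soon as the sender re-packs it, which is why the hash of the unzipped content is the one the signature team asks for.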