[clamav-users] how to find Html.Phishing.Auction-214
Kees Theunissen
C.J.Theunissen at differ.nl
Wed Mar 22 14:12:04 UTC 2017
On Wed, 22 Mar 2017, Hajo Locke wrote:
> Thank you, Steve. I could find the lines and removed them. How could you decode
> this signature?
~$ sigtool --find-sigs Html.Phishing.Auction-214 | sigtool --decode-sigs
VIRUS NAME: Html.Phishing.Auction-214
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
sein, weil sie [... snipped ...] aktualisiert wurde
> Especially interesting is that the virus was found in the complete SQL file but
> not in the split subfiles. Maybe the target type is ignored at filesize x?
> The complete SQL file is 4.6 MB.
I guess that the string that was looked for spanned a subfile boundary
and was split over two subfiles.
Regards,
Kees.
--
Kees Theunissen, System and network administrator, Tel: 040-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address: C.J.Theunissen at differ.nl
postal address: Postbus 6336, 5600 HH, Eindhoven
visiting address: De Zaale 20, 5612 AJ, Eindhoven
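
The boundary effect suggested in the reply above, as an added example that is not part of the original post and not ClamAV code: a plain substring test stands in for the decoded body signature, and the marker, sample data and function names are all constructed. It shows that fixed-size pieces lose a match that straddles a cut, while pieces overlapping by one byte less than the pattern length keep it.

```python
# Added illustration (not ClamAV code). PATTERN and SAMPLE are constructed.
PIECE = 64                                  # assumed piece size in bytes
PATTERN = b"CONSTRUCTED-MARKER-STRING"      # stand-in for the signature body

# Constructed "SQL dump": the marker starts at offset 54, so it crosses the
# cut at offset 64 when the data is split into 64-byte pieces.
SAMPLE = (b"INSERT INTO t VALUES ('".ljust(54, b"x")
          + PATTERN
          + b"');\n".ljust(100, b"y"))


def split_fixed(data: bytes, size: int) -> list[bytes]:
    """Consecutive pieces of `size` bytes, as a plain file splitter makes."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def split_overlapping(data: bytes, size: int, overlap: int) -> list[bytes]:
    """Pieces of `size` bytes, each repeating the previous piece's last
    `overlap` bytes, so any pattern of up to overlap+1 bytes stays whole."""
    if not 0 <= overlap < size:
        raise ValueError("overlap must be smaller than the piece size")
    step = size - overlap
    stop = max(len(data) - overlap, 1)
    return [data[i:i + size] for i in range(0, stop, step)]


def hits(pieces: list[bytes], pattern: bytes) -> list[int]:
    """Indexes of the pieces that contain the whole pattern."""
    return [idx for idx, piece in enumerate(pieces) if pattern in piece]


if __name__ == "__main__":
    print("whole file matches:", PATTERN in SAMPLE)
    print("fixed pieces with a hit:", hits(split_fixed(SAMPLE, PIECE), PATTERN))
    overlapped = split_overlapping(SAMPLE, PIECE, len(PATTERN) - 1)
    print("overlapping pieces with a hit:", hits(overlapped, PATTERN))
```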