[clamav-users] how to find Html.Phishing.Auction-214

Hajo Locke Hajo.Locke at gmx.de
Wed Mar 22 15:21:33 UTC 2017


Hello,

On 22.03.2017 at 15:12, Kees Theunissen wrote:
> On Wed, 22 Mar 2017, Hajo Locke wrote:
>
>> Thank you, Steve. I could find the lines and removed them. How could you decode
>> this signature?
>
> ~$ sigtool --find-sigs Html.Phishing.Auction-214 | sigtool --decode-sigs
> VIRUS NAME: Html.Phishing.Auction-214
> TARGET TYPE: HTML
> OFFSET: *
> DECODED SIGNATURE:
> sein, weil sie [... snipped ...] aktualisiert wurde
Thanks, this is working.
>> Especially interesting is that the virus was found in the complete sql-file but not in
>> the split subfiles. Maybe the target type is ignored at filesize x?
>> The complete sql file is 4.6 MB.
> I guess that the string that was looked for spanned a subfile boundary
> and was split over two subfiles.
The text is found in one line of the sql-file; it is an insert instruction
in a sql dump.
Even when extracting this single line into a separate sql file, the virus
is not found. When creating a small html-file with this content,
clamscan successfully finds the infection.
This is explainable by Target Type: HTML of the source file.
If the virus is found in a larger sql-file, only the size is the difference.
So it was my assumption that the target type is ignored for larger files.
I don't find any other explanation.
>
>
> Regards,
>
> Kees.
>
Thanks,
Hajo
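
Added example, not part of the thread and not ClamAV's own code: a Python sketch of what the quoted sigtool --decode-sigs step does for a body-based (.ndb) signature line of the form Name:TargetType:Offset:HexSignature. The sample signature is constructed, decode_ndb is a hypothetical helper name, and the target type labels and wildcard rendering are this example's own, not sigtool's exact output.

```python
import re

# Target type numbers as defined for ClamAV body-based (.ndb) signatures.
TARGET_TYPES = {0: "ANY FILE", 1: "PE", 2: "OLE2", 3: "HTML", 4: "MAIL",
                5: "GRAPHICS", 6: "ELF", 7: "NORMALIZED ASCII TEXT",
                9: "MACH-O", 10: "PDF", 11: "FLASH", 12: "JAVA CLASS"}

# One token of the hex body: a literal byte or a wildcard construct.
TOKEN = re.compile(r"""
    (?P<byte>[0-9a-fA-F]{2})               # literal byte
  | (?P<any>\?\?)                          # any single byte
  | (?P<nib>[0-9a-fA-F]\?|\?[0-9a-fA-F])   # nibble wildcard
  | (?P<star>\*)                           # any number of bytes
  | (?P<gap>\{[0-9-]+\})                   # {n}, {n-m}, {-n}, {n-}
  | (?P<alt>!?\([0-9a-fA-F|?]+\))          # (aa|bb) alternatives
""", re.X)

# Constructed sample: "verify your" * "account", HTML target, any offset.
SAMPLE = "Example.Constructed-1:3:*:76657269667920796f7572*6163636f756e74"

def decode_ndb(line):
    """Split an .ndb line and render its hex body as readable text."""
    name, target, offset, body = line.strip().split(":")[:4]
    out, pos = [], 0
    while pos < len(body):
        m = TOKEN.match(body, pos)
        if not m:
            raise ValueError(f"bad signature body at column {pos}")
        if m.lastgroup == "byte":
            b = int(m.group(), 16)
            # Printable ASCII is shown as-is, everything else is escaped.
            out.append(chr(b) if 0x20 <= b < 0x7f else f"\\x{b:02x}")
        else:
            # Keep wildcards visible so the match logic stays readable.
            out.append("{" + m.group().strip("{}") + "}")
        pos = m.end()
    return {"name": name, "target": TARGET_TYPES.get(int(target), target),
            "offset": offset, "decoded": "".join(out)}

if __name__ == "__main__":
    for key, value in decode_ndb(SAMPLE).items():
        print(f"{key.upper()}: {value}")
```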



