[clamav-users] Ios.Trojan.FakeTelegram-6736161-0 FOUND

Eric Tykwinski eric-list at truenet.com
Thu Dec 6 16:26:00 EST 2018


Al,

I think you are probably right looking at it.

> What kind of suggestion are you looking for?
>
> They appear to be three different iPhone/iPad/iPod applications.
> 
> The signatures were added to the ClamAV database on 1 Nov 2018.
> 
> I would have to guess it has something to do with this Talos article:
> 
> <https://blog.talosintelligence.com/2018/11/persian-stalker.html?utm_source=mosaicsecurity>
>  
> -Al-
> ClamXAV User

I would just add a way to find the decoded sig like last time this was asked.

~# sigtool --find-sigs Ios.Trojan.FakeTelegram-6736161-0 daily.cld | sigtool --decode-sigs
VIRUS NAME: Ios.Trojan.FakeTelegram-6736161-0
TDB: Engine:81-255,Target:0
LOGICAL EXPRESSION: 0&1&2
 * SUBSIG ID 0
 +-> OFFSET: 0
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
PK
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
begir
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
Info.plist

Eric Tykwinski
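The decoded signature above reads as three conditions joined by the logical expression 0&1&2: "PK" at file offset 0, then "begir" and "Info.plist" anywhere in the file, both matched case-insensitively. The following Python script is an added illustration (not Eric's code and not part of ClamAV or sigtool) that transcribes those three subsignatures and evaluates the logical expression over constructed sample bytes, so you can see exactly what the signature requires before deciding whether a detection on your own file is plausible. The data structure, function names and the sample blobs are assumptions made for this example; the evaluator only supports the &, | and parentheses subset of ClamAV's logical-expression syntax, and its operator precedence (& binds tighter than |) is this script's convention, not a statement about the engine.

```python
import re

# Transcribed from the sigtool --decode-sigs output for
# Ios.Trojan.FakeTelegram-6736161-0 shown in the post above.
SUBSIGS = [
    {"pattern": b"PK",         "offset": 0,    "nocase": False},  # SUBSIG 0, OFFSET: 0
    {"pattern": b"begir",      "offset": None, "nocase": True},   # SUBSIG 1, OFFSET: ANY, NOCASE
    {"pattern": b"Info.plist", "offset": None, "nocase": True},   # SUBSIG 2, OFFSET: ANY, NOCASE
]
LOGICAL_EXPRESSION = "0&1&2"


def subsig_matches(data: bytes, sub: dict) -> bool:
    """Return True if a single decoded subsignature hits in `data`."""
    haystack, needle = data, sub["pattern"]
    if sub["nocase"]:  # SIGMOD: NOCASE -> compare case-folded bytes
        haystack, needle = haystack.lower(), needle.lower()
    if sub["offset"] is None:  # OFFSET: ANY -> substring search
        return needle in haystack
    off = sub["offset"]  # fixed offset -> exact position only
    return haystack[off:off + len(needle)] == needle


def eval_logical(expr: str, hits: list) -> bool:
    """Evaluate a ClamAV-style logical expression over per-subsig hit flags.

    Supported subset: subsig indices, & (AND), | (OR), parentheses. Match-count
    forms (e.g. 0>3) are not handled. Precedence here: & before |, so use
    parentheses when mixing them (assumption of this evaluator, not the engine).
    """
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError(f"unsupported expression: {expr!r}")
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"malformed expression near token {pos}: {expr!r}")
        pos += 1
        return tok

    def factor():
        tok = take()
        if tok == "(":
            value = or_expr()
            take(")")
            return value
        if tok.isdigit() and int(tok) < len(hits):
            return hits[int(tok)]
        raise ValueError(f"bad subsig reference {tok!r} in {expr!r}")

    def and_expr():
        value = factor()
        while peek() == "&":
            take()
            rhs = factor()          # always consume the operand
            value = value and rhs
        return value

    def or_expr():
        value = and_expr()
        while peek() == "|":
            take()
            rhs = and_expr()
            value = value or rhs
        return value

    result = or_expr()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {expr!r}")
    return result


def scan(data: bytes) -> bool:
    """Apply the transcribed signature to a byte string."""
    hits = [subsig_matches(data, s) for s in SUBSIGS]
    return eval_logical(LOGICAL_EXPRESSION, hits)


# Constructed samples (not real app bundles). A zip local-file-header magic
# "PK\x03\x04" is all SUBSIG 0 checks for, since it only wants "PK" at offset 0.
SAMPLE_FLAGGED = b"PK\x03\x04" + b"\x00" * 26 + b"Payload/BEGIR.app/Info.plist" + b"\x00" * 16
SAMPLE_CLEAN = b"PK\x03\x04" + b"\x00" * 26 + b"Payload/Other.app/Info.plist" + b"\x00" * 16
SAMPLE_NOT_ZIP = b"begir Info.plist"  # right strings, but no "PK" at offset 0

if __name__ == "__main__":
    for name, blob in [("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN), ("not_zip", SAMPLE_NOT_ZIP)]:
        print(f"{name}: {'FOUND' if scan(blob) else 'OK'}")
```

Because SUBSIG 1 and 2 are matched NOCASE at any offset, the flagged sample hits on "BEGIR" in upper case; the second sample, a zip with an Info.plist but no "begir" string, does not. When a file is reported under this name, checking whether its contents actually contain both strings is a quick first triage step before treating it as a confirmed detection.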
