[clamav-users] crypto currency miner
Al Varnell
alvarnell at mac.com
Tue Jan 2 20:26:37 UTC 2018
On Tue, Jan 02, 2018 at 09:40 AM, lejeczek wrote:
> I'd like to ask if your miner, if you mine crypto coins that is, often pops up in clamav?
>
> I have this one: https://github.com/sammy007/cpuminer-multi
>
> and it gets flagged as:
>
> ./cpuminer-multi/minerd: Unix.Tool.Minerd-6404314-0 FOUND
>
> Would someone know something more about that code and why clamav sees it as .. right, as what exactly?
>
> many thanks, L.
As others have said, ClamAV correctly identifies it as a miner tool used on a unix system and you will need to either ignore it or add it to your local whitelist.
FYI, the logical signature is:
VIRUS NAME: Unix.Tool.Minerd-6404314-0
TDB: Target:6
LOGICAL EXPRESSION: (0&1&2&3&4)
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> SUBSIGNATURE:
55736167653a206d696e657264205b4f5054494f4e535d
Usage: minerd [OPTIONS]
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
stratum+tcp://
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
User-Agent: cpuminer
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
booooo
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
blake
-Al-
--
Al Varnell
ClamXAV user
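The sigtool dump above is the decoded form of one .ldb record: a name, a target type (6 is ELF), a logical expression, and five hex-encoded literal sub-signatures that may occur at any offset. The expression (0&1&2&3&4) means the detection only fires when all five strings co-occur in one ELF file, which is why a CPU-miner build that contains the usage banner, a stratum URL, the cpuminer User-Agent, the "booooo" string and the "blake" algorithm name trips it. The script below is an added example, not ClamAV code and not something from the thread: it rebuilds the .ldb line from the strings quoted in the mail, parses it back, and runs a deliberately minimal evaluator (literal sub-signatures, OFFSET ANY, only &, | and parentheses in the expression, no wildcards, counts or other sigtool modifiers) over constructed sample buffers. The ELF header bytes and the sample blobs are made up for the demonstration.

```python
"""Minimal re-creation of the ClamAV logical signature quoted in the mail.

Added example only: it handles the subset of the .ldb format this one
signature uses and is not a replacement for clamscan/sigtool.
"""
import re

SIG_NAME = "Unix.Tool.Minerd-6404314-0"
TARGET_ELF = 6  # ClamAV target type 6 = ELF (TDB: Target:6 in the dump)
ELF_MAGIC = b"\x7fELF"

# The five sub-signatures exactly as decoded in the sigtool output.
SUBSIGS = [
    b"Usage: minerd [OPTIONS]",  # subsig 0 (shown in hex in the mail)
    b"stratum+tcp://",           # subsig 1
    b"User-Agent: cpuminer",     # subsig 2
    b"booooo",                   # subsig 3
    b"blake",                    # subsig 4
]


def build_ldb_line(name=SIG_NAME, target=TARGET_ELF, subsigs=SUBSIGS):
    """Assemble Name;Target:N;(0&1&...);hexsub0;hexsub1;... as stored in an .ldb file."""
    expr = "(" + "&".join(str(i) for i in range(len(subsigs))) + ")"
    return ";".join([name, f"Target:{target}", expr] + [s.hex() for s in subsigs])


def parse_ldb_line(line):
    """Split an .ldb record back into (name, target, expression, [bytes...])."""
    name, tdb, expr, *hexsubs = line.split(";")
    target = int(tdb.split(":", 1)[1])
    return name, target, expr, [bytes.fromhex(h) for h in hexsubs]


def evaluate(expr, hits):
    """Evaluate a logical expression over per-subsig hit flags.

    Supports indices, '&', '|' and parentheses only; ClamAV's count and
    range operators (e.g. '0>1', '(0|1)=2') are intentionally not handled.
    """
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError(f"unsupported logical expression: {expr!r}")
    pos = 0

    def atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = disjunction()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ')'")
            pos += 1
            return value
        return bool(hits[int(tok)])

    def conjunction():
        nonlocal pos
        value = atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            value = atom() and value  # atom() runs first so pos always advances
        return value

    def disjunction():
        nonlocal pos
        value = conjunction()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            value = conjunction() or value
        return value

    result = disjunction()
    if pos != len(tokens):
        raise ValueError("trailing tokens in expression")
    return result


def scan(data, ldb_line):
    """Return the signature name if the buffer matches, else None."""
    name, target, expr, subsigs = parse_ldb_line(ldb_line)
    if target == TARGET_ELF and data[:4] != ELF_MAGIC:
        return None  # Target:6 signatures are only applied to ELF files
    hits = [s in data for s in subsigs]  # OFFSET: ANY -> plain substring search
    return name if evaluate(expr, hits) else None


def constructed_sample(strings, elf=True):
    """Constructed test blob: a fake ELF ident (not a valid binary) plus the strings."""
    header = ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9 if elf else b"#!/bin/sh\n"
    return header + b"\n".join(strings) + b"\0"


LDB = build_ldb_line()
FULL = constructed_sample(SUBSIGS)
NO_BOOOOO = constructed_sample([s for s in SUBSIGS if s != b"booooo"])
NOT_ELF = constructed_sample(SUBSIGS, elf=False)

if __name__ == "__main__":
    print(LDB)
    for label, blob in [("all five strings, ELF", FULL),
                        ("missing 'booooo', ELF", NO_BOOOOO),
                        ("all five strings, shell script", NOT_ELF)]:
        print(f"{label:32s} -> {scan(blob, LDB)}")
```

Running it prints the reconstructed record (the fourth field is the same hex string shown for SUBSIG ID 0) and shows that dropping any one of the five strings, or putting them in a non-ELF file, stops the match. For the whitelisting the mail suggests, ClamAV reads signature names to ignore from a file with the .ign2 extension in the database directory, one name per line, so a line reading Unix.Tool.Minerd-6404314-0 there suppresses this detection locally.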