[clamav-users] False Positive for Txt.Coinminer.Generic-7132166-0

Brian Cole cole at echoworx.com
Tue Aug 27 14:05:53 EDT 2019


Alain and Eric, thanks for those answers; that definitely seems to be the issue.

I ran the sigtool command you provided and it displayed the following information:

$ sigtool --find-sigs Txt.Coinminer.Generic-7132166-0 | sigtool --decode-sigs
VIRUS NAME: Txt.Coinminer.Generic-7132166-0
TDB: Engine:81-255,Target:7
LOGICAL EXPRESSION: 0&1&2&3&4&5
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
miner
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
coinhive
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
keepalive
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
params
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
algo
* SUBSIG ID 5
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
pass
$

I then grepped for those 6 strings in my text file and sure enough they are all present in that one single file:

$ grep -i miner /var/log/sid_changes.log  | wc
     75     484    5299
$ grep -i coinhive /var/log/sid_changes.log | wc
     12      82     824
$ grep -i keepalive /var/log/sid_changes.log | wc
     10      60     658
$ grep -i params /var/log/sid_changes.log | wc
     10      86     796
$ grep -i algo /var/log/sid_changes.log | wc
     13     152    1302
$ grep -i pass /var/log/sid_changes.log | wc
   1739   17000  151213
$

…Brian
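The match Brian describes, reproduced as an added example (not ClamAV's code or anything posted in the thread): each decoded subsignature is a plain case-insensitive substring test and the logical expression ANDs all six, so any text file that happens to contain all six words trips the signature. The log lines below are constructed, and the expression evaluator handles only `&`, `|` and parentheses, not ClamAV's count operators.

```python
import re
# The signature exactly as sigtool decoded it above: six NOCASE substrings,
# all required (Target:7 = plain text).  Constants taken from the post.
SUBSIGS = {0: "miner", 1: "coinhive", 2: "keepalive",
           3: "params", 4: "algo", 5: "pass"}
EXPRESSION = "0&1&2&3&4&5"

# Constructed benign log in the spirit of sid_changes.log; SIDs and messages are made up.
BENIGN_LOG = """\
2019-08-26 sid:90001 enabled  "MALWARE-CNC Coinminer outbound connection"
2019-08-26 sid:90002 disabled "POLICY-OTHER coinhive javascript detected"
2019-08-26 sid:90003 modified "PROTOCOL-OTHER TCP keepalive anomaly"
2019-08-26 sid:90004 modified "SERVER-WEBAPP params injection attempt"
2019-08-26 sid:90005 enabled  "POLICY-OTHER weak hash algo negotiated"
2019-08-26 sid:90006 enabled  "SERVER-OTHER password brute force attempt"
"""

def subsig_hits(data: str) -> dict:
    """Count each subsignature in the data; NOCASE means compare lower-cased."""
    hay = data.lower()
    return {i: hay.count(pat.lower()) for i, pat in SUBSIGS.items()}

def eval_expression(expr: str, hits: dict) -> bool:
    """Evaluate subsig ids joined by &, | and parentheses; count operators
    (>, <, =) raise ValueError.  Toy precedence: & binds tighter than |."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError("unsupported logical expression: " + expr)
    def parse_or(pos):
        val, pos = parse_and(pos)
        while pos < len(tokens) and tokens[pos] == "|":
            rhs, pos = parse_and(pos + 1)
            val = val or rhs
        return val, pos
    def parse_and(pos):
        val, pos = parse_atom(pos)
        while pos < len(tokens) and tokens[pos] == "&":
            rhs, pos = parse_atom(pos + 1)
            val = val and rhs
        return val, pos
    def parse_atom(pos):
        if tokens[pos] == "(":
            val, pos = parse_or(pos + 1)
            return val, pos + 1          # consume the matching ")"
        return hits.get(int(tokens[pos]), 0) > 0, pos + 1
    return parse_or(0)[0]

def matches(data: str) -> bool:
    return eval_expression(EXPRESSION, subsig_hits(data))
```

Removing any one of the six lines (for example the only one containing "coinhive") makes `matches()` return False, which is why the file would stop being flagged once a single term is gone.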