[clamav-users] About Madeba-8019734
G.W. Haywood
clamav at jubileegroup.co.uk
Mon Jul 6 17:16:51 UTC 2020
Hi there,
On Mon, 6 Jul 2020, Michel GALLE wrote:
> it's my first post here.
Welcome. :)
> I try to get information about "Xls.Malware.Madeba-8019734-0".
>
> Clamav informed me a previously clean (or supposedly clean) xls file is
> in fact infected by Xls.Malware.Madeba-8019734-0.
>
> The file was not modified or edited.
>
> I found that the Malware.Madeba-8019734-0 definition was added to Clamav on 13
> June 2020 or so, in version 25842 of the clamav signatures.
The detection is likely a false positive. They are not uncommon, and
they most often occur when a new signature is not sufficiently specific.
> My question is: where can I find more information about
> Malware.Madeba-8019734-0? Is there a better website/service referencing all
> known malware?
You can look for the plain text in the signature databases, for example
8<----------------------------------------------------------------------
$ grep -a Madeba-8019734-0 /var/lib/clamav/databases/daily.cld
Xls.Malware.Madeba-8019734-0;Engine:51-255,Target:2;0&1&2&3&4&5;2d2d204c696d69747320696e20706c61636520323030342d30392d3233202e2e2e;44696d205241424a49312020417320537472696e67;44696d20776f726473283130302920417320537472696e67;464c4954494553203d20776f72647328444f5a414c;4966205041535434203e2030205468656e;776f726473283835
8<----------------------------------------------------------------------
You can use 'sigtool' to extract information about signatures, for example
8<----------------------------------------------------------------------
$ sigtool --datadir=/var/lib/clamav/databases/ -fXls.Malware.Madeba-8019734-0 | sigtool --decode-sigs
VIRUS NAME: Xls.Malware.Madeba-8019734-0
TDB: Engine:51-255,Target:2
LOGICAL EXPRESSION: 0&1&2&3&4&5
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
-- Limits in place 2004-09-23 ...
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Dim RABJI1 As String
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Dim words(100) As String
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
FLITIES = words(DOZAL
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
If PAST4 > 0 Then
* SUBSIG ID 5
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
words(85
8<----------------------------------------------------------------------
This will make more sense to people who create signatures than to
those who have never done that. The ClamAV documentation and Website
have more information about the signature formats; every ClamAV utility
has a 'man' page, for example try typing
man sigtool
at a shell prompt.
> I can't find it at Microsoft, Kaspersky, Trend Micro...
There is no universally agreed naming system for malware, so it can be
difficult to compare the signatures for different scanners.
--
73,
Ged.
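As an added example (not from the thread or from the ClamAV project), a small Python decoder for the .ldb line quoted above: it hex-decodes the six subsignatures and evaluates the logical expression against a byte buffer, so when triaging a suspected false positive you can see exactly which strings the macro text of a flagged spreadsheet shares with the signature. It assumes plain hex subsignatures and an expression built from `&`, `|` and parentheses only; ClamAV wildcards and count modifiers (`=n`, `>n`, `<n`) are not handled, and the two macro fragments are constructed for the demonstration.

```python
import re

# The .ldb logical signature quoted in the thread above, copied verbatim.
SIG_LINE = ("Xls.Malware.Madeba-8019734-0;Engine:51-255,Target:2;0&1&2&3&4&5;"
            "2d2d204c696d69747320696e20706c61636520323030342d30392d3233202e2e2e;"
            "44696d205241424a49312020417320537472696e67;"
            "44696d20776f726473283130302920417320537472696e67;"
            "464c4954494553203d20776f72647328444f5a414c;"
            "4966205041535434203e2030205468656e;776f726473283835")

# Constructed VBA fragment containing every decoded subsignature (not a real sample).
SAMPLE_MACRO = (b"' -- Limits in place 2004-09-23 ...\nDim RABJI1  As String\n"
                b"Dim words(100) As String\nFLITIES = words(DOZAL)\n"
                b"If PAST4 > 0 Then\n    FLITIES = words(85)\nEnd If\n")

# Constructed fragment sharing only two of the six strings, so the AND expression fails.
BENIGN_MACRO = b"Dim words(100) As String\nx = words(85)\n"

def parse_ldb(line):
    """Split an .ldb line into name, target block, logical expression and decoded subsigs.
    Assumption: every subsignature is plain hex (no ClamAV wildcards)."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    return name, tdb, expr, [bytes.fromhex(s) for s in subsigs]

def eval_expr(expr, hits):
    """Evaluate a logical expression of subsig ids joined by &, | and parentheses.
    `hits` maps subsig id -> True/False. Count modifiers are not supported."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    pos = 0
    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            value = parse_and() or value  # always parse, never short-circuit
        return value
    def parse_and():
        nonlocal pos
        value = parse_atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            value = parse_atom() and value
        return value
    def parse_atom():
        nonlocal pos
        tok = tokens[pos]; pos += 1
        if tok == "(":
            value = parse_or(); pos += 1  # consume the closing ")"
            return value
        return hits[int(tok)]
    return parse_or()

def match(line, data):
    """Return (signature fires?, per-subsig hit map) for one .ldb line against a buffer."""
    _, _, expr, subsigs = parse_ldb(line)
    hits = {i: s in data for i, s in enumerate(subsigs)}
    return eval_expr(expr, hits), hits
```

Printing `match(SIG_LINE, data)[1]` for the extracted macro text of the flagged .xls shows which of the six substrings are present, which is the quickest way to judge whether the signature is too generic for that document.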