[clamav-users] [ext] About Madeba-8019734
Ralf Hildebrandt
Ralf.Hildebrandt at charite.de
Mon Jul 6 17:18:28 UTC 2020
* Michel GALLE <michel.galle at 6wind.com>:
> Hi Everyone,
>
> it's my first post here.
>
> I am trying to get information about "Xls.Malware.Madeba-8019734-0".
>
> ClamAV informed me that a previously clean (or supposedly clean) xls file
> is in fact infected by Xls.Malware.Madeba-8019734-0.
>
> The file was not modified or edited.
>
> I found that the Malware.Madeba-8019734-0 definition was added to ClamAV on 13
> June 2020 or so, in version 25842 of the ClamAV signatures.
>
> My question is: where can I find more information about
> Malware.Madeba-8019734-0? Is there a better website/service referencing all
> known malware?
# sigtool --find-sigs Xls.Malware.Madeba-8019734-0 | sigtool --decode-sigs
VIRUS NAME: Xls.Malware.Madeba-8019734-0
TDB: Engine:51-255,Target:2
LOGICAL EXPRESSION: 0&1&2&3&4&5
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
-- Limits in place 2004-09-23 ...
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Dim RABJI1 As String
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Dim words(100) As String
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
FLITIES = words(DOZAL
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
If PAST4 > 0 Then
* SUBSIG ID 5
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
words(85
So, as you can see, the signature consists of 6 subsignatures numbered
0-5, all of which must match. It sort-of looks highly specific to me.
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155
ralf.hildebrandt at charite.de
https://www.charite.de
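
An added example, not part of the original post and not ClamAV code: Python that parses `sigtool --decode-sigs` output in the layout shown above and reports which subsignatures occur in macro text, useful when triaging a suspected false positive. Assumptions: the macro source has already been extracted from the OLE2 container, decoded subsignatures are treated as plain literals, only `&`, `|` and parentheses are handled, and `parse_decoded`, `evaluate`, `triage` and both samples are constructed here.

```python
import re
# Constructed sample: abridged from the output above (subsigs 1, 2, 4; expression shortened).
DECODED = """LOGICAL EXPRESSION: 1&2&4
 * SUBSIG ID 1
 +-> DECODED SUBSIGNATURE:
Dim RABJI1 As String
 * SUBSIG ID 2
 +-> DECODED SUBSIGNATURE:
Dim words(100) As String
 * SUBSIG ID 4
 +-> DECODED SUBSIGNATURE:
If PAST4 > 0 Then
"""
MACRO = "Dim RABJI1 As String\nDim words(100) As String\n"  # constructed text

def parse_decoded(text):
    """Return (logical expression, {subsig id: decoded literal}) from sigtool output."""
    expr = re.search(r"LOGICAL EXPRESSION:\s*(\S+)", text).group(1)
    pairs = re.findall(r"SUBSIG ID (\d+)\n(?:.*\n)*?.*DECODED SUBSIGNATURE:[ \t]*\n(.*)", text)
    return expr, {int(i): lit for i, lit in pairs}

def evaluate(expr, hits):
    """Evaluate indices joined by &, | and parentheses; count modifiers are rejected."""
    toks = re.findall(r"\d+|[&|()]", expr)[::-1]   # reversed so pop() reads left to right
    if "".join(reversed(toks)) != expr:
        raise ValueError(f"unsupported expression: {expr}")
    def atom():
        t = toks.pop()
        if t != "(":
            return hits[int(t)]
        v = level("|")
        toks.pop()                                 # closing ")"
        return v
    def level(op):                                 # assumption: & binds tighter than |
        nxt = atom if op == "&" else (lambda: level("&"))
        v = nxt()
        while toks and toks[-1] == op:
            toks.pop()
            r = nxt()
            v = (v and r) if op == "&" else (v or r)
        return v
    return level("|")

def triage(decoded, macro_source):
    expr, subsigs = parse_decoded(decoded)
    hits = {i: lit in macro_source for i, lit in subsigs.items()}  # literal match only
    return evaluate(expr, hits), hits

if __name__ == "__main__":
    print(triage(DECODED, MACRO))
```

A per-subsignature hit map shows how close a file comes to the full match, which a bare FOUND line from the scanner does not.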