[clamav-users] [ext] About Madeba-8019734
Andrew Williams
awillia2 at sourcefire.com
Tue Jul 7 14:50:46 UTC 2020
Michel,
Thanks for reporting this to us. This signature hit is indeed a false
positive, and the signature should be dropped shortly.
-Andrew
Andrew Williams
Malware Research Team
Cisco Talos
On Mon, Jul 6, 2020 at 1:19 PM Ralf Hildebrandt via clamav-users <clamav-users at lists.clamav.net> wrote:
> * Michel GALLE <michel.galle at 6wind.com>:
> > Hi Everyone,
> >
> > It's my first post here.
> >
> > I am trying to get information about "Xls.Malware.Madeba-8019734-0".
> >
> > ClamAV informed me that a previously clean (or supposed to be clean) xls file is in fact infected by Xls.Malware.Madeba-8019734-0.
> >
> > The file was not modified or edited.
> >
> > I found that the Malware.Madeba-8019734-0 definition was added to ClamAV on 13 June 2020 or so, in version 25842 of the ClamAV signatures.
> >
> > My question is: where can I find more information about Malware.Madeba-8019734-0? Is there a better website/service referencing all known malware?
>
>
> # sigtool --find-sigs Xls.Malware.Madeba-8019734-0 | sigtool --decode-sigs
> VIRUS NAME: Xls.Malware.Madeba-8019734-0
> TDB: Engine:51-255,Target:2
> LOGICAL EXPRESSION: 0&1&2&3&4&5
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> -- Limits in place 2004-09-23 ...
> * SUBSIG ID 1
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Dim RABJI1 As String
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Dim words(100) As String
> * SUBSIG ID 3
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> FLITIES = words(DOZAL
> * SUBSIG ID 4
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> If PAST4 > 0 Then
> * SUBSIG ID 5
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> words(85
>
> So, as you can see, the signature consists of 6 subsignatures numbered
> 0-5, all of which must match. It sort of looks highly specific to me.
>
> Ralf Hildebrandt
> Charité - Universitätsmedizin Berlin
> Geschäftsbereich IT | Abteilung Netzwerk
>
> Campus Benjamin Franklin (CBF)
> Haus I | 1. OG | Raum 105
> Hindenburgdamm 30 | D-12203 Berlin
>
> Tel. +49 30 450 570 155
> ralf.hildebrandt at charite.de
> https://www.charite.de
>
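Ralf's decode above shows a logical signature: six plain-text VBA subsignatures combined by the expression 0&1&2&3&4&5, so the detection fires only when every one of them is found in the file. The Python below, added here as an example (not ClamAV's or sigtool's own code), re-creates that evaluation over a constructed macro text, with plain substring matching standing in for ClamAV's pattern matcher and only &, | and parentheses supported in the expression.

```python
import re
# Logical expression and six decoded (plain-text VBA) subsignatures, copied
# from the sigtool --decode-sigs output quoted in the thread.
LOGICAL_EXPRESSION = "0&1&2&3&4&5"
SUBSIGS = {
    0: "-- Limits in place 2004-09-23 ...",
    1: "Dim RABJI1 As String",
    2: "Dim words(100) As String",
    3: "FLITIES = words(DOZAL",
    4: "If PAST4 > 0 Then",
    5: "words(85",
}
# Constructed macro text (not the reporter's file) containing all six literals.
SAMPLE_MACRO = """' -- Limits in place 2004-09-23 ...
Dim RABJI1 As String
Dim words(100) As String
If PAST4 > 0 Then FLITIES = words(DOZAL) : words(85) = ""
"""

def subsig_hits(data, subsigs=SUBSIGS):
    """Which subsigs occur in data; substring match stands in for ClamAV's matcher."""
    return {sid: lit in data for sid, lit in subsigs.items()}

def eval_logical(expr, hits):
    """Evaluate ids joined by '&', '|' and parentheses (count operators not handled)."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError("unsupported logical expression: " + expr)
    def factor():
        tok = tokens.pop(0)
        if tok != "(":
            return hits[int(tok)]
        val = expression()
        tokens.pop(0)                # the closing ')'
        return val
    def term():                      # factor ('&' factor)*
        val = factor()
        while tokens and tokens[0] == "&":
            tokens.pop(0)
            val = factor() and val   # always consume the right-hand side
        return val
    def expression():                # term ('|' term)*
        val = term()
        while tokens and tokens[0] == "|":
            tokens.pop(0)
            val = term() or val
        return val
    return expression()

def matches(data, expr=LOGICAL_EXPRESSION, subsigs=SUBSIGS):
    return eval_logical(expr, subsig_hits(data, subsigs))
```

Dropping any single literal (for instance changing `words(85` to `words(84`) makes `matches()` return False, which is the "all six must match" behaviour Ralf describes.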