[clamav-users] vistumbler as false positive

Al Varnell alvarnell at mac.com
Thu Apr 8 10:47:44 UTC 2021


That signature has been in the ClamAV daily.ldb database since Jan 15 and appears to be looking for some relatively unique strings:

% sigtool -fWin.Malware.Generic-9819492-0|sigtool --decode-sigs
VIRUS NAME: Win.Malware.Generic-9819492-0
TDB: Engine:81-255,Target:1
LOGICAL EXPRESSION: 0&1&2&3&4
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
*Unable to get a list of running processes.
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
api-ms-win-core-synch-l1-2-0.dll
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
internal error: invalid forward reference offset
 * SUBSIG ID 4
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>

-Al-

On Apr 8, 2021, at 03:24, Arnaud Jacques <webmaster at securiteinfo.com> wrote:
> 
> Hello,
> 
> At first look, ClamAV is not the only one that flags it as malware :
> 
> https://www.virustotal.com/gui/file/071921ede559082a14d54ba7f7f5cea2f6abced8f1747b245efff5d092a1aae4/detection
> 
> 
> On 08/04/2021 at 11:41, Eero Volotinen wrote:
>> Thanks. I submitted files via that url.
>>  clamscan Vistumbler_v1*
>> /root/Vistumbler_v10-7.exe: OK
>> /root/Vistumbler_v10-7_Portable.zip: Win.Malware.Generic-9819492-0 FOUND
>> /root/Vistumbler_v10-7.zip: Win.Malware.Generic-9819492-0 FOUND
>> So, looks like this is a false positive on Vistumbler.
>> Eero
>> On Thu, Apr 8, 2021 at 5:03 AM Al Varnell via clamav-users <clamav-users at lists.clamav.net> wrote:
>>    Without knowing the name of the infection I can't provide even a
>>    guess as to whether it is or not, but the exact answer to your
>>    question is for you to report it by filling out the form found
>>    @https://www.clamav.net/reports/fp including the file itself.
>>    Sent from my iPad
>>    -Al-
>>    On Apr 7, 2021, at 18:03, Eero Volotinen <eero.volotinen at iki.fi> wrote:
>>>    https://raw.github.com/acalcutt/Releases/master/Vistumbler/VistumblerMDB/v10/Vistumbler_v10-7.exe
>>> 
>>>    Looks like this (vistumbler) is detected as a false positive.
>>> 
>>>    How to fix this?
>>> 
>>>    Eero

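As an added illustration (not code from this thread or from ClamAV), a small Python model of how the logical signature decoded above is evaluated, which is the check a triager wants when a generic signature fires: each decoded subsignature is turned into its byte form (UTF-16LE for SIGMOD WIDE, raw bytes for NONE, '*' as an any-bytes wildcard) and the logical expression 0&1&2&3&4 requires every one of them to be present. The sample buffers are constructed here and are not Vistumbler's bytes; the matcher only approximates ClamAV's engine, and the subsignature text is transcribed from the sigtool output.

```python
import re

# Subsignatures transcribed from the sigtool decode above as (pattern, SIGMOD): '*' is
# ClamAV's any-bytes wildcard, WIDE means the literal is matched as UTF-16LE, NONE as raw bytes.
SUBSIGS = [
    ("*Unable to get a list of running processes.", "WIDE"),
    ('0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.', "WIDE"),
    ("api-ms-win-core-synch-l1-2-0.dll", "WIDE"),
    ("internal error: invalid forward reference offset", "NONE"),
    ("Error parsing function call.0Incorrect number of parameters in function call."
     "'\"ReDim\" used without an array variable.>", "WIDE"),
]
LOGICAL_EXPRESSION = "0&1&2&3&4"

def subsig_regex(pattern, sigmod):
    # Literal pieces are encoded per SIGMOD and joined by an any-bytes gap (approximates ClamAV).
    enc = "utf-16-le" if sigmod == "WIDE" else "latin-1"
    pieces = [re.escape(p.encode(enc)) for p in pattern.split("*")]
    return re.compile(b".*?".join(pieces), re.DOTALL)

def subsig_hits(data):
    return [subsig_regex(p, m).search(data) is not None for p, m in SUBSIGS]

def evaluate(expr, hits):
    # Subsig ids joined by & and | with parentheses; whitelisted before eval, count modifiers (=, <, >) rejected.
    if not re.fullmatch(r"[\d&|()]+", expr):
        raise ValueError("unsupported logical expression: " + expr)
    py = re.sub(r"\d+", lambda m: str(hits[int(m.group())]), expr)
    return bool(eval(py, {"__builtins__": {}}, {}))

def scan(data):
    hits = subsig_hits(data)
    return evaluate(LOGICAL_EXPRESSION, hits), hits

def wide(s):
    return s.encode("utf-16-le")

# Constructed sample buffers (not real Vistumbler bytes): FULL carries every
# string as a compiled binary would; PARTIAL lacks subsig 3, so the AND fails.
FULL = (b"MZ\x90\x00" + wide("xx Unable to get a list of running processes.")
        + wide('0Expected a "=" operator in assignment statement.') + b"\x00\x00"
        + wide("Invalid keyword at the start of this line.")
        + wide("api-ms-win-core-synch-l1-2-0.dll")
        + b"internal error: invalid forward reference offset"
        + wide("Error parsing function call.0Incorrect number of parameters in "
               "function call.'\"ReDim\" used without an array variable.>"))
PARTIAL = FULL.replace(b"internal error: invalid forward reference offset", b"")

if __name__ == "__main__":
    print(scan(FULL), scan(PARTIAL))
```

The per-subsignature hit list is the useful part of the output: it shows which of the five strings a flagged file actually carries, which is what you would cite when filing the false-positive report.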