[clamav-users] Nonsensical noreplies from ClamAV team

Christopher Marczewski cmarczewski at sourcefire.com
Thu Dec 9 17:06:10 UTC 2021


Win.Malware.Agent-9914239-0 will be published shortly and covers both DLL
samples.

On Thu, Nov 18, 2021 at 2:16 PM Christopher Marczewski <
cmarczewski at sourcefire.com> wrote:

> Hello Alessandro,
>
> Given the SHA256 hashes in those replies, we've confirmed it was the
> original e-mail and your subsequent reply that were submitted to us, not
> the DLL files themselves. I'll take a look at both binaries and reply back
> with the signature names.
>
> Hope this helps!
>
> On Thu, Nov 18, 2021 at 1:49 PM Alessandro Vesely via clamav-users <
> clamav-users at lists.clamav.net> wrote:
>
>> Hi all,
>>
>> even though I filter incoming messages with ClamAV, last Monday I
>> received a mail with two suspicious attachments.  They were PE32+
>> executable (DLL) (GUI) x86-64, for MS Windows.  I uploaded the samples to
>> virustotal.com, who reported they were recognized as trojans.  I saved
>> the viral message and uploaded it to
>> https://www.clamav.net/reports/malware.  On Tuesday I received the
>> following message:
>>
>> -------- Forwarded Message --------
>> Subject:        ClamAV.net - Your malware submission
>> Date:   Tue, 16 Nov 2021 07:23:26 +0000 (UTC)
>> From:   noreply at clamav.com
>> To:     vesely at tana.it
>>
>>
>>
>> Alessandro Vesely,
>>
>> Thank you again for your submission.
>>
>> Your File:
>> purchase-ORD (SHA256:
>> 2ac2bb49a9135954a298cbb3e52b3ecfcb1e5e2dc6d83fac7052d4c3833ac11a)
>>
>>
>> Our initial assessment shows that this file is possibly clean. If you
>> provided a description that suggests otherwise, we will further examine the
>> sample & proceed from there.
>>
>> -The ClamAV team
>> -------- End Of Forwarded Message --------
>>
>>
>> "If you provided" looked like a future unreal conditional to me.  It is
>> certainly unreal, given the From:.  Anyway, I replied something like the
>> following text:
>>
>>
>> https://www.virustotal.com/gui/file/40392920e907b85591dac15d2f4ca49a477e0401abb3334cda2b45a9a513fd58
>> 10 security vendors flagged this file as malicious
>> 40392920e907b85591dac15d2f4ca49a477e0401abb3334cda2b45a9a513fd58
>> Notificaion-30714_20211115.xll
>>
>>
>> https://www.virustotal.com/gui/file/8c0b4c9fe9e49b8eaf449aad36ebb39235835ab2c3a49584be7d0697ecb82c21
>> 11 security vendors flagged this file as malicious
>> 8c0b4c9fe9e49b8eaf449aad36ebb39235835ab2c3a49584be7d0697ecb82c21
>> Document-055293_20211115.xll
>>
>>
>> However, on Wednesday it bounced, because ClamAV's mail server,
>> tad.clamav.net, is persistently down.  I thought that was a temporary
>> hiccup and perhaps the ClamAV team wasn't even aware of it.  So I saved the
>> bounce, which contained the whole original message, and uploaded it to the
>> same location, explaining that the attachment was a reply to their message,
>> not a sample.  Guess what I received on Thursday?
>>
>>
>> -------- Forwarded Message --------
>> Subject:        ClamAV.net - Your malware submission
>> Date:   Thu, 18 Nov 2021 08:52:21 +0000 (UTC)
>> From:   noreply at clamav.com
>> To:     vesely at tana.it
>>
>>
>>
>> Alessandro Vesely,
>>
>> Thank you again for your submission.
>>
>> Your File:
>> reply-to-Clamav-Team (SHA256:
>> e9876ec9577e7c1b4a38236a6d18306e57e618a46d4bcfd1837cfd7e9238c281)
>>
>>
>> Our initial assessment shows that this file is possibly clean. If you
>> provided a description that suggests otherwise, we will further examine the
>> sample & proceed from there.
>>
>> -The ClamAV team
>> -------- End Of Forwarded Message --------
>>
>>
>> What's the purpose of such messages?
>>
>>
>> Meanwhile, tad.clamav.net is still down.
>>
>> Best
>> Ale
>> --
>> _______________________________________________
>>
>> clamav-users mailing list
>> clamav-users at lists.clamav.net
>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>>
>
>
> --
> Christopher Marczewski
> Research Engineer, Talos
> Cisco Systems
> 443-832-2975
>


-- 
Christopher Marczewski
Research Engineer, Talos
Cisco Systems
443-832-2975