[clamav-users] Txt.Downloader.Generic-6298945-0 FOUND

Al Varnell alvarnell at mac.com
Sat Oct 22 02:42:50 UTC 2022


Hi Wally,

Downloaders are not generally Trojans, although they may result from a Trojan that is used to install a Downloader.

This signature has been in the ClamAV database since Apr 26 2017, which would tend to indicate its validity.

The signature breaks out to:
> % sigtool -fTxt.Downloader.Generic-6298945-0|sigtool --decode-sigs
> VIRUS NAME: Txt.Downloader.Generic-6298945-0
> TDB: Engine:71-255,Target:7
> LOGICAL EXPRESSION: (0|1)&(2>1)&3&(4>5)&(5>2)&(6>125)
>  * SUBSIG ID 0
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> admin
>  * SUBSIG ID 1
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> random
>  * SUBSIG ID 2
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> eval(
>  * SUBSIG ID 3
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> wscript.shell
>  * SUBSIG ID 4
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> :2e{EXCLUDING_STRING_ALTERNATIVE::}
>  * SUBSIG ID 5
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> activ
>  * SUBSIG ID 6
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> :2

Perhaps you have an add-on that is re-creating this file or you are visiting a page that re-creates it.

-Al-
-- 
ClamXAV User

On Oct 21, 2022, at 5:54 PM, Wally Spratz <wally at longoz.ca> wrote:
> Hi all,
> 
> Recently my clamav scan summary has started showing a positive result for 'Txt.Downloader.Generic-6298945-0' in the following directory:
> 
>> /home/a/.cache/mozilla/firefox/aumvdtqj.default-release/cache2/entries/79B6E3A1CE2A151EBE6E39D2C50B6F304AFA5F65: Txt.Downloader.Generic-6298945-0 FOUND
> 
> Does anybody know whether or not this is a trojan?
> 
> If I delete the Firefox cache it disappears for a few scans but eventually it comes back.
> 
> Any idea what I should do to prevent this?
> 
> I am on Firefox 105.0.2 (64 bit) on Fedora 35
> 
> Here is the scan summary:
> 
> /home/a/.cache/mozilla/firefox/aumvdtqj.default-release/cache2/entries/79B6E3A1CE2A151EBE6E39D2C50B6F304AFA5F65: Txt.Downloader.Generic-6298945-0 FOUND
> 
> ----------- SCAN SUMMARY -----------
> Known viruses: 8640721
> Engine version: 0.103.7
> Scanned directories: 67339
> Scanned files: 484686
> Infected files: 1
> Data scanned: 46840.43 MB
> Data read: 598814.74 MB (ratio 0.08:1)
> Time: 4253.298 sec (70 m 53 s)
> Start Date: 2022:10:21 15:15:01
> End Date:   2022:10:21 16:25:55
> 
> 
> Thanks
> 
> Wally
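
To see which terms of the decoded logical expression a flagged cache entry actually satisfies, the signature can be re-evaluated term by term. The Python below is an added example, not part of the original message or of ClamAV; it assumes that lowercasing approximates ClamAV's Target:7 text normalization and that subsig 4 means the literal `:2e` followed by one byte other than `:`, and the function names and sample data are constructed for illustration.

```python
import re
import sys

# Subsignatures as decoded by sigtool in the message (all OFFSET: ANY).
# Assumption: subsig 4 is ":2e" followed by one byte that is not ":".
SUBSIGS = {
    0: re.compile(rb"admin"),
    1: re.compile(rb"random"),
    2: re.compile(rb"eval\("),
    3: re.compile(rb"wscript\.shell"),
    4: re.compile(rb":2e[^:]"),
    5: re.compile(rb"activ"),
    6: re.compile(rb":2"),
}

def count_subsigs(data: bytes) -> dict:
    """Count matches of each subsignature in lowercased data.
    Lowercasing only approximates ClamAV's text normalization."""
    norm = data.lower()
    return {i: len(rx.findall(norm)) for i, rx in SUBSIGS.items()}

def evaluate(data: bytes):
    """Evaluate (0|1)&(2>1)&3&(4>5)&(5>2)&(6>125) and return
    (overall verdict, per-term results, raw counts)."""
    c = count_subsigs(data)
    terms = {
        "(0|1)": c[0] > 0 or c[1] > 0,   # either string present
        "(2>1)": c[2] > 1,               # more than 1 match
        "3": c[3] > 0,
        "(4>5)": c[4] > 5,
        "(5>2)": c[5] > 2,
        "(6>125)": c[6] > 125,
    }
    return all(terms.values()), terms, c

# Constructed filler that meets every threshold; it is not a working script.
SAMPLE_HIT = (b"Admin " + b"eval(" * 2 + b" WScript.Shell " +
              b":2e; " * 6 + b"activ " * 3 + b":2 " * 126)

if __name__ == "__main__":
    # Pass a file path (e.g. the flagged cache entry) or use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_HIT
    matched, terms, counts = evaluate(data)
    print("would match:", matched)
    for name, ok in terms.items():
        print(f"  {name:8} {'yes' if ok else 'no'}")
    print("counts:", counts)
```

The per-term output shows how ordinary each condition is on its own; the high count required for `:2` is what narrows the match.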


         