Hi list,
Seems to me that the signature for this virus has to be reworked
somehow. It is throwing lots of FPs on Linux developer workstations.
Here's the output from last night's scan:
/snap/code/23/usr/share/code/code: Unix.Trojan.Mirai-5932143-0 FOUND
/snap/spotify/36/usr/share/spotify/libcef.so: Unix.Trojan.Mirai-5932143-0 FOUND
/snap/bitwarden/21/bitwarden: Unix.Trojan.Mirai-5932143-0 FOUND
/snap/slack/21/usr/lib/slack/slack: Unix.Trojan.Mirai-5932143-0 FOUND
/opt/google/chrome-beta/chrome: Unix.Trojan.Mirai-5932143-0 FOUND
/opt/google/chrome/chrome: Unix.Trojan.Mirai-5932143-0 FOUND
Microsoft Visual Code (snap version)
Spotify (snap version)
Bitwarden (snap version)
Slack (snap version)
Google Chrome stable and beta from Google repository.
I unpacked the daily database and searched for this virus and found
this in daily.ldb:
Unix.Trojan.Mirai-5932143-0;Engine:51-255,Target:6;0&1&(2>1)&(3>1);75726c3d;2f63646e2d6367692f;504f5354;7761746368646f67
I opened up one of the "infected" files in a hex editor and searched
for the above patterns. Here is the clear text of what this signature
searches for to trigger an alert:
url=
/cdn-cgi/
POST
watchdog
Personally I think it's unreasonable to trigger a virus alert just
because you can find the above strings in a binary. I think this rule
should be deleted until it's fixed.
Best regards,
Mikael Bak
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
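Added example (not part of the post and not ClamAV's own code): a small Python decoder that takes the daily.ldb line quoted above, hex-decodes its four subsignatures and evaluates the logical expression `0&1&(2>1)&(3>1)` against a byte buffer, so the false-positive mechanism can be reproduced offline. It covers only the subset of the .ldb syntax this entry uses (plain hex subsignatures; `N`, `N<k`, `N>k`, `N=k`, `&`, `|`, parentheses), assumes `&` binds tighter than `|`, approximates ClamAV's match counting with non-overlapping `bytes.count`, and scans two constructed buffers standing in for an ordinary ELF binary; none of that is taken from the post or from ClamAV's sources.

```python
import re

# Constructed copy of the daily.ldb entry quoted in the post.
SIGNATURE_LINE = (
    "Unix.Trojan.Mirai-5932143-0;Engine:51-255,Target:6;"
    "0&1&(2>1)&(3>1);75726c3d;2f63646e2d6367692f;504f5354;7761746368646f67"
)


def parse_ldb(line):
    """Split one .ldb line into name, target description (Target:6 = ELF),
    logical expression and decoded subsignatures. Only plain hex
    subsignatures are handled; offsets, wildcards and modifiers are not."""
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError("not a logical signature line")
    return {"name": fields[0], "target": fields[1], "expr": fields[2],
            "subsigs": [bytes.fromhex(h) for h in fields[3:]]}


def count_matches(data, subsigs):
    # Non-overlapping occurrence count per subsignature (an approximation
    # of ClamAV's own match counting, adequate for plain byte strings).
    return [data.count(s) for s in subsigs]


class _Parser:
    """Recursive-descent evaluator for a subset of the logical-expression
    syntax: N (subsig N matched), N<k / N>k / N=k (match-count comparison),
    & and | with parentheses. Assumption: & binds tighter than |."""
    TOKEN = re.compile(r"\d+[<>=]\d+|\d+|[&|()]")

    def __init__(self, expr, counts):
        self.tokens = self.TOKEN.findall(expr)
        if "".join(self.tokens) != expr.replace(" ", ""):
            raise ValueError(f"unsupported expression: {expr!r}")
        self.counts, self.pos = counts, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def parse_or(self):
        value = self.parse_and()
        while self.peek() == "|":
            self.pos += 1
            value = self.parse_and() or value   # both sides always parsed
        return value

    def parse_and(self):
        value = self.parse_atom()
        while self.peek() == "&":
            self.pos += 1
            value = self.parse_atom() and value
        return value

    def parse_atom(self):
        tok = self.peek()
        self.pos += 1
        if tok == "(":
            value = self.parse_or()
            if self.peek() != ")":
                raise ValueError("unbalanced parentheses")
            self.pos += 1
            return value
        m = re.fullmatch(r"(\d+)([<>=])(\d+)", tok or "")
        if m:
            n, k = self.counts[int(m.group(1))], int(m.group(3))
            return {"<": n < k, ">": n > k, "=": n == k}[m.group(2)]
        if tok and tok.isdigit():
            return self.counts[int(tok)] > 0
        raise ValueError(f"unexpected token {tok!r}")


def evaluate(expr, counts):
    p = _Parser(expr, counts)
    result = p.parse_or()
    if p.peek() is not None:
        raise ValueError("trailing tokens in expression")
    return result


def scan(data, sig):
    """Return (verdict, per-subsignature counts) for one byte buffer."""
    counts = count_matches(data, sig["subsigs"])
    return evaluate(sig["expr"], counts), counts


# Constructed stand-in for a legitimate ELF binary that happens to embed
# HTTP verbs, a Cloudflare path and watchdog thread names (not a real file).
BENIGN_LIKE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"GET /index.html HTTP/1.1\r\n"
    + b"POST /api/upload HTTP/1.1\r\n"
    + b"https://example.invalid/cdn-cgi/rum?url=\x00"
    + b"net_watchdog_timeout\x00io_watchdog_thread\x00"
    + b"POST_PROCESS_FLAG\x00"
)
# Same buffer with a single "POST": (2>1) fails, so the signature stays quiet.
ONE_POST = BENIGN_LIKE.replace(b"POST_PROCESS_FLAG", b"PROCESS_FLAG")

if __name__ == "__main__":
    sig = parse_ldb(SIGNATURE_LINE)
    print(sig["name"], [s.decode() for s in sig["subsigs"]])
    for label, buf in (("benign-like", BENIGN_LIKE), ("one POST", ONE_POST)):
        verdict, counts = scan(buf, sig)
        print(f"{label}: counts={counts} -> {'FOUND' if verdict else 'OK'}")
```

Running it shows the first buffer hitting on counts `[1, 1, 2, 2]` while the second (one `POST`) does not, which is the whole trigger condition: two HTTP verbs, one CDN path and two thread names, all of which ordinary Electron and Chromium binaries carry.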