On Tue, Feb 23, 2021 at 09:30 AM, Ron Seguin via clamav-users wrote:
> Hi,
> Uploaded a file to virustools.com and results show that ClamAV detects the Unix.Trojan.Tsunami-6981155-0 exploit.
I'm not familiar with virustools.com and I get a redirect when I attempt to access it. Did you mean VirusTotal? If so, can you provide the link to the actual results of the file you uploaded?
> The command-line utility did not detect it. Up-to-date DB. The signature appears to exist in the signature database.
> Something I'm missing?
>
> # freshclam
> ClamAV update process started at Tue Feb 23 12:12:30 2021
> daily.cld database is up to date (version: 26089, sigs: 4000162, f-level: 63, builder: raynman)
> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
> bytecode.cvd database is up to date (version: 332, sigs: 93, f-level: 63, builder: awillia2)
>
> # clamscan /var/tmp/pty3
> /var/tmp/pty3: OK
You might find this breakout more useful when searching the file for matching strings:
~ % sigtool -fUnix.Trojan.Tsunami-6981155-0|sigtool --decode-sigs
VIRUS NAME: Unix.Trojan.Tsunami-6981155-0
TDB: Engine:51-255,Target:6
LOGICAL EXPRESSION: 0&1&2&3&4
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; MyIE2; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0)
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Mozilla/5.0 (compatible; U; ABrowse 0.6; Syllable) AppleWebKit/420+ (KHTML, like Gecko)
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.6) Gecko/2009020911
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4
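The decoded signature above is a logical signature: the LOGICAL EXPRESSION 0&1&2&3&4 means all five subsignatures must be found in the file, and TDB Target:6 restricts it to ELF files, so a file that is not ELF or that lacks even one of the five user-agent strings scans as OK. The script below is an added example written for this reply, not part of the thread and not ClamAV's own code; it emulates that evaluation so you can see which subsignature a file is missing. The five patterns are copied from the sigtool output above; the fake ELF header and sample "files" are constructed test inputs; the expression parser is a deliberate simplification (only IDs, &, | and parentheses, with & binding tighter than |, and no match-count syntax such as 0>1), and the real engine also enforces the Engine functionality-level range and does full file-type detection rather than a magic-byte check.

```python
# Added example (not from the thread, not ClamAV's own code): emulate how a
# ClamAV logical signature is evaluated so we can see which decoded
# subsignatures a given file does or does not contain.
import re

SIGNATURE_NAME = "Unix.Trojan.Tsunami-6981155-0"
TARGET_TYPE = 6                    # ClamAV target type 6 = ELF executables
LOGICAL_EXPRESSION = "0&1&2&3&4"   # every subsignature must be present

# The five decoded subsignatures exactly as printed by `sigtool --decode-sigs`.
SUBSIGS = [
    b"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; MyIE2; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0)",
    b"Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2",
    b"Mozilla/5.0 (compatible; U; ABrowse 0.6; Syllable) AppleWebKit/420+ (KHTML, like Gecko)",
    b"Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.6) Gecko/2009020911",
    b"Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4",
]


def target_matches(data: bytes, target: int) -> bool:
    """Stand-in for ClamAV's file-type detection (assumption: only targets 0 and 6 modelled)."""
    if target == 0:
        return True
    if target == 6:
        return data.startswith(b"\x7fELF")
    raise ValueError(f"target type {target} not modelled here")


def evaluate_expression(expr: str, hits: set) -> bool:
    """Evaluate a logical expression over the set of matched subsig IDs.

    Assumption for this example: supports IDs, '&', '|' and parentheses, with
    '&' binding tighter than '|'. ClamAV's match-count syntax (e.g. '0>1') is
    not modelled and is rejected.
    """
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError(f"unsupported syntax in expression: {expr!r}")
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError(f"unexpected end of expression: {expr!r}")
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_atom() -> bool:
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return value
        return int(tok) in hits

    def parse_and() -> bool:
        value = parse_atom()
        while peek() == "&":
            take()
            rhs = parse_atom()
            value = value and rhs
        return value

    def parse_or() -> bool:
        value = parse_and()
        while peek() == "|":
            take()
            rhs = parse_and()
            value = value or rhs
        return value

    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in expression: {expr!r}")
    return result


def scan(data: bytes) -> dict:
    """Report the target check, matched and missing subsig IDs, and the verdict for one file."""
    hits = {i for i, pattern in enumerate(SUBSIGS) if pattern in data}
    target_ok = target_matches(data, TARGET_TYPE)
    return {
        "target_ok": target_ok,
        "hits": sorted(hits),
        "missing": sorted(set(range(len(SUBSIGS))) - hits),
        "detected": target_ok and evaluate_expression(LOGICAL_EXPRESSION, hits),
    }


# Constructed sample inputs (not a real binary): a fake ELF magic plus
# whichever user-agent strings we want the "file" to contain.
FAKE_ELF_HEADER = b"\x7fELF\x02\x01\x01" + b"\x00" * 9


def build_sample(subsig_ids, elf: bool = True) -> bytes:
    header = FAKE_ELF_HEADER if elf else b"#!/bin/sh\n"
    return header + b"\x00" + b"\n".join(SUBSIGS[i] for i in subsig_ids)


if __name__ == "__main__":
    for label, sample in [
        ("all five strings, ELF", build_sample(range(5))),
        ("one string absent, ELF", build_sample([0, 1, 2, 3])),
        ("all five strings, not ELF", build_sample(range(5), elf=False)),
    ]:
        verdict = scan(sample)
        print(label, "->", SIGNATURE_NAME if verdict["detected"] else "OK", verdict)
```

To apply this to the file from the thread, replace `build_sample(...)` with `open("/var/tmp/pty3", "rb").read()`: the `missing` list shows which of the five strings is absent, and with an all-AND expression a single absent string (or a non-ELF file type) is enough for clamscan to report OK even though the signature is present in daily.cld.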