[Community-sigs] Questions about Submitted False Positives and 7zip ClamWin Upgrade RE: Community-sigs Digest, Vol 11, Issue 10

David Sicks franklin_6 at msn.com
Wed Mar 25 14:16:48 EDT 2015



> From: community-sigs-request at lists.clamav.net
> Subject: Community-sigs Digest, Vol 11, Issue 10
> To: community-sigs at lists.clamav.net
> Date: Wed, 25 Mar 2015 12:00:00 -0400
> 
> Send Community-sigs mailing list submissions to
> 	community-sigs at lists.clamav.net
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> or, via email, send a message with subject or body 'help' to
> 	community-sigs-request at lists.clamav.net
> 
> You can reach the person managing the list at
> 	community-sigs-owner at lists.clamav.net
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Community-sigs digest..."
> 
> 
> Today's Topics:
> 
>    1. Re: Community-sigs Digest, Vol 11, Issue 9 (David Sicks)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Tue, 24 Mar 2015 08:54:00 -0800
> From: David Sicks <franklin_6 at msn.com>
> To: "community-sigs at lists.clamav.net"
> 	<community-sigs at lists.clamav.net>
> Subject: Re: [Community-sigs] Community-sigs Digest, Vol 11, Issue 9
> Message-ID: <BAY177-W3804104743E07688FE880FB70A0 at phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Question #1.
> 
> I have repeatedly received a popup message that states my version of ClamWin is out 
> of date and should be upgraded by downloading a new version via a 7.zip file.
> 
> I was advised by a systems expert friend not to download / open the file as nobody 
> much less Clam upgrades AV software w/ zip files.  
> 
> I recently disinfected my PC (or so I thought) with ClamWin, but if so, and if the 
> 7zip clamwin is a malware imposter, why did ClamWin not find and quarantine the 
> imposter?
> 
> Question #2.
> 
> ClamWin found and I submitted to Clam three false positives.  I then received a 
> reply notice from Clam requesting that I verify my submission. I did not respond 
> within three days and apparently my three false-positive submissions lapsed. Now, 
> I cannot find out if my false positives were, in fact, false positives and, until 
> now, I have not been able to contact someone at Clam with questions.
> 
> Can I now find out the status of my three false positives ... and if so, how? 
> > From: community-sigs-request at lists.clamav.net
> > Subject: Community-sigs Digest, Vol 11, Issue 9
> > To: community-sigs at lists.clamav.net
> > Date: Tue, 24 Mar 2015 12:00:01 -0400
> > 
> > Send Community-sigs mailing list submissions to
> > 	community-sigs at lists.clamav.net
> > 
> > To subscribe or unsubscribe via the World Wide Web, visit
> > 	http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> > or, via email, send a message with subject or body 'help' to
> > 	community-sigs-request at lists.clamav.net
> > 
> > You can reach the person managing the list at
> > 	community-sigs-owner at lists.clamav.net
> > 
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Community-sigs digest..."
> > 
> > 
> > Today's Topics:
> > 
> >    1. linux backdoors trapped by kippo (Janos Cservenak)
> >    2. router backdoor/ddos (Janos Cservenak)
> >    3. linux backdoor program (Janos Cservenak)
> >    4. linux backdoor program received (Janos Cservenak)
> >    5. Windows trojan / Win32/Emotet.AD (Janos Cservenak)
> > 
> > 
> > ----------------------------------------------------------------------
> > 
> > Message: 1
> > Date: Tue, 24 Mar 2015 11:36:14 +0100
> > From: Janos Cservenak <hawk at hwk.hu>
> > To: community-sigs at lists.clamav.net
> > Subject: [Community-sigs] linux backdoors trapped by kippo
> > Message-ID: <55113E1E.6070106 at hwk.hu>
> > Content-Type: text/plain; charset=utf-8; format=flowed
> > 
> > Filename: npc
> > Architecture: x86
> > Detected actions:
> >   - it copies itself as /usr/bin/acpid
> >   - starts running many copies of itself (as npc and as acpid too)
> >   - connecting to remote server: 182.92.26.210 / port 12027
> >      inetnum:        182.92.0.0 - 182.92.255.255
> >      netname:        ALISOFT
> >      descr:          Aliyun Computing Co., LTD
> >      country:        CN
> > 
> > External virus scanners' knowledge:
> > https://www.virustotal.com/en/file/4fb50087fd3ecf8590b34a6ef40bdc227caee4314f480a4b01abab01c3e805ea/analysis/1427192727/
> > 
> > Signatures:
> > md5: 0c2fced6cd1b58dc85669dae1736a19e:1135000:Linux.Backdoor.I
> > sha1: 775a3e0e4c5e0b53c7adf2e81ab13b0994338e0a:1135000:Linux.Backdoor.I
> > sha256: 4fb50087fd3ecf8590b34a6ef40bdc227caee4314f480a4b01abab01c3e805ea:1135000:Linux.Backdoor.I
> > 
> > ------------------------
> > 
> > Filename: npc1
> > Architecture: x86
> > Detected actions:
> >   - it copies itself as /usr/bin/acpid
> >   - starts running many copies of itself (as npc and as acpid too)
> >   - connecting to remote server: 182.92.26.210 / port 12027
> >      inetnum:        182.92.0.0 - 182.92.255.255
> >      netname:        ALISOFT
> >      descr:          Aliyun Computing Co., LTD
> >      country:        CN
> > 
> > External virus scanners' knowledge:
> > https://www.virustotal.com/en/file/d17f05e997d869f7e632b88f2d93bb4a1a3519cc4dad8cf319d0e7ac19aecba4/analysis/1427192846/
> > 
> > Signatures:
> > md5: 0837d98901aa7ccf84d416d9ffdfe402:1521642:Backdoor.Linux.Gates.B
> > sha1: 7de0e5037c53c9e44f61c90e24bfeeaa324e55ba:1521642:Backdoor.Linux.Gates.B
> > sha256: d17f05e997d869f7e632b88f2d93bb4a1a3519cc4dad8cf319d0e7ac19aecba4:1521642:Backdoor.Linux.Gates.B
> > 
> > 
> > ------------------------------
> > 
> > Message: 2
> > Date: Tue, 24 Mar 2015 11:47:04 +0100
> > From: Janos Cservenak <hawk at hwk.hu>
> > To: community-sigs at lists.clamav.net
> > Subject: [Community-sigs] router backdoor/ddos
> > Message-ID: <551140A8.1030408 at hwk.hu>
> > Content-Type: text/plain; charset=utf-8; format=flowed
> > 
> > Filename: 20150320152114_http___103_42_13_253_DDos
> > Architecture: MIPS
> > Detected actions: I was not able to run it
> > 
> > External virus scanner results:
> > https://www.virustotal.com/en/file/31d51cca6a90a0fdf0da4d88350ad42765a2c5de49df4380078447947333b0f0/analysis/1427191922/
> > 
> > md5: f3edeb1604a955f6f733b2bba2389918:763528:Backdoor.Linux.Agent.N
> > sha1: 7b29213df6ca97ecf50b7450ef95d239c0b101ad:763528:20150320152114_http___103_42_13_253_DDos
> > sha256: 31d51cca6a90a0fdf0da4d88350ad42765a2c5de49df4380078447947333b0f0:763528:Backdoor.Linux.Agent.N
> > 
> > 
> > 
> > ------------------------------
> > 
> > Message: 3
> > Date: Tue, 24 Mar 2015 12:27:34 +0100
> > From: Janos Cservenak <hawk at hwk.hu>
> > To: community-sigs at lists.clamav.net
> > Subject: [Community-sigs] linux backdoor program
> > Message-ID: <55114A26.3090905 at hwk.hu>
> > Content-Type: text/plain; charset=utf-8; format=flowed
> > 
> > Filename: amra8
> > Architecture: x86
> > Detected actions:
> >   - copies itself as /usr/bin/.sEhd
> >   - starts running many copies of itself (as amra8 and as .sEhd too)
> >   - connecting to 222.186.56.69 port 36000
> >      inetnum:        222.186.0.0 - 222.191.255.255
> >      netname:        CHINANET-JS
> >      descr:          China Telecom
> >      country:        CN
> > 
> > External virus scanner results:
> > https://www.virustotal.com/en/file/3f06e4c6cd8126d47485d62647230dfdf1ddbbe438ed9149223103ccd1f7f797/analysis/1427196228/
> > 
> > Signatures:
> > md5: 68ef39590112a1764dc7a8746441cd46:73063:Backdoor.Linux.Gates.B
> > sha1: aa23fdf6d1280deef19c851d337b93de7be06b1a:73063:Backdoor.Linux.Gates.B
> > sha256: 3f06e4c6cd8126d47485d62647230dfdf1ddbbe438ed9149223103ccd1f7f797:73063:Backdoor.Linux.Gates.B
> > 
> > 
> > 
> > ------------------------------
> > 
> > Message: 4
> > Date: Tue, 24 Mar 2015 12:48:54 +0100
> > From: Janos Cservenak <hawk at hwk.hu>
> > To: community-sigs at lists.clamav.net
> > Subject: [Community-sigs] linux backdoor program received
> > Message-ID: <55114F26.5060901 at hwk.hu>
> > Content-Type: text/plain; charset=utf-8; format=flowed
> > 
> > Filename: Systee32
> > Original source: http://222.186.56.69:9987/Systee32
> > Architecture: x86
> > Detected actions:
> >   - copies itself as freeBSD in the same directory,
> >       starts running like this: "/tmp/freeBSD /tmp/freeBSD 1",
> >       and after that deletes itself
> >   - copies itself as Systee32a in the same directory
> >       and starts itself like this: "/tmp/Systee32a /tmp/Systee32"
> >   - after 10 minutes of running, no network traffic detected
> > 
> > External virus scanner results:
> > https://www.virustotal.com/en/file/479d8822fdf34a9daed8cd1ead77e77f0d3808f65b9c26098ea6ee3359a47246/analysis/1427194212/
> > 
> > Signatures:
> > md5: 440a60df19dcc800ce00f36de5397801:1128808:Linux.Trojan.Agent.5TAP9C
> > sha1: 91bc3fa241bf4ca3d01267eb58b8c0dd40d45f7a:1128808:Linux.Trojan.Agent.5TAP9C
> > sha256: 479d8822fdf34a9daed8cd1ead77e77f0d3808f65b9c26098ea6ee3359a47246:1128808:Linux.Trojan.Agent.5TAP9C
> > 
> > 
> > 
> > ------------------------------
> > 
> > Message: 5
> > Date: Tue, 24 Mar 2015 15:09:28 +0100
> > From: Janos Cservenak <hawk at hwk.hu>
> > To: community-sigs at lists.clamav.net
> > Subject: [Community-sigs] Windows trojan / Win32/Emotet.AD
> > Message-ID: <55117018.9070101 at hwk.hu>
> > Content-Type: text/plain; charset=utf-8; format=flowed
> > 
> > Original source: http://petiteboutique.nl/Q21qOTtBJN
> > Filename: DHL_Sendungsverfolgung_DE_0024000035548028.zip
> > Architecture: x86
> > Operating system: windows
> > 
> > External virus scanner results:
> > https://www.virustotal.com/en/file/886e45ae10145908077829d0a76ffaaef7ce88fc07216c3a3b82cd98966b3331/analysis/
> > 
> > Signatures:
> > md5: 2fcd24fa2039d83a0326c2f36196abc4:169859:Win32/Emotet.AD
> > sha1: 3f5221ec06659df9ed4234bcfa6ed27cc089249b:169859:Win32/Emotet.AD
> > sha256: 886e45ae10145908077829d0a76ffaaef7ce88fc07216c3a3b82cd98966b3331:169859:Win32/Emotet.AD
> > 
> > 
> > 
> > ------------------------------
> > 
> > Subject: Digest Footer
> > 
> > _______________________________________________
> > Community-sigs mailing list
> > Community-sigs at lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> > 
> > http://www.clamav.net/contact.html#ml
> > 
> > ------------------------------
> > 
> > End of Community-sigs Digest, Vol 11, Issue 9
> > *********************************************
> 
> ------------------------------
> 
> Subject: Digest Footer
> 
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> 
> http://www.clamav.net/contact.html#ml
> 
> ------------------------------
> 
> End of Community-sigs Digest, Vol 11, Issue 10
> **********************************************