RE: [vps-mail] New virus signature
- Subject: RE: [vps-mail] New virus signature
- From: "John Oligario" <joligario@xxxxxxxxxxxxxxx>
- Date: Mon, 9 Aug 2004 21:09:37 -0400

Sigtool is available on the servers where clamav is installed. I do not
have the price zip file on my mail server anymore. There is an option using
sigtool --f filename which, from what I can tell, will help with putting
things together.

Here is the section from the guy who wrote sigtool:

NAME
    sigtool - generate a virus signature

SYNOPSIS
    sigtool [options]

DESCRIPTION
    sigtool generates a virus signature using an external anti-virus scanner
    which is able to detect the virus. It can also create a hexadecimal dump
    and build and unpack a CVD database.

OPTIONS
    -h, --help
        Output help information and exit.

    -V, --version
        Print version number and exit.

    --quiet
        Be quiet - output only error messages.

    --stdout
        Write all messages to standard output (stdout), instead of standard
        error output (stderr).

    --hex-dump
        Read data from stdin and write hex string to stdout.

    -c, --command
        Anti-virus scanner command with options. Remember about quotes if the
        argument string contains white characters. Command should contain
        everything except infected file name.

    -f, --file
        Infected file name.

    -s, --string
        Unique string from anti-virus scanner's output when it detects the
        virus. In most cases it should be a virus name.

    -i, --info
        Print a CVD information and verify MD5 and a digital signature.

    -b, --build
        Build a CVD file. -s, --server is required.

    --server
        ClamAV Signing Service address (for virus database developers only).

    --unpack, -u
        Unpack a selected CVD file to a current directory.

    --unpack-current
        Unpack a local CVD file to a current directory.

EXAMPLES
    (0) Generate hex string from testfile and save it to testfile.hex:

        cat testfile | sigtool --hex-dump > testfile.hex

    (1) Please check clamdoc.pdf and signatures.pdf for more example of usage.

CREDITS
    Please check the full documentation for credits.

AUTHOR
    Tomasz Kojm <tkojm@xxxxxxxxxx>

-----Original Message-----
From: owner-vps-mail@xxxxxxxxxxxx [mailto:owner-vps-mail@xxxxxxxxxxxx] On
Behalf Of Scott Wiersdorf
Sent: Monday, August 09, 2004 9:05 PM
To: vps-mail@xxxxxxxxxxxx
Subject: Re: [vps-mail] New virus signature

On Mon, Aug 09, 2004 at 05:31:59PM -0700, Abigail Marshall wrote:
> There is a new virus which is a variant of Bagel - it comes with a zip
> file with some variant of price*.zip attached, and there is text in
> the body that is either the word "price" alone or "new price". It is
> very small - only 9 kb,

That's pretty small. We've been accustomed to larger worms, certainly.
Thank you Abigail for the update.

Abigail, have you considered using sigtool (the clamav signature generator)?
I've read some of the documentation and it seems like it might be worth
investigating (and possibly less work to detect the actual signature).

Has anyone here used sigtool before? It seems that it would help a lot of
people to kick back the signature to clamav itself so all those who are
using clamav would receive the update automatically via normal mechanisms.

Scott
--
Scott Wiersdorf
scott@xxxxxxxxxxxx
======================================================================
This is <vps-mail@xxxxxxxxxxxx> <http://www.perlcode.org/lists/>
Before posting a question, please search the archives (see above URL).
======================================================================
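
Added example, not part of the original thread and not sigtool's own code: a sketch of what the hex string from --hex-dump is used for, and why a candidate byte run should be checked against clean files before it becomes a signature. It assumes ClamAV's basic Name=HexSignature line format (not mentioned in the thread); the function names and all sample bytes are constructed for illustration.

```python
from typing import List, Optional

def hex_dump(data: bytes) -> str:
    # Same transformation as `cat file | sigtool --hex-dump`: bytes -> hex string.
    return data.hex()

def pick_signature(sample: bytes, clean_files: List[bytes],
                   length: int = 16) -> Optional[bytes]:
    """Return the first `length`-byte window of `sample` found in no clean file."""
    for off in range(len(sample) - length + 1):
        window = sample[off:off + length]
        if not any(window in clean for clean in clean_files):
            return window
    return None  # nothing distinctive at this length

def db_line(name: str, sig: bytes) -> str:
    # Assumed format: ClamAV's basic body signature, Name=HexSignature.
    return f"{name}={hex_dump(sig)}"

def scan(data: bytes, db: List[str]) -> List[str]:
    """Return the names of all signatures whose bytes occur anywhere in `data`."""
    hits = []
    for line in db:
        name, _, hexsig = line.strip().partition("=")
        if hexsig and bytes.fromhex(hexsig) in data:
            hits.append(name)
    return hits

# Constructed data: both files start with the same zip-style header and
# member name, so the first 16 bytes alone cannot tell them apart.
SHARED = b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"price_list.doc"
SAMPLE = SHARED + b"CONSTRUCTED-SAMPLE-BODY-0001"
CLEAN = SHARED + b"ordinary spreadsheet contents"

def demo():
    naive = db_line("Constructed.Naive", SAMPLE[:16])   # header-only signature
    sig = pick_signature(SAMPLE, [CLEAN])
    good = db_line("Constructed.Sample", sig)
    return {
        "naive_hits_clean": scan(CLEAN, [naive]),   # false positive
        "good_hits_clean": scan(CLEAN, [good]),     # no hit
        "good_hits_sample": scan(SAMPLE, [good]),   # detected
        "good_line": good,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```
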