
About Madeba-8019734
Hi Everyone,

it's my first post here.

I am trying to get information about "Xls.Malware.Madeba-8019734-0".

ClamAV informed me that a previously clean (or supposedly clean) xls
file is in fact infected by Xls.Malware.Madeba-8019734-0.

The file was not modified or edited.

I found that the Malware.Madeba-8019734-0 definition was added to ClamAV on
13 June 2020 or so, in version 25842 of the ClamAV signatures.

My question is: where can I find more information about
Malware.Madeba-8019734-0? Is there a better website/service referencing
all known malware?

I can't find it in Microsoft's, Kaspersky's or Trend Micro's "encyclopedia" or "lab".

Windows Defender doesn't find any threat in my Excel file.

Thank you for your help.

--
Michel Galle
IT
tel: +33 6 03 05 51 47
http://www.6wind.com


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: About Madeba-8019734
Hi there,

On Mon, 6 Jul 2020, Michel GALLE wrote:

> it's my first post here.

Welcome. :)

> I am trying to get information about "Xls.Malware.Madeba-8019734-0".
>
> ClamAV informed me that a previously clean (or supposedly clean) xls file is
> in fact infected by Xls.Malware.Madeba-8019734-0.
>
> The file was not modified or edited.
>
> I found that the Malware.Madeba-8019734-0 definition was added to ClamAV on 13
> June 2020 or so, in version 25842 of the ClamAV signatures.

The detection is likely a false positive. They are not uncommon, and
they most often occur when a new signature is not sufficiently specific.

> My question is: where can I find more information about
> Malware.Madeba-8019734-0? Is there a better website/service referencing all
> known malware?

You can look for the plain text in the signature databases, for example

8<----------------------------------------------------------------------
$ grep -a Madeba-8019734-0 /var/lib/clamav/databases/daily.cld
Xls.Malware.Madeba-8019734-0;Engine:51-255,Target:2;0&1&2&3&4&5;2d2d204c696d69747320696e20706c61636520323030342d30392d3233202e2e2e;44696d205241424a49312020417320537472696e67;44696d20776f726473283130302920417320537472696e67;464c4954494553203d20776f72647328444f5a414c;4966205041535434203e2030205468656e;776f726473283835
8<----------------------------------------------------------------------

You can use 'sigtool' to extract information about signatures, for example

8<----------------------------------------------------------------------
$ sigtool --datadir=/var/lib/clamav/databases/ -fXls.Malware.Madeba-8019734-0 | sigtool --decode-sigs
VIRUS NAME: Xls.Malware.Madeba-8019734-0
TDB: Engine:51-255,Target:2
LOGICAL EXPRESSION: 0&1&2&3&4&5
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
-- Limits in place 2004-09-23 ...
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Dim RABJI1 As String
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Dim words(100) As String
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
FLITIES = words(DOZAL
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
If PAST4 > 0 Then
* SUBSIG ID 5
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
words(85
8<----------------------------------------------------------------------

This will make more sense to people who create signatures than to
those who have never done that. The ClamAV documentation and Website
have more information about the signature formats; every ClamAV utility
has a 'man' page, for example try typing

man sigtool

at a shell prompt.

> I can't find it in Microsoft, Kaspersky, Trend Micro...

There is no universally agreed naming system for malware, so it can be
difficult to compare the signatures for different scanners.

--

73,
Ged.

Re: [ext] About Madeba-8019734
* Michel GALLE <michel.galle@6wind.com>:
> Hi Everyone,
>
> it's my first post here.
>
> I am trying to get information about "Xls.Malware.Madeba-8019734-0".
>
> ClamAV informed me that a previously clean (or supposedly clean) xls file
> is in fact infected by Xls.Malware.Madeba-8019734-0.
>
> The file was not modified or edited.
>
> I found that the Malware.Madeba-8019734-0 definition was added to ClamAV on 13
> June 2020 or so, in version 25842 of the ClamAV signatures.
>
> My question is: where can I find more information about
> Malware.Madeba-8019734-0? Is there a better website/service referencing all
> known malware?


# sigtool --find-sigs Xls.Malware.Madeba-8019734-0 | sigtool --decode-sigs
VIRUS NAME: Xls.Malware.Madeba-8019734-0
TDB: Engine:51-255,Target:2
LOGICAL EXPRESSION: 0&1&2&3&4&5
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
-- Limits in place 2004-09-23 ...
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Dim RABJI1 As String
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Dim words(100) As String
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
FLITIES = words(DOZAL
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
If PAST4 > 0 Then
* SUBSIG ID 5
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
words(85

So, as you can see, the signature consists of 6 subsignatures numbered
0-5, all of which must match. It sort of looks highly specific to me.

Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
ralf.hildebrandt@charite.de
https://www.charite.de

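Ged's grep and sigtool output and Ralf's point that all six subsignatures must match before the logical expression 0&1&2&3&4&5 fires are easier to follow with a small parser of the .ldb line format in hand. The following Python is an added example written for this thread, not ClamAV's own code or sigtool: it splits the signature line quoted above into name, target description block, logical expression and hex subsignatures, decodes the hex the way "sigtool --decode-sigs" displays it, and evaluates the expression against two constructed buffers (the sample VBA text is constructed, not the reporter's file). It handles only plain hex subsignatures and the & | ( ) operators; ClamAV's wildcards and match-count operators are outside what it covers.

```python
"""Parse a ClamAV logical signature (.ldb) line, decode its hex
subsignatures and evaluate the logical expression against a buffer.

Added example for this thread, not ClamAV's own code. Only plain hex
subsignatures and the '&', '|' and parentheses of the logical expression
are handled; ClamAV wildcards and match-count operators are not.
"""
import re
from dataclasses import dataclass

# The signature line quoted in the thread (grep output from daily.cld).
SIG_LINE = (
    "Xls.Malware.Madeba-8019734-0;Engine:51-255,Target:2;0&1&2&3&4&5;"
    "2d2d204c696d69747320696e20706c61636520323030342d30392d3233202e2e2e;"
    "44696d205241424a49312020417320537472696e67;"
    "44696d20776f726473283130302920417320537472696e67;"
    "464c4954494553203d20776f72647328444f5a414c;"
    "4966205041535434203e2030205468656e;"
    "776f726473283835"
)


@dataclass
class LogicalSignature:
    name: str         # VIRUS NAME
    tdb: str          # target description block (Engine range, Target type)
    expression: str   # LOGICAL EXPRESSION over subsignature IDs
    subsigs: list     # subsignature byte patterns, list index = SUBSIG ID


def parse_ldb_line(line: str) -> LogicalSignature:
    """Split 'Name;TDB;Expression;hex0;hex1;...' and decode each hex subsig."""
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError("expected Name;TDB;Expression;Subsig...")
    name, tdb, expression, *hexsigs = fields
    try:
        subsigs = [bytes.fromhex(h) for h in hexsigs]
    except ValueError as exc:  # wildcards such as '??' or '*' land here
        raise ValueError("only plain hex subsignatures are supported") from exc
    return LogicalSignature(name, tdb, expression, subsigs)


def decode_subsigs(sig: LogicalSignature) -> list:
    """Render subsignatures as text, like the DECODED SUBSIGNATURE lines."""
    return [s.decode("latin-1") for s in sig.subsigs]


class _ExprEvaluator:
    """Recursive descent: expr := term ('|' term)*, term := factor ('&' factor)*,
    factor := ID | '(' expr ')'. Both operands are always consumed."""

    def __init__(self, tokens, hits):
        self.tokens, self.hits, self.pos = tokens, hits, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expr(self):
        value = self.term()
        while self.peek() == "|":
            self.take()
            value = self.term() | value   # bool | bool, no short-circuit
        return value

    def term(self):
        value = self.factor()
        while self.peek() == "&":
            self.take()
            value = self.factor() & value
        return value

    def factor(self):
        tok = self.take()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return value
        if not (tok and tok.isdigit()) or int(tok) >= len(self.hits):
            raise ValueError(f"bad subsignature reference {tok!r}")
        return self.hits[int(tok)]


def evaluate(expression: str, hits: list) -> bool:
    """True if the logical expression holds for the per-subsig hit flags."""
    tokens = re.findall(r"\d+|[&|()]", expression)
    if "".join(tokens) != expression.replace(" ", ""):
        raise ValueError(f"unsupported syntax in expression: {expression!r}")
    ev = _ExprEvaluator(tokens, hits)
    result = ev.expr()
    if ev.peek() is not None:
        raise ValueError("trailing tokens in expression")
    return result


def scan(sig: LogicalSignature, data: bytes) -> dict:
    """Search every subsig in data, then apply the logical expression."""
    hits = [pattern in data for pattern in sig.subsigs]
    return {"name": sig.name, "subsig_hits": hits,
            "match": evaluate(sig.expression, hits)}


# Constructed sample VBA text containing all six subsignatures (not a real
# file from the thread), and the same text with the first line removed.
FULL_SAMPLE = (
    b"-- Limits in place 2004-09-23 ...\r\n"
    b"Dim RABJI1  As String\r\n"
    b"Dim words(100) As String\r\n"
    b"FLITIES = words(DOZAL)\r\n"
    b"If PAST4 > 0 Then\r\n"
    b"    x = words(85)\r\n"
)
PARTIAL_SAMPLE = FULL_SAMPLE.split(b"\r\n", 1)[1]   # subsig 0 is absent

if __name__ == "__main__":
    sig = parse_ldb_line(SIG_LINE)
    print("VIRUS NAME:", sig.name, "| TDB:", sig.tdb)
    for i, text in enumerate(decode_subsigs(sig)):
        print(f"  SUBSIG {i}: {text}")
    print(scan(sig, FULL_SAMPLE))      # match: True
    print(scan(sig, PARTIAL_SAMPLE))   # match: False, subsig 0 missing
```

Running it shows the two sides of the thread's discussion: the buffer with all six strings matches, while the one missing only the "-- Limits in place" comment does not, because the expression is a pure conjunction. That is what makes the signature look specific, yet a hit is still a false positive whenever a clean file happens to carry all six fragments, which is what Talos confirmed for this one.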
Re: [ext] About Madeba-8019734
Michel,

Thanks for reporting this to us. This signature hit is indeed a false
positive, and the signature should be dropped shortly.

-Andrew

Andrew Williams
Malware Research Team
Cisco Talos



On Mon, Jul 6, 2020 at 1:19 PM Ralf Hildebrandt via clamav-users <clamav-users@lists.clamav.net> wrote: