
[clamav-users] Txt.Trojan.Kryptik-6887991-0 FOUND
Mac OS 10.14.3

I wake up this morning to find that clamav has discovered sixteen instances of this:

Txt.Trojan.Kryptik-6887991-0 FOUND

Most of these are in Chrome cache files, but a few were in Apple Automator cache files.

I’ve searched around, but find precious little on this infecting Macs. (Lots on Windows.)

Can someone point me in the right direction to find out just what this is, where it came from and how I can get rid of it?
Re: [clamav-users] Txt.Trojan.Kryptik-6887991-0 FOUND
Michael,

The reported detections are likely false positives (I too am seeing matches
on Chrome cache files). The signature will be dropped soon.

Thanks for bringing this to our attention.

-Andrew

Andrew Williams
Malware Research Team
Cisco Talos

On Tue, Mar 12, 2019 at 7:08 PM Michael Newman via clamav-users <clamav-users@lists.clamav.net> wrote:

> Mac OS 10.14.3
>
> I wake up this morning to find that clamav has discovered sixteen
> instances of this:
>
> Txt.Trojan.Kryptik-6887991-0 FOUND
>
> Most of these are in Chrome cache files, but a few were in Apple Automator
> cache files.
>
> I’ve searched around, but find precious little on this infecting Macs.
> (Lots on Windows.)
>
> Can someone point me in the right direction to find out just what this is,
> where it came from and how I can get rid of it?
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
Re: [clamav-users] Txt.Trojan.Kryptik-6887991-0 FOUND
All I can add is some technical information about the signature. I have no idea what kind of infection it causes and on what platform.

The signature was added to the database by daily - 25386 earlier today as an .ldb. Looking for a single ascii string in any type of file:

> sigtool -fTxt.Trojan.Kryptik-6887991-0|sigtool --decode-sigs
> VIRUS NAME: Txt.Trojan.Kryptik-6887991-0
> TDB: Engine:51-255,FileSize:262144-1048576,Target:0
> LOGICAL EXPRESSION: 0
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> 1/g,"");if(!/^[-_a-zA-Z0-9#.:* ,>+~[\]()=^$|]+$/.test(c))throw  E


I added an extra space before the "E" in order that this message isn't found to be infected.

Another user said it appears to be associated with Google searches, but not when using Bing.

-Al-
ClamXAV User

On Mar 12, 2019, at 16:07, Michael Newman via clamav-users <clamav-users@lists.clamav.net> wrote:
> Mac OS 10.14.3
>
> I wake up this morning to find that clamav has discovered sixteen instances of this:
>
> Txt.Trojan.Kryptik-6887991-0 FOUND
>
> Most of these are in Chrome cache files, but a few were in Apple Automator cache files.
>
> I’ve searched around, but find precious little on this infecting Macs. (Lots on Windows.)
>
> Can someone point me in the right direction to find out just what this is, where it came from and how I can get rid of it?
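As an added example (my own code, not from the thread and not ClamAV's implementation), the following rebuilds the .ldb record Al decoded above and applies its gates to constructed sample files; it shows why a literal JavaScript fragment plus a FileSize window still matches benign browser cache entries that carry the same bytes. The file contents and the engine version number are constructed for the demonstration.

```python
# Decoded subsignature as printed by sigtool (without the extra space Al
# inserted before "E" to keep his own mail from matching). It is a literal
# byte string: ClamAV looks for exactly these bytes anywhere in the file.
SUBSIG = '1/g,"");if(!/^[-_a-zA-Z0-9#.:* ,>+~[\\]()=^$|]+$/.test(c))throw E'

# Target description block exactly as reported in the thread.
TDB = "Engine:51-255,FileSize:262144-1048576,Target:0"
NAME = "Txt.Trojan.Kryptik-6887991-0"


def ldb_line(name=NAME, tdb=TDB, subsig=SUBSIG):
    """Rebuild the .ldb record: Name;TDB;LogicalExpression;hex-encoded subsig."""
    return f"{name};{tdb};0;{subsig.encode('ascii').hex()}"


def parse_tdb(tdb):
    """Turn 'Key:lo-hi,...' into {Key: (lo, hi)}; a bare value means lo == hi."""
    ranges = {}
    for field in tdb.split(","):
        key, value = field.split(":")
        lo, _, hi = value.partition("-")
        ranges[key] = (int(lo), int(hi) if hi else int(lo))
    return ranges


def matches(data, engine_version=100):
    """Apply the TDB gates, then the single subsignature (logical expression '0')."""
    gates = parse_tdb(TDB)
    size_lo, size_hi = gates["FileSize"]
    eng_lo, eng_hi = gates["Engine"]
    if not (size_lo <= len(data) <= size_hi and eng_lo <= engine_version <= eng_hi):
        return False
    # Target:0 means any file type, so only the substring test remains.
    return SUBSIG.encode("ascii") in data


# Constructed sample: a minified JS bundle as a browser would cache it, padded
# so that its size lands inside the FileSize window the TDB requires.
CACHED_JS = (b"/* constructed minified bundle */" + SUBSIG.encode("ascii")
             + b"(c);/* rest of bundle */").ljust(300_000, b" ")
# The same bytes in a file under 256 KiB: the size gate alone rejects it.
SMALL_FILE = SUBSIG.encode("ascii")
```

The size window explains why only some cached copies of the same script were reported: a cached bundle that happens to be smaller than 256 KiB never reaches the substring test.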
Re: [clamav-users] Txt.Trojan.Kryptik-6887991-0 FOUND
Thanks for the prompt reply. I’m relieved….

> On Mar 13, 2019, at 10:42, Andrew Williams <awillia2@sourcefire.com> wrote:
>
> Michael,
>
> The reported detections are likely false positives (I too am seeing matches on Chrome cache files). The signature will be dropped soon.
>
> Thanks for bringing this to our attention.
>
> -Andrew
>
> Andrew Williams
> Malware Research Team
> Cisco Talos
>


Re: [clamav-users] Txt.Trojan.Kryptik-6887991-0 FOUND
That does not appear to be a well anchored regex.

dp

On 3/12/19 9:15 PM, Al Varnell via clamav-users wrote:
> All I can add is some technical information about the signature. I have no
> idea what kind of infection it causes and on what platform.
>
> The signature was added to the database by daily - 25386 earlier today as an
> .ldb. Looking for a single ascii string in any type of file:
>
>> sigtool -fTxt.Trojan.Kryptik-6887991-0|sigtool --decode-sigs
>> VIRUS NAME: Txt.Trojan.Kryptik-6887991-0
>> TDB: Engine:51-255,FileSize:262144-1048576,Target:0
>> LOGICAL EXPRESSION: 0
>>  * SUBSIG ID 0
>>  +-> OFFSET: ANY
>>  +-> SIGMOD: NONE
>>  +-> DECODED SUBSIGNATURE:
>> 1/g,"");if(!/^[-_a-zA-Z0-9#.:* ,>+~[\]()=^$|]+$/.test(c))throw  E

