GuitarBob
Joined: 09 Jul 2006
Posts: 4935
Location: USA
Posted: Tue Apr 12, 2022 3:58 pm
Below is one mdb signature and one hdb signature for new Russian malware that attacked a Ukraine power station. There are several other files involved but they are not widely distributed/detected.
Copy the signatures to separate new Notepad or similar text writer files and save them in the ClamWin database folder as a file named Sigfile.mdb with a file type of “All Files” for the mdb file and Sigfile.hdb for the hdb file. Do not save them as text files. The file names should be Sigfile.mdb and Sigfile.hdb and nothing else.
For multiple signatures, put each signature on a separate line in a Notepad file. You can add multiple signatures to the top of an existing hdb or mdb signature file. Copy the signatures, add one blank line to the top of the file and paste the signatures there—any additional lines needed will be added. Do not add to the bottom of an existing signature file or you will get a ClamWin scanning error. Delete any blank lines between signatures in the files before saving them.
After you save the signature files one at a time in the ClamWin database folder, scan something with ClamWin to make sure the signatures work. If you get a scan error, accept my apology, and delete the signature file from the database folder or delete only the signatures that you just posted to an existing hdb or mdb file and re-save it after first removing any blank lines in the signature file. Do the scan after you signature one file and then after you signature the other file so that you can see if there are any errors—one file at a time.
After 4 weeks, the malware will probably be updated, so you can delete the signatures then. The date (USA) and time (24 hr) are the last two items in the signature.
Thanks to Eset and Ukraine CERT!
MDB Signature
24576:0a228ece406253df9dbb17909d346d2e:Win.Trojan.Wiper-041222.1035
HDB Signature
1938380a81a23b8b1100de8403b583a7:3734:ZIP.Trojan.Wiper-041222.1043
Regards,
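The steps above (one signature per line, new signatures at the top of an existing file, no blank lines, separate .mdb and .hdb files) are easy to get wrong by hand in Notepad. The script below is an added example, not part of GuitarBob's post and not ClamWin or ClamAV code. It validates each line against the documented ClamAV field layouts (.hdb is hash:size:name, .mdb is section-size:hash:name), merges new signatures into Sigfile.hdb / Sigfile.mdb with no blank lines, and flags signatures older than four weeks by reading the -MMDDYY.HHMM suffix, which is the poster's own naming convention, not a ClamAV rule. The function names, the constructed "Test.Old" signature in the main block, and the acceptance of SHA1/SHA256 digests alongside MD5 are my assumptions; the two real signatures are the ones from the post. It does not run a scan, so the "scan something afterwards" check in the post still applies.

```python
"""Validate ClamAV .hdb/.mdb signature lines and merge them into a database file.

Added example; not ClamWin/ClamAV code. Field layouts follow the ClamAV
signature documentation; the timestamp-in-name convention is the poster's.
"""
import re
from datetime import datetime, timedelta
from pathlib import Path

# The two signatures from the post.
MDB_LINE = "24576:0a228ece406253df9dbb17909d346d2e:Win.Trojan.Wiper-041222.1035"
HDB_LINE = "1938380a81a23b8b1100de8403b583a7:3734:ZIP.Trojan.Wiper-041222.1043"

# Digest field: MD5 (32 hex) as in the post. Assumption: newer ClamAV also
# accepts SHA1 (40 hex) and SHA256 (64 hex) here, so those lengths pass too.
DIGEST_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")
# Poster's convention: name ends in -MMDDYY.HHMM (USA date, 24-hour time).
STAMP_RE = re.compile(r"-(\d{6})\.(\d{4})$")


def parse_signature(line, kind):
    """Return (digest, size, name) for a valid line of the given kind ('hdb' or 'mdb').

    .hdb lines are  HashString:FileSize:MalwareName
    .mdb lines are  PESectionSize:PESectionHash:MalwareName
    Raises ValueError on anything that ClamAV would reject as malformed.
    """
    line = line.strip()
    parts = line.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected 3 colon-separated fields: {line!r}")
    if kind == "hdb":
        digest, size, name = parts
    elif kind == "mdb":
        size, digest, name = parts
    else:
        raise ValueError(f"unknown database kind {kind!r}")
    digest = digest.lower()
    if not DIGEST_RE.match(digest):
        raise ValueError(f"bad hash field in {line!r}")
    if size != "*" and not size.isdigit():  # '*' means any size in ClamAV
        raise ValueError(f"bad size field in {line!r}")
    if not NAME_RE.match(name):
        raise ValueError(f"bad malware name in {line!r}")
    return digest, size, name


def merge_signatures(existing_text, new_lines, kind):
    """Return merged database text: new signatures first, no blank lines, LF-terminated.

    Every line (old and new) is validated, blank lines are dropped (they make
    ClamWin report a scan error), and duplicates by (digest, size) are removed.
    """
    merged, seen = [], set()
    for raw in list(new_lines) + existing_text.splitlines():
        if not raw.strip():
            continue
        digest, size, _name = parse_signature(raw, kind)
        if (digest, size) in seen:
            continue
        seen.add((digest, size))
        merged.append(raw.strip())
    return "".join(sig + "\n" for sig in merged)


def write_database(db_dir, filename, new_lines):
    """Create or update Sigfile.hdb / Sigfile.mdb in db_dir and return its path."""
    path = Path(db_dir) / filename
    kind = path.suffix.lstrip(".").lower()
    if kind not in ("hdb", "mdb"):
        raise ValueError("database file must be named *.hdb or *.mdb, not .txt")
    existing = path.read_text(encoding="ascii") if path.exists() else ""
    with path.open("w", encoding="ascii", newline="\n") as fh:
        fh.write(merge_signatures(existing, new_lines, kind))
    return path


def signature_time(name):
    """Datetime encoded in a name like Win.Trojan.Wiper-041222.1035, or None."""
    m = STAMP_RE.search(name)
    if not m:
        return None
    return datetime.strptime(m.group(1) + m.group(2), "%m%d%y%H%M")


def stale_signatures(db_text, kind, now, max_age_days=28):
    """Names of signatures older than max_age_days (the post's 4-week rule)."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for raw in db_text.splitlines():
        if not raw.strip():
            continue
        _digest, _size, name = parse_signature(raw, kind)
        stamped = signature_time(name)
        if stamped is not None and stamped < cutoff:
            stale.append(name)
    return stale


if __name__ == "__main__":
    import tempfile
    db = tempfile.mkdtemp()  # stand-in for the ClamWin database folder
    write_database(db, "Sigfile.mdb", [MDB_LINE])
    write_database(db, "Sigfile.hdb", [HDB_LINE])
    for fn in ("Sigfile.mdb", "Sigfile.hdb"):
        print(f"--- {fn} ---")
        print((Path(db) / fn).read_text(), end="")
```

Point db_dir at the real ClamWin database folder to use it for real, then scan a file with ClamWin as the post says; a scan error still means a malformed line, and `parse_signature` will usually tell you which one before ClamWin does. Note that the same signature pasted into the wrong file (an .mdb line into Sigfile.hdb) is rejected, because the size and hash fields are in swapped positions in the two formats.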