GuitarBob
Joined: 09 Jul 2006
Posts: 4935
Location: USA
Posted: Thu Apr 14, 2022 2:43 am
Below are hdb signatures for a new African banking trojan and related files in case we have some African ClamWin users. ClamAV does not have these signatures now and probably never will.
Copy the signatures to a new Notepad or similar text writer file and save it in the ClamWin database folder as a file named Sigfile.hdb, with a file type of “All Files”. Do not save the file as a text file. The file name should be Sigfile.hdb and nothing else.
For multiple signatures, put each signature on a separate line in a Notepad or similar file. You can add multiple signatures to the top of an existing mdb or hdb signature file, depending upon the signature type. Copy the signatures, add one blank line to the top of the file and paste the signatures there—any additional lines needed will be added. Do not add to the bottom of existing signature files or you will get a ClamWin scanning error. Delete any blank lines between signatures in a file before saving the file.
After you save a signature file in the ClamWin database folder, scan something with ClamWin to make sure it works. If you get a scan error, accept my apology, and delete the signature file from the database folder or delete only the signatures that you just posted to an existing mdb or hdb file and re-save it after first removing any blank lines in the signature file. For multiple signature files, do the scan after you save a file to help you locate the file that causes a scan error.
After 4 weeks, the malware will probably be updated, so you can delete signatures then. The date (USA) and time (24 hr) are the last two items in each signature.
Thanks to HP Threat Research!
HDB Signature
3b04b3790778325f8005b37362d33630:682314:JS.Trojan.Banker-041322.2128
93fb24b55c435c5169d08f48b4a0d944:104504:VBS.Trojan.Banker-041322.2130
f34099d1b10d6a5f11952577f38a4679:474176:Win.Trojan.Crypt-041322.2133
Regards,
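The checks described in the post (one MD5:size:name entry per line, no blank lines, a date and time at the end of each name, removal after 4 weeks) can be run on a signature file before it goes into the database folder. The following is an added example, not part of the original post or of ClamWin; `check_hdb` is a hypothetical helper, and the sample lines are constructed except the first, which is copied from the post.

```python
import re
from datetime import datetime, timedelta

# hdb line layout: MD5 (32 hex chars) : file size in bytes : signature name
HDB_LINE = re.compile(r"^([0-9a-fA-F]{32}):(\d+):(\S+)$")
# Naming convention used in this post: Name-MMDDYY.HHMM (USA date, 24 hr time)
STAMP = re.compile(r"-(\d{6})\.(\d{4})$")
MAX_AGE = timedelta(weeks=4)  # the post suggests deleting signatures after 4 weeks

def check_hdb(text, now):
    """Return (entries, problems) for the contents of an .hdb file."""
    entries, problems = [], []
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # a single trailing newline is not a blank line
    for number, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r")  # tolerate Notepad's CRLF line endings
        if not line.strip():
            problems.append((number, "blank line"))
            continue
        match = HDB_LINE.match(line)
        if not match:
            problems.append((number, "not MD5:size:name"))
            continue
        md5, size, name = match.groups()
        added = None
        stamp = STAMP.search(name)
        if stamp:
            try:
                added = datetime.strptime(stamp.group(1) + stamp.group(2), "%m%d%y%H%M")
            except ValueError:
                problems.append((number, "bad date/time in name"))
        stale = added is not None and now - added > MAX_AGE
        entries.append({"line": number, "md5": md5.lower(), "size": int(size),
                        "name": name, "added": added, "stale": stale})
    return entries, problems

# Sample file: line 1 is from the post, the rest are constructed faults.
SAMPLE = "\n".join([
    "3b04b3790778325f8005b37362d33630:682314:JS.Trojan.Banker-041322.2128",
    "",                                                               # blank line
    "0123456789abcdef0123456789abcdef:1024:Test.Constructed-023022.0900",  # Feb 30
    "0123456789abcdef:1024:Test.Short-041322.2128",                  # short hash
]) + "\n"

if __name__ == "__main__":
    found, issues = check_hdb(SAMPLE, datetime.now())
    for line_no, reason in issues:
        print(f"line {line_no}: {reason}")
    for entry in found:
        print(entry["name"], "older than 4 weeks" if entry["stale"] else "ok")
```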