GuitarBob
Joined: 09 Jul 2006 | Posts: 4935 | Location: USA
Posted: Tue Apr 05, 2022 10:16 pm

Below are HDB phishing signatures for the Russian Armageddon APT group, designed to phish and infect Ukrainian and European government and NGO computers with malware. If you use custom ClamWin signatures, make sure that these extensions are included: .eml, .html, .rar and .lnk
Copy the signature(s) to a new Notepad or similar text writer file, and save it in the ClamWin database folder as a file named Sigfile.hdb with a file type of “All Files”. Do not save it as a text file. The file name should be Sigfile.hdb and nothing else.
For multiple signatures, put each signature on a separate line in a Notepad file. You can add multiple signatures to the top of an existing HDB signature file. Copy the signatures, add one blank line to the top of the file and paste the signatures there—any additional lines needed will be added. Do not add to the bottom of an existing signature file or you will get a ClamWin scanning error. Delete any blank lines between signatures in the file before saving.
After you save the signature file in the ClamWin database folder, scan something with ClamWin to make sure the signature(s) work. If you get a scan error, accept my apology, and delete the signature file(s) from the database folder or delete only the signatures that you just posted to an existing HDB file and re-save it after first removing any blank lines in the signature file.
After 4 weeks, the malware will probably be updated, so you can delete the signatures then. The date (USA) and time (24 hr) are the last two items in the signature.
Thanks to CERT-UA!
c1c62da5a36fed274f7777d5b8d111ae:687107:EML.Trojan.Agent-040522.1657
602e39a47a531b3f2b394a7176d6c87d:198972:HTML.Trojan.Agent-040522.1659
35323ab59c094f3742a60998be6d0a27:373887:RAR.Trojan.Agent-040522.1703
73479ebeb7db408e1cabd3e5a9c3ab8d:569284:LNK.Trojan.Agent-040522.1707
Regards,
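A small checker for .hdb signature files like the one above, added here as an example and not part of the post or of ClamWin: it validates each line against the MD5:size:name layout, flags the blank lines the post warns about, and can build or match a signature for a given file's bytes (the sample bytes below are constructed).

```python
import hashlib
import re

# ClamAV .hdb line: <MD5 hex>:<file size in bytes, or *>:<signature name>
HDB_LINE = re.compile(r"^([0-9a-fA-F]{32}):(\d+|\*):([^:\s]+)$")

# The four signature lines from the post, plus a constructed trailing blank
# line of the kind that makes ClamWin report a scan error.
SAMPLE_HDB = """c1c62da5a36fed274f7777d5b8d111ae:687107:EML.Trojan.Agent-040522.1657
602e39a47a531b3f2b394a7176d6c87d:198972:HTML.Trojan.Agent-040522.1659
35323ab59c094f3742a60998be6d0a27:373887:RAR.Trojan.Agent-040522.1703
73479ebeb7db408e1cabd3e5a9c3ab8d:569284:LNK.Trojan.Agent-040522.1707

"""


def parse_hdb_line(line):
    """Return (md5, size_or_None, name) for one signature line, or raise ValueError."""
    m = HDB_LINE.match(line)
    if not m:
        raise ValueError(f"malformed hdb line: {line!r}")
    md5, size, name = m.groups()
    return md5.lower(), (None if size == "*" else int(size)), name


def validate_hdb_text(text):
    """Check a whole .hdb file; return a list of (line_no, problem) tuples."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            problems.append((no, "blank line"))  # blank lines break the scan
            continue
        try:
            parse_hdb_line(line)
        except ValueError as err:
            problems.append((no, str(err)))
    return problems


def make_hdb_signature(data, name):
    """Build an .hdb line (exact MD5 and size) for a sample's bytes."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def match_hdb(data, text):
    """Return the name of the first signature in text matching data, else None."""
    digest = hashlib.md5(data).hexdigest()
    for line in text.splitlines():
        if not line.strip():
            continue
        md5, size, name = parse_hdb_line(line)
        if size is not None and size != len(data):
            continue  # size mismatch rules the entry out before comparing hashes
        if md5 == digest:
            return name
    return None
```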