ClamWin Free Antivirus
Support and Discussion Forums
Information on what a particular virus does
sumi


Joined: 08 Jan 2012
Posts: 0
Location: Sydney, Australia
Hi there, I've been using Clamwin for several years now, but I'm new to the forums. Last night I found JS.Obfus-48 on my laptop with Clamwin and manually disinfected by removing affected files. The virus alerted me to its presence by popping up a message box when I was not connected to anything else.

I scoured the internet to find out what this virus might additionally do (e.g. would it have launched itself into emails I've sent?) but found nothing. Is there a database available that tells you what viruses do? How else do we find out what a virus is capable of?

Thanks!
-sumi
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
You can do a search on Google for the virus name, but the problem with that is that different AV companies will have different names for the same virus. Here's what I suggest: get a file hash for the virus file. The MD5 hash and the SHA-1 hash are often used. You will need a file hashing program to get a hash from the file, and then you can use the hash in a Google search. A hash is sort of a shortcut mathematical summary of a particular file. Here is the MD5 hash for the ClamWin.exe executable: 46987F48965E0D489555723775158B7F.

I like the little dphash program, which is free and available at http://www.paehl.de on the web. A file hashing program can be very useful. Some software download sites will publish a hash for their files. You can download the file and get a hash with your hashing program and compare your hash to the published hash before you install the program. If the hashes are different, you do not have the program you wanted. It may be corrupted or even contain a virus.

Regards,
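The download check described in the post above, as an added example (not part of the original thread, and not ClamWin or dphash code). The function names and the sample files are constructed for illustration, and SHA-256 support goes beyond the MD5 and SHA-1 hashes the post mentions.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> algorithm. MD5 and SHA-1 are the two named in the post;
# SHA-256 is an addition here, since many download sites publish it as well.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize(published: str) -> str:
    """Lowercase a published hex digest and drop spaces, ':' and '-'."""
    cleaned = "".join(c for c in published if c not in " \t\r\n:-").lower()
    if len(cleaned) not in ALGO_BY_HEX_LEN or set(cleaned) - set("0123456789abcdef"):
        raise ValueError("not an MD5, SHA-1 or SHA-256 hex digest")
    return cleaned


def file_digest(path: str, algo: str, chunk_size: int = 1 << 20) -> str:
    """Hash the file in chunks so a large installer is never fully in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, published: str) -> bool:
    """True only if the file's digest equals the published one."""
    expected = normalize(published)
    actual = file_digest(path, ALGO_BY_HEX_LEN[len(expected)])
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Constructed sample: a stand-in installer and a copy with one byte changed."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "setup.exe"), os.path.join(d, "setup_bad.exe")
        data = b"constructed sample installer bytes"
        with open(good, "wb") as fh:
            fh.write(data)
        with open(bad, "wb") as fh:
            fh.write(data[:-1] + b"X")
        published = file_digest(good, "sha1").upper()  # upper case, as in the post
        return {"good": verify_download(good, published),
                "bad": verify_download(bad, published)}


if __name__ == "__main__":
    print(demo())
```

MD5 and SHA-1 still catch a corrupted download, but neither is collision resistant any more, so use the SHA-256 value when a site publishes one.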
Thanks...
sumi


Joined: 08 Jan 2012
Posts: 0
Location: Sydney, Australia
Thanks Bob, though I am not sure if I'm geared to do a hash check now, seeing as I trashed the files with the virus on my system. Call me paranoid but I wasn't hanging on to them.

If Clamwin calls the virus a particular name, does Clamwin itself not have a list of virus descriptions - or maybe even the hash reference? I guess not, else you would have said so. Extremely good point about different shops calling them different names. Which is why my google search turned up zilch.

Really appreciate you getting back to me -sumi
ah-hah!
sumi


Joined: 08 Jan 2012
Posts: 0
Location: Sydney, Australia
Silly me. You meant hash the target executable and compare original with downloaded copy. Please forget my comments on hashing the virus file.

Still, I'm not sure if that would have saved me this last time as the virus was sitting in a Firefox (yes!) cache of not sure what and seemed to be an exe embedded in a non-exe file.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Clam keeps a copy of the original submission on its submission interface, and the sigmakers can search via hash there, but there is no description of the virus. Even when a signature is prepared, there is no formal description of the virus, unless the sigmaker keeps some sort of personal record.

That Obfus description in the name of the virus could mean there is some sort of generic signature, so it could be a false positive--especially if there was some sort of non-executable file involved.

File hashes are very useful. Sometimes a virus file is so packed/compressed that a file hash makes the best signature.

Regards,
lfreddecolo


Joined: 24 Feb 2012
Posts: 0
Location: Fremont
One of the biggest fears among new computer users is being infected by a computer virus or programs designed to destroy their personal data. Viruses are malicious software programs that have been designed by other computer users to cause destruction and havoc on a computer and spread themselves to other computers where they can repeat the process.
Once the virus is made, it is often distributed through shareware, pirated software, e-mail, P2P programs, or other programs where users share data.