ClamWin Free Antivirus
Support and Discussion Forums

Poll: Have you got this reported scan on/after January 15th
Yes: 50% [ 1 ]
No: 50% [ 1 ]
Total Votes : 2

onestop.mid and town.mid on multiple servers (BC.Exploit.CV)
tony-jennings


Joined: 19 Nov 2010
Posts: 0
Location: Cambridge, England
Hi,

I'm getting reports on more than one of our servers about virus BC.Exploit.CVE_2012_0003 in two files: onestop.mid and town.mid

Usually when I suddenly see errors reported on multiple servers, it is because clamwin is falsely reporting the infection.

4 errors are displayed:

C:\Windows\Media\onestop.mid: BC.Exploit.CVE_2012_0003 FOUND
C:\Windows\Media\town.mid: BC.Exploit.CVE_2012_0003 FOUND
C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.0.6001.18000_none_733117b66de7085d\onestop.mid: BC.Exploit.CVE_2012_0003 FOUND
C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.0.6001.18000_none_733117b66de7085d\town.mid: BC.Exploit.CVE_2012_0003 FOUND

The dates on these files are very old and two copies are suddenly shown as infected - it seems very unlikely
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
There has been at least 1 false positive report to Clam AV about an exploit on midi files. They should correct their signature within a day or two, but it might help if you also make a false positive report to them and upload a couple of your midi files. Those byte code detections can be a pain if they don't get it right!

Regards,
Re: onestop.mid and town.mid on multiple servers (BC.Exploit
swerenfl


Joined: 16 Jan 2012
Posts: 0
Location: Schaumburg, IL
tony-jennings wrote:
Hi,

I'm getting reports on more than one of our servers about virus BC.Exploit.CVE_2012_0003 in two files: onestop.mid and town.mid

Usually when I suddenly see errors reported on multiple servers, it is because clamwin is falsely reporting the infection.

4 errors are displayed:

C:\Windows\Media\onestop.mid: BC.Exploit.CVE_2012_0003 FOUND
C:\Windows\Media\town.mid: BC.Exploit.CVE_2012_0003 FOUND
C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.0.6001.18000_none_733117b66de7085d\onestop.mid: BC.Exploit.CVE_2012_0003 FOUND
C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.0.6001.18000_none_733117b66de7085d\town.mid: BC.Exploit.CVE_2012_0003 FOUND

The dates on these files are very old and two copies are suddenly shown as infected - it seems very unlikely



Getting the same errors. Freaked out then I saw the report come to my email over the weekend. Any resolution?
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The resolution should come when people report the false positive to Clam AV. Each Clam sigmaker is generally responsible for correcting his own false positives, so resolution depends upon the availability of the sigmaker. In addition, the Sourcefire sigmakers (USA) may be on a holiday (it's MLK day today).

Regards,
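
A triage sketch for the situation discussed in this thread, added here as an example and not code from ClamWin or from any poster: it groups `FOUND` lines from several hosts by signature and file name, and flags groups that hit only Windows-shipped directories on more than one host as candidates for a false-positive report. The host names, the directory list and the `suspected_fp` rule are assumptions.

```python
import ntpath
import re
from collections import defaultdict

LINE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND\s*$")
# Directories populated by Windows itself (assumed list, taken from the thread).
OS_DIRS = ("c:\\windows\\media\\", "c:\\windows\\winsxs\\")

def parse(report):
    """Yield (path, signature) for each 'FOUND' line of a scan report."""
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m["path"], m["sig"]

def triage(reports):
    """Group detections by (signature, file name) across hosts."""
    groups = defaultdict(lambda: {"hosts": set(), "paths": set()})
    for host, report in reports.items():
        for path, sig in parse(report):
            g = groups[(sig, ntpath.basename(path).lower())]
            g["hosts"].add(host)
            g["paths"].add(path)
    out = {}
    for key, g in groups.items():
        os_only = all(p.lower().startswith(OS_DIRS) for p in g["paths"])
        out[key] = {
            "hosts": sorted(g["hosts"]),
            "copies": len(g["paths"]),
            # Assumed heuristic: same signature, same OS-shipped file, several
            # hosts at once. Verify against a clean copy, then report it.
            "suspected_fp": os_only and len(g["hosts"]) > 1,
        }
    return out

# Constructed input: the four report lines from the first post, attributed to
# two hypothetical hosts to mirror "more than one of our servers".
SIG = "BC.Exploit.CVE_2012_0003"
WINSXS = (r"C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_"
          r"31bf3856ad364e35_6.0.6001.18000_none_733117b66de7085d")
REPORT = "\n".join(f"{d}\\{f}: {SIG} FOUND"
                   for d in (r"C:\Windows\Media", WINSXS)
                   for f in ("onestop.mid", "town.mid"))
SAMPLE = {"srv-a": REPORT, "srv-b": REPORT}

if __name__ == "__main__":
    for key, info in triage(SAMPLE).items():
        print(key, info)
```

A flagged group is a prompt to compare the files against a known-good installation before submitting them, not proof that the detection is false.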