ClamWin Free Antivirus
Support and Discussion Forums
New Backdoor From The Trickbot Gang
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I was looking for Ukraine malware to see if I could help any ClamWin users in Ukraine, but I ran across BazarBackdoor, a new stealthy covert malware backdoor designed for high-value targets, part of the TrickBot group toolkit. Below is an MDB signature for this malware. Copy the signature to a separate line in a new Notepad or similar text writer file, and then save the file as a file named Sigfile.mdb with a file type of “All Files” in the ClamWin database folder. Make sure the system does not name it with a .txt or .text extension on the end of the file name. ClamWin cannot process signature files with those 2 extensions, and it will give you an error upon scanning. The file should be named only Sigfile.hdb.

After you save the signature file, scan a file somewhere with ClamWin to make sure the signature works okay—sometimes I can make a mistake, and I don't have ClamWin on this Linux computer. If the scan gives you an error, delete this signature file from the database folder. You can add signatures to the top of an existing MDB signature file (just add a blank line and put the signatures there—any lines needed will be added). If you add to the bottom of an existing file, you will get a scanning error. Make sure to delete any blank lines between this signature and the old signatures.

I hope this helps someone. Custom signatures like this will last for about a month. Delete them from the database folder after that.

161280:5a5effcb791104e6d9feba68659a382e:Win.Trojan.Bazar-021822.2100

Regards,
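
The pre-scan checks the post describes (file extension, blank lines, one signature per line) can be automated. The following is an added example, not part of the original post or of ClamWin; the function name `lint_mdb` is hypothetical, the line layout assumed is ClamAV's `PESectionSize:PESectionMD5:MalwareName` form for `.mdb` files, and treating blank lines as errors follows the post's advice.

```python
import re

# Assumed .mdb line layout: PESectionSize:PESectionMD5:MalwareName
MDB_LINE = re.compile(r"^(\d+):([0-9a-fA-F]{32}):([^\s:]+)$")


def lint_mdb(filename, text):
    """Return a list of problems found in a custom .mdb signature file."""
    problems = []
    lower = filename.lower()
    # Notepad tends to append .txt unless "All Files" is selected.
    if lower.endswith((".txt", ".text")):
        problems.append("file name ends in .txt/.text")
    elif not lower.endswith(".mdb"):
        problems.append("file name does not end in .mdb")
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            # The post advises removing blank lines between signatures.
            problems.append(f"line {number}: blank line")
        elif not MDB_LINE.match(line):
            problems.append(f"line {number}: not size:md5:name")
    return problems


# The signature line quoted in the post above.
POSTED = "161280:5a5effcb791104e6d9feba68659a382e:Win.Trojan.Bazar-021822.2100\n"

# Constructed bad input: wrong extension, a blank line, a malformed line.
BROKEN = POSTED + "\nnot-a-signature\n"

if __name__ == "__main__":
    print(lint_mdb("Sigfile.mdb", POSTED))
    for problem in lint_mdb("Sigfile.mdb.txt", BROKEN):
        print(problem)
```

A clean result only means the file is well formed; a test scan with ClamWin, as the post recommends, is still what confirms the engine loads it.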