Below are some MDB signatures for RuRat, a remote access trojan targeting USA media organizations. Copy the signature(s) to a new Notepad or similar text writer file, and save the file in the ClamWin database folder as a file named Sigfile.mdb with a file type of “All Files”. Make sure the system does not name it as anything other than Sigfile.mdb because ClamWin will give you an error upon scanning otherwise. Nothing but .mdb should go on the end of the filename.

After you save the signature file, scan a file somewhere with ClamWin to make sure the signature(s) work. Delete this signature file from the database folder if you get a scan error. You can add signatures to the top of an existing MDB signature file (just add one blank line and copy/paste the signatures there—any lines needed will be added if there is more than one signature line. Delete any blank lines between signatures. If you add to the bottom of an existing signature file, you will get a scanning error.

Delete MDB and HDB signatures after they are a month old because they will be updated by then. The date and time are the last 2 items of the signature.

22528:c76b9ce587690b8a39ba7840b7dd540c:Win.Trojan.RuRat-030322.2115
170496:6830a9b5c13f6430b2cca8f96995cdee:Win.Trojan.RuRat-030322.2119
20815872:8068e9436a4ad15708888c50b02300f9:Win.Trojan.RuRat-030322.2123
22528:c76b9ce587690b8a39ba7840b7dd540c:Win.Trojan.RuRat-030322.2123

Regards,