Below is a HDB signature for a remote access trojan (backdoor) that is being used in corporate contact forms to distribute ransomeware or other malware, primarily to corporations. The malware could be used on any computer, I guess. This current campaign distributes the malware in a .LNK file.

Copy the signature and post it to a new Notepad or similar text writer file, and save it in the ClamWin database folder as a file named Sigfile.hdb with a file type of “All Files”. Do not save it as text file. The file name should end in nothing but .hdb. The date and time are the last two items in the signature.

For multiple signatures, put each one on a separate line in the Notepad file. You can add multiple signatures to the top of an existing HDB signature file (just add one blank line and paste the signatures there—any lines needed will be added). Adding signatures to the bottom of an existing signature file will give you a scanning error. Delete any blank lines between signatures in the signature file after pasting.

After you save the signature file in the database folder, scan something with ClamWin to make sure it works. If you get a scan error, delete the signature file from the database folder or delete only the signatures that you just posted to an existing HDB file and resave it. Leave no blank lines in the signature file.

Delete signatures after they are 6 weeks old. The viruses will be updated by then.

809e4d7f6dd74357066a02a5c3d8d29b:1182:LNK.Trojan.RAT-031122.0858

Regards,