Anybody can tell me the details?
How to select a correct signature form a virus sample?

A lot of that depends on the engine that will use the signature. Things you need to understand some things prior to creating a good signature.
1) Understanding if the malware is packed or not
2) If it is packed, if the engine can unpack it.
3) If the engine can unpack it, understanding what code/data is specific to the malware to place the signature on
4) Understanding your engines points of reference within a PE structure create a signature.

If you're relatively familiar with these things and you have malware samples that clamav detects; you can use the sigtool to spit out the signatures from the database files to see the bytes of the existing signatures on real files.

Below is a link to a search I did on the ClamAV Web site for "sasser" virus signatures:

https://clamav-du.securesites.net/cgi-bin/clamgrok?virus=sasser&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&display=signature&.submit=Submit+Query&.cgifields=database&.cgifields=case-sensitivity&.cgifields=search-type&.cgifields=display

At one time ClamAV was using an algorithm in virus scans that was originally developed in medical research to identify patterns of protein families. I don't know if they are still using it. Theoretically, I guess it should be very helpful, but it appears that they still need to identify most viruses separately--even slightly changed versions. They are really developing a good database--they've up to about 85,000 signatures now, which is more than some commercial antivirus firms. If you are able to identify virus families, however, the sheer number of signatures isn't that important.

Regards,