False positive Exploit.IFrame.Gen??
GuitarBob
ClamWin uses the virus signature database provided by Clam AV. Please send false positives (and infected files) to Clam AV at https://www.clamav.net/sendvirus/ on the web.
Regards,
Fojtik
OK Result: Submission completed! ZFPXJ70E.CNM has been successfully sent to the virusdb maintainer team...
|
GuitarBob
That was a generic detection (GEN on the end of the name). It wasn't actually a specific virus detected--just code that can be used in exploits. Clam will either adjust the signature or whitelist your file (probably the latter). Thanks for making Clam (and ClamWin) a better antivirus.
Regards,
|
Fojtik
It is not a good idea to whitelist this particular file. Emails could slightly differ by sender, recipient, SMTP servers on the way and so on. And I have packed this file inside a big textual file that changes after every Email insertion, removal and so on. And I have more folders marked as viruses. If you look at this Email more carefully, you could find that no uuencoded stuff is present here. So there is no chance that this file accommodates a virus. But sometimes there was a virus that has been removed by the Email server or something like this.
|
GuitarBob
When they find an email containing a virus attachment or a link/attachment that leads to a virus, Clam gets two signatures--one for the email itself and one for the virus. Every once in a while someone sends in a false positive for an email that has been stripped of the virus attachment, but it's still a good signature.
Regards,
|
Fojtik
Nice, but this information is nowhere present. According to the scan of my mailbox it looks like it is totally contaminated. Clamwin should at least write that it has found a signature only. Another virus scanner, AVG, did not find anything wrong here.
And second, Clamwin should write at which offset the virus is found. The PMM file is packed from thousands of plaintext mails and it is very hard to orient in this file.

Scan Started Tue Mar 31 08:38:07 2009
-------------------------------------------------------------------------------
C:\mailbox\fojtik\self2001.PMM: Exploit.IFrame.Gen FOUND
C:\mailbox\fojtik\main2002.PMM: Exploit.IFrame.Gen FOUND
C:\mailbox\fojtik\main2003.PMM: Exploit.IFrame.Gen FOUND
C:\mailbox\fojtik\FOL01255.PMm: Exploit.IFrame.Gen FOUND
C:\mailbox\fojtik\main2001.pmm: Exploit.IFrame.Gen FOUND
----------- SCAN SUMMARY -----------
Known viruses: 537581
Engine version: 0.94.1
Scanned directories: 4
Scanned files: 360
Infected files: 5
Data scanned: 626.02 MB
Time: 70.281 sec (1 m 10 s)
--------------------------------------
Completed
--------------------------------------
|
GuitarBob
I don't believe any AV will tell the user the offset of something it detects. This signature is very generic--designed to detect simple IFrames. Here it is below in hex. If you convert it, you will see how generic it is.

696672616d65207372633d{-4096}6369643a{-8192}6865696768743d{-4096}2077696474683d{-1024}2f696672616d65{-4096}2f424f44593e3c2f48544d4c3e{-512}436f6e74656e742d??7970653a2061

Regards,
|
Fojtik
No (or I do not know), but it would be very helpful to know where a virus is. For executables it does not matter, but for a 50 megabyte textual file it will really help. When a signature is very generic, it would also be a good idea to output a probability or something like this. And yes, I see it:

696672616d65207372633d <iframe src=
6369643a 3Dcid
6865696768743d height=3D0
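Added worked example (mine, not code from this thread, from ClamWin or from the ClamAV project): a small Python translator for the subset of ClamAV's hex body-signature syntax that appears in GuitarBob's signature above ({-n} meaning "up to n bytes" and ?? meaning "any one byte", plus the {n}, {n-}, {n-m}, * and half-byte wildcard forms from ClamAV's signature documentation), a decoder that renders the literal bytes as text so the signature's generality is visible at a glance, and a scanner that reports the byte offset of each hit, which is what the reply above asks for. The mailbox sample is constructed; the regex translation is my assumption about how these wildcards behave, not the engine's own matcher.

```python
import re
from typing import Iterator, List, Tuple

# Signature body quoted earlier in this thread (ClamAV hex format).
EXPLOIT_IFRAME_GEN = (
    "696672616d65207372633d{-4096}6369643a{-8192}6865696768743d{-4096}"
    "2077696474683d{-1024}2f696672616d65{-4096}2f424f44593e3c2f48544d4c3e"
    "{-512}436f6e74656e742d??7970653a2061"
)

# Constructed sample: an HTML mail with a cid: iframe whose attachment body
# a gateway has already stripped, the case discussed in the thread.
SAMPLE_MAILBOX = (
    b"From: someone@example.invalid\r\n"
    b"Subject: newsletter\r\n"
    b'Content-Type: multipart/related; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<HTML><BODY>\r\n"
    b"<iframe src=cid:part1 height=0 width=0></iframe>\r\n"
    b"</BODY></HTML>\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="part1.bin"\r\n'
    b"\r\n"
    b"(attachment body removed by the mail gateway)\r\n"
    b"--b1--\r\n"
)
CLEAN_MAIL = b"From: a@example.invalid\r\nContent-Type: text/plain\r\n\r\nNo markup here.\r\n"

_TOKEN = re.compile(
    r"\{(\d*)(-?)(\d*)\}"            # {n} {-n} {n-} {n-m}: gaps measured in bytes
    r"|\*"                           # any number of bytes
    r"|\?\?"                         # any one byte
    r"|[0-9a-fA-F]\?|\?[0-9a-fA-F]"  # one nibble fixed, the other wild
    r"|[0-9a-fA-F]{2}"               # literal byte
)


def _tokens(sig: str) -> Iterator["re.Match[str]"]:
    """Tokenise a signature body, refusing anything outside the supported subset."""
    pos = 0
    for m in _TOKEN.finditer(sig):
        if m.start() != pos:
            raise ValueError(f"unsupported text at offset {pos}: {sig[pos:m.start()]!r}")
        pos = m.end()
        yield m
    if pos != len(sig):
        raise ValueError(f"unsupported text at offset {pos}: {sig[pos:]!r}")


def clamav_hex_to_regex(sig: str) -> "re.Pattern[bytes]":
    """Translate the signature into an equivalent bytes regex (assumed semantics)."""
    parts: List[str] = []
    for m in _tokens(sig):
        tok = m.group(0)
        if tok.startswith("{"):
            lo, dash, hi = m.groups()
            if not lo and not dash:
                raise ValueError(f"empty gap {tok}")
            # Lazy quantifiers so the reported match is the shortest one.
            parts.append(f".{{{lo}}}" if not dash else f".{{{lo or '0'},{hi}}}?")
        elif tok == "*":
            parts.append(".*?")
        elif tok == "??":
            parts.append(".")
        elif tok[1] == "?":  # e.g. 4? -> any byte 0x40..0x4f
            parts.append(f"[\\x{tok[0]}0-\\x{tok[0]}f]")
        elif tok[0] == "?":  # e.g. ?1 -> any byte whose low nibble is 1
            parts.append("[" + "".join(f"\\x{h:x}{tok[1]}" for h in range(16)) + "]")
        else:
            parts.append(f"\\x{tok}")
    return re.compile("".join(parts).encode("ascii"), re.DOTALL)


def decode_literals(sig: str) -> str:
    """Show the literal bytes as text with the wildcards left in place."""
    out = []
    for m in _tokens(sig):
        tok = m.group(0)
        if len(tok) == 2 and "?" not in tok:
            b = int(tok, 16)
            out.append(chr(b) if 32 <= b < 127 else f"\\x{tok}")
        else:
            out.append(tok)
    return "".join(out)


def scan(data: bytes, name: str, sig: str) -> List[Tuple[str, int, int]]:
    """Return (signature name, start offset, end offset) for every hit in data."""
    pattern = clamav_hex_to_regex(sig)
    return [(name, m.start(), m.end()) for m in pattern.finditer(data)]


if __name__ == "__main__":
    print(decode_literals(EXPLOIT_IFRAME_GEN))
    for name, start, end in scan(SAMPLE_MAILBOX, "Exploit.IFrame.Gen", EXPLOIT_IFRAME_GEN):
        print(f"{name} FOUND at offset {start}..{end}")
```

Run as a script it prints the decoded signature (iframe src= ... cid: ... height= ... width= ... /iframe ... /BODY></HTML> ... Content-??ype: a) and the offset of the hit in the sample. Note that the sample still matches after the attachment body has been stripped, because every literal the signature needs lives in the HTML part and the following MIME header, which is exactly why cleaned mailboxes keep triggering it.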
|
GuitarBob
You might suggest this to Clam AV. They provide the scanning engine and signature database that ClamWin uses. Clam started out as an email scanner, and it is still used primarily by email outfits.
Regards,
|
Fojtik
The offset would be very useful as far as it is quite hard to orient in a file. Grr, I have found that a real virus is not detected! So I have a lot of false positives and real viruses are not recognized. But when I attempt to upload it, Clam AV recognised it:

> This virus is already recognized by ClamAV 0.95/9204/Sat Apr 4 03:22:15 2009 (timezone: ) as W32.Elkern.C. Be careful when submitting samples and remember to run freshclam!
> Check the FAQ now

I did not find 0.95, 0.94.1 is available: https://www.clamwin.com/ So I hope that this would be OK after a while.
|
GuitarBob
You have to be sure that you check the false positive block on the Clam submission form to let them know it is a false positive you are sending and not a virus.
ClamWin is beta testing version .95 now, but it may be a week or two before it is ready. There should not be any difference in detection between versions.
Regards,
|
Fojtik
Sorry for the misunderstanding, my second submission (attempt at submission) was a real virus (that has been stripped in a lot of Emails). I have found that one Email contains it. The Clam AV page detects it correctly.
Nice, I could also test it. I could only say that Clamwin does not detect this virus at all:
GuitarBob
Yes, some AV companies just get a signature for attachments. Clam gets signatures for both email and attachments.
Send email to the ClamWin developers at https://www.clamwin.com/component/option,com_contact/task,view/contact_id,1/Itemid,64/ and tell them if you are interested in beta testing.
Regards,
|
Fojtik
Thank you for the hint. The current ClamWin beta 0.95 really detects both: the frame without virus, 14VVSBKQ.CNM, and the second file PGZQPSHY.CNM that contains the virus without the frame, which 0.94 ignored.

Scan Started Fri Apr 10 13:26:45 2009
-------------------------------------------------------------------------------
C:\temp\2\14VVSBKQ.CNM: Exploit.IFrame.Gen FOUND
C:\temp\2\PGZQPSHY.CNM: W32.Elkern.C FOUND
----------- SCAN SUMMARY -----------
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.