GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA

Posted: Mon Apr 05, 2010 7:29 pm

There are several types of signatures, and all of them are subject to false positives. Some types have a specific length/size. The most specific signature is a hash of the entire file, which provides a unique sig (there is a very small chance an MD5 hash can have an evil twin, however), but this will catch only a specific version of a virus file. If the file is changed just a little bit (and virus writers can change them often), the sig will not be any good. So the sigmakers try to get a signature that will be used again--entry point, packer, main executable, program code. The specific file hash is used only as a last resort.
Did you know that virus writers have services similar to VirusTotal and Jortti where they can see which AVs detect their viruses? The services will also make subsequent periodic checks and inform the virus writers when AVs start detecting their virus, so they can change it. They then repack/compress the original file, and it comes out unique again--it's quite automated. Some viruses are changed hourly!
I am hopeful that the new Clam signatures available with version .96 will be both more specific and longer lasting.
Regards,
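To illustrate the point in the post above about whole-file hash signatures versus body (pattern) signatures, here is an added example that is not from the original post or from the ClamAV project. It builds one signature of each kind in a ClamAV-like text format (an .hdb line is `MD5:FileSize:MalwareName`; an .ndb line is `MalwareName:TargetType:Offset:HexSignature`) over a constructed, harmless sample, then "repacks" the sample by changing two bytes and shows that the hash line stops matching while the body pattern still does. The matcher is a deliberately simplified subset of ClamAV's hex-signature syntax (only the `??` single-byte and `*` any-run wildcards), written for this example; the sample bytes and signature names are made up.

```python
import hashlib
import re

# Constructed sample bytes standing in for a malicious executable (not real malware).
SAMPLE_V1 = b"MZ\x90\x00" + b"\x00" * 12 + b"evil_payload_v1 CALL 0xDEADBEEF" + b"\x00" * 8
# The "repacked" variant: one padding byte and the version digit changed, size unchanged.
SAMPLE_V2 = b"MZ\x90\x00" + b"\x00" * 11 + b"\x01" + b"evil_payload_v2 CALL 0xDEADBEEF" + b"\x00" * 8
# A constructed clean file the body signature must not hit.
CLEAN = b"MZ\x90\x00" + b"\x00" * 12 + b"hello world, nothing to see here" + b"\x00" * 8


def hdb_signature(data: bytes, name: str) -> str:
    """Build a ClamAV-style .hdb line: MD5:FileSize:MalwareName."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def hdb_match(sig: str, data: bytes) -> bool:
    """Whole-file hash match: size and MD5 must both agree."""
    md5, size, _name = sig.split(":", 2)
    return len(data) == int(size) and hashlib.md5(data).hexdigest() == md5


def ndb_signature(name: str, hexsig: str) -> str:
    """Build a ClamAV-style .ndb line. Target type 0 = any file, offset * = anywhere."""
    return f"{name}:0:*:{hexsig}"


def hex_pattern_to_regex(hexsig: str) -> re.Pattern:
    """Compile a hex pattern with '??' (any one byte) and '*' (any run of bytes)
    into a bytes regex. Simplified subset of ClamAV body-signature syntax
    written for this example; it is not ClamAV's own matcher."""
    parts = []
    i = 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*")
            i += 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def ndb_match(sig: str, data: bytes) -> bool:
    """Body-pattern match anywhere in the file (offset * only, for this example)."""
    _name, _target, _offset, hexsig = sig.split(":", 3)
    return hex_pattern_to_regex(hexsig).search(data) is not None


def demo() -> dict:
    """Compare a hash signature and a body signature across the original,
    the repacked variant and a clean file."""
    hash_sig = hdb_signature(SAMPLE_V1, "Example.Demo.Hash")
    # Pattern over the part that survives repacking: the string before the
    # version digit, one wildcard byte for the digit, then the call sequence.
    body_sig = ndb_signature(
        "Example.Demo.Body",
        b"evil_payload_v".hex() + "??" + b" CALL 0xDEADBEEF".hex(),
    )
    return {
        "hash_v1": hdb_match(hash_sig, SAMPLE_V1),      # True
        "hash_v2": hdb_match(hash_sig, SAMPLE_V2),      # False: two bytes changed
        "body_v1": ndb_match(body_sig, SAMPLE_V1),      # True
        "body_v2": ndb_match(body_sig, SAMPLE_V2),      # True: pattern survives
        "body_clean": ndb_match(body_sig, CLEAN),       # False
    }


if __name__ == "__main__":
    for key, hit in demo().items():
        print(f"{key}: {'DETECTED' if hit else 'clean'}")
```

Note that SAMPLE_V1 and SAMPLE_V2 are the same size, so the size field in the .hdb line does not help; only the MD5 differs, and that is enough to lose the detection. The trade-off the post alludes to is visible in the body signature: the shorter and more wildcarded the pattern, the more variants it catches, and the higher the chance it also hits a clean file.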