GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Thu Apr 26, 2018 3:15 pm
Necurs is a botnet distributing malware that runs spam, disables antivirus software, and steals information. The latest version uses scripts that never get copied to user computers. The final script in the infection chain downloads the loader of the actual malware. Some AVs (including ClamAV) will not be able to detect the malware because of the scripts. Below are signatures for the loaders of different versions of the current Necurs campaign. The loaders are placed on a computer via clicked internet shortcut files (.URL) that look like folders, act like .lnk files, and are actually internet shortcuts to the downloaders. Copy the signatures, put them in a Notepad file, name the file sigfile.mdb, and save it in the C:\ProgramData\.clamwin\db folder. If you already have an .mdb file in the db folder, just add them to the other signatures in that file. Make sure that there is no .txt extension on the saved .mdb file. The signatures work for me, but test them by scanning a file with ClamWin after saving the .mdb file. Also add .url as an extension to be scanned by ClamWin/Clam Sentinel.
33280:89ce8c7867f0575e2db1045c5c339b7a:Win.Trojan.Quantloader-042618.0958
8192:d1d31a2a01cdfd650c429599d23e7c01:Win.Trojan.Quantloader-042618.0953
30720:e3ab8a8bacf4a74e73549623dbd434cb:Win.Trojan.Quantloader-042618.0953
8192:64631fc4a64b31263c73975381fa1bea:Win.Trojan.Quantloader-042618.0950
Regards,
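The lines above are ClamAV .mdb records, whose shape is PESectionSize:PESectionHash:MalwareName, i.e. the MD5 of one PE section's raw bytes together with that section's raw size. The following is an added example, not code from GuitarBob's post or from the ClamAV project: a small Python checker that parses .mdb lines the way a reader would write them into sigfile.mdb, walks the section table of a PE file, and reports which sections match. The PE image it scans is constructed inline so it runs offline, and the one matching signature is derived from that constructed image at run time; the four Quantloader records from the post are loaded too and, as expected, do not match the fixture. It does not reproduce ClamAV's own handling of corner cases such as truncated or overlapping sections, and the hypothetical name Win.Test.ConstructedSection is an assumption for the fixture only.

```python
"""Match ClamAV-style .mdb (PE section hash) records against a PE image.

Added example, not from the original post or the ClamAV project. Record shape:
    PESectionSize:PESectionHash:MalwareName
Each PE section's raw data is hashed with MD5 and looked up by (size, hash).
"""
import hashlib
import struct

# The four records from the post, verbatim.
MDB_TEXT = """\
33280:89ce8c7867f0575e2db1045c5c339b7a:Win.Trojan.Quantloader-042618.0958
8192:d1d31a2a01cdfd650c429599d23e7c01:Win.Trojan.Quantloader-042618.0953
30720:e3ab8a8bacf4a74e73549623dbd434cb:Win.Trojan.Quantloader-042618.0953
8192:64631fc4a64b31263c73975381fa1bea:Win.Trojan.Quantloader-042618.0950
"""


def parse_mdb(text):
    """Return {(section_size, md5_hex): malware_name}; skips blanks and '#' comments."""
    sigs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected size:md5:name")
        size, md5hex, name = parts[0], parts[1].lower(), ":".join(parts[2:])
        if len(md5hex) != 32 or any(c not in "0123456789abcdef" for c in md5hex):
            raise ValueError(f"line {lineno}: bad MD5 {md5hex!r}")
        sigs[(int(size), md5hex)] = name
    return sigs


def pe_sections(image):
    """Yield (name, raw_bytes) for every section in a PE image (bytes)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                  # first IMAGE_SECTION_HEADER
    for i in range(nsections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)  # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr:raw_ptr + raw_size]


def scan(image, sigs):
    """Return [(section_name, malware_name)] for every section whose (size, MD5) is in sigs."""
    hits = []
    for name, data in pe_sections(image):
        key = (len(data), hashlib.md5(data).hexdigest())
        if key in sigs:
            hits.append((name, sigs[key]))
    return hits


def build_sample_pe(sections):
    """Construct a minimal PE32 image from [(name, data)] pairs (test fixture only)."""
    n = len(sections)
    e_lfanew, opt_size = 0x40, 0xE0
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * n
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    table, body, ptr = bytearray(), bytearray(), headers_len
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table) + bytes(body)


# Constructed fixture: two 512-byte sections; .text is the one we pretend is known-bad.
TEXT_DATA = b"\x55\x8b\xec\x33\xc0\x5d\xc3" + b"\xcc" * 505
DATA_DATA = b"ClamWin test string\0".ljust(512, b"\0")
SAMPLE_PE = build_sample_pe([(".text", TEXT_DATA), (".data", DATA_DATA)])
# Hypothetical record derived from the fixture at run time; not a real-world hash.
TEST_SIG = f"{len(TEXT_DATA)}:{hashlib.md5(TEXT_DATA).hexdigest()}:Win.Test.ConstructedSection"
SIGS = parse_mdb(MDB_TEXT + TEST_SIG + "\n")

if __name__ == "__main__":
    for sect, sig in scan(SAMPLE_PE, SIGS):
        print(f"{sect}: FOUND {sig}")
```

To check a real sigfile.mdb, replace MDB_TEXT with the file's contents and SAMPLE_PE with the bytes of the file you want to test; a record only fires when both the raw section size and the MD5 agree, which is why a wrong size field silently produces no detection.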