GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA

Posted: Mon Oct 05, 2020 7:11 pm
There is a new bootkit malware that inserts a rootkit in the Windows startup routine. This is the second one that has been found, so they are not that common. Because of this, some AVs may not detect them. Clam does not detect it, but many AVs already do. Below are MDB signatures for the files that are involved in putting the bootkit on Windows machines.

Copy the MDB signatures to a Notepad file and save it in the ClamWin db program data folder, or add the signatures to an existing MDB file if you already have one in the folder. Do not save the file with a .txt or .text extension on the end of the name. Save the file as Sigfile.mdb. Select the file type All Files to prevent .txt or .text from being added to the end of the filename. ClamWin is unable to recognize a text file as a signature. After saving the file, scan something with ClamWin to make sure the signature works--delete the signature file if it does not, or remove the signatures from an existing MDB file if you have one there.
 
 Signatures may last up to a week or longer, depending upon how lazy the malware authors are about changing their version. MDB signatures are signatures for a section of a malware file, and they sometimes can last up to a month, especially if the section is re-used in another malware.  Because of the difficulty in developing malware like this, I think these signatures will last a long time.
 
 
 45056:aee882209a83ca2639c2db9cbbab37ac:Win.Bootkit.Regressor-100520.1402
 512:f6e66df0e257a9704f3083f0c4e4b8b0:Win.Bootkit.Regressor-100520.1400
 57344:8b39de7c0c140a41029e01bdbc4376e6:Win.Bootkit.Regressor-100520.1357
 
 Regards,
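As an added example (not code from the post above and not part of ClamWin or ClamAV), the Python below shows what an MDB line actually covers: it walks the PE section table, hashes each section's raw bytes with MD5, emits lines in the same `size:md5:name` form as the three signatures above, and checks a file against a parsed signature set, which is the same pairing ClamAV's `sigtool --mdb` and the scanner perform. The sample PE it builds is constructed in-process so everything runs offline; the FileAlignment of 512, the PE32 optional-header size, the `Win.Test.Sample` name and the `-<index>` suffix per section are assumptions made for the demonstration.

```python
"""Generate and check ClamAV .mdb (PE section hash) signatures.

Added example; not from the ClamWin forum post or the ClamAV project.
The PE section table is parsed by hand so only the standard library is
needed.  An MDB line is

    PESectionSize:PESectionMD5:SignatureName

where the size is the section's SizeOfRawData and the hash is the MD5 of
the raw section bytes at PointerToRawData.
"""
import hashlib
import struct

FILE_ALIGN = 512  # assumption: typical PE FileAlignment for the sample


def pe_sections(buf: bytes):
    """Yield (name, SizeOfRawData, raw_bytes) for every section of a PE image."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", buf, 0x3C)[0]          # e_lfanew
    if buf[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    nsec = struct.unpack_from("<H", buf, pe_off + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", buf, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                           # first section entry
    for i in range(nsec):
        entry = buf[table + 40 * i: table + 40 * (i + 1)]
        if len(entry) < 40:
            raise ValueError("truncated section table")
        name = entry[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", entry, 16)
        data = buf[raw_ptr:raw_ptr + raw_size]
        if raw_size and len(data) != raw_size:
            raise ValueError(f"section {name} runs past end of file")
        yield name, raw_size, data


def mdb_signatures(buf: bytes, name: str) -> list:
    """One MDB line per non-empty section, named <name>-<section index>."""
    lines = []
    for i, (_, raw_size, data) in enumerate(pe_sections(buf)):
        if raw_size == 0:          # ClamAV skips sections with no raw data
            continue
        lines.append(f"{raw_size}:{hashlib.md5(data).hexdigest()}:{name}-{i}")
    return lines


def parse_mdb(text: str) -> dict:
    """Parse MDB lines into {(size, md5): name}; blank and '#' lines are skipped."""
    sigs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        size, digest, sig_name = line.split(":", 2)
        sigs[(int(size), digest.lower())] = sig_name
    return sigs


def match_mdb(buf: bytes, sigs: dict) -> list:
    """Names of signatures whose (size, md5) equals some section of buf."""
    hits = []
    for _, raw_size, data in pe_sections(buf):
        key = (raw_size, hashlib.md5(data).hexdigest())
        if key in sigs:
            hits.append(sigs[key])
    return hits


def build_sample_pe(sections) -> bytes:
    """Constructed test input: a minimal PE32 with the given [(name, data)] sections.

    Headers are mostly zero and the image is not runnable, but the section
    table and raw data layout match a real PE, which is all the parser reads.
    """
    nsec, opt_size = len(sections), 224               # 224 = PE32 optional header
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * nsec
    first_raw = -(-hdr_len // FILE_ALIGN) * FILE_ALIGN
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    table, body, raw_ptr, rva = bytearray(), bytearray(), first_raw, 0x1000
    for name, data in sections:
        padded = data + b"\0" * (-len(data) % FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), rva, len(padded), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += padded
        raw_ptr += len(padded)
        rva += -(-len(padded) // 0x1000) * 0x1000
    image = dos + coff + opt + table
    image += b"\0" * (first_raw - len(image))
    return bytes(image + body)


if __name__ == "__main__":
    sample = build_sample_pe([(".text", b"\x55\x8b\xec\x90" * 150),
                              (".data", b"constructed" * 6)])
    lines = mdb_signatures(sample, "Win.Test.Sample")
    print("\n".join(lines))
    print(match_mdb(sample, parse_mdb("\n".join(lines))))
```

To check a real sample against a signature file, read its bytes and call `match_mdb(data, parse_mdb(open("Sigfile.mdb").read()))`; the three posted signatures cannot be exercised here because the files they describe are not on the page. The round trip also illustrates the lifetime remark above: changing a single byte inside a section changes that section's MD5 and the line stops matching, while sections the author leaves untouched keep matching across rebuilds.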