GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Wed Mar 02, 2022 10:40 pm
Below are HDB signatures for Russian APT Gamaredon Group intended for Ukrainian computers. Copy the signature(s) to a new Notepad or similar text writer file, and save the file in the ClamWin database folder as a file named Sigfile.hdb with a file type of “All Files”. Make sure the system does not name it with a .txt or .text extension on the end of the file name. ClamWin will give you an error upon scanning files so named.
After you save the signature file, scan a file somewhere with ClamWin to make sure the signature works—I don't have ClamWin on this Linux computer, and sometimes I make a mistake. Delete this signature file from the database folder if you get a scan error. You can add signatures to the top of an existing HDB signature file (just add one blank line and copy/paste the signatures there—any lines needed will be added if there is more than one signature line). If you add to the bottom of an existing signature file, you will get a scanning error. Delete any blank lines in the new signature file—that will also give a scanning error.
If you have custom extensions for ClamWin to scan, include the .lnk extension. The first letter of the extension is a small L--not an I. The extension is for link files.
Delete MDB or HDB signatures after a month—the malware is updated by then.
df5e768a1bdf5994b54dd96b09f4068e:1799:LNK.Trojan.LNK-030222.1625
a4bc385ffef2f9e2da8773f2b2c22523:1724:LNK.Trojan.LNK-030222.1623
cef654008f6f530b37ceb884752cd4f9:1722:LNK.Trojan.LNK-030222.1620
a6fa37788bd599d0196bb74c183fe863:1779:LNK.Trojan.LNK-030222.1619
b06e5f7a899c631c7df69f8a4cfc75fc:1722:LNK.Trojan.LNK-030222.1618
Regards,
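
Added example (not part of the original post and not ClamWin code): a Python check to run on a Sigfile.hdb before it goes into the database folder, based on the MD5:size:name layout of the signature lines in the post. It flags a wrong file extension, blank lines and malformed lines, and shows that an HDB signature matches only a file with exactly that MD5 and size; the function names and the sample data are constructed for illustration.

```python
import hashlib
import re

# HDB line layout as used in the post: 32 hex chars of MD5, size in bytes, name.
HDB_LINE = re.compile(r"^([0-9a-fA-F]{32}):(\d+):(\S+)$")

def check_hdb(filename, text):
    """Return (signatures, problems) for the contents of one .hdb file."""
    sigs, problems = {}, []
    if not filename.lower().endswith(".hdb"):
        problems.append(f"{filename}: name must end in .hdb (no .txt added)")
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # a single trailing newline is not treated as a blank line
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\r")  # tolerate Windows line endings from Notepad
        if not line.strip():
            problems.append(f"line {n}: blank line")
            continue
        m = HDB_LINE.match(line)
        if not m:
            problems.append(f"line {n}: not MD5:size:name")
            continue
        sigs[(m.group(1).lower(), int(m.group(2)))] = m.group(3)
    return sigs, problems

def match(data, sigs):
    """Name of the signature matching these file bytes, or None."""
    return sigs.get((hashlib.md5(data).hexdigest(), len(data)))

# Constructed sample: harmless bytes stand in for a file to be detected.
SAMPLE = b"constructed sample file contents\n"
SAMPLE_SIG = (f"{hashlib.md5(SAMPLE).hexdigest()}:{len(SAMPLE)}"
              ":Test.Constructed.Sample")
GOOD = SAMPLE_SIG + "\n"
BAD = SAMPLE_SIG + "\n\n" + "not-a-signature\n"  # blank line + malformed line

if __name__ == "__main__":
    for name, text in (("Sigfile.hdb", GOOD), ("Sigfile.hdb.txt", BAD)):
        sigs, problems = check_hdb(name, text)
        print(name, "OK" if not problems else problems)
    good_sigs, _ = check_hdb("Sigfile.hdb", GOOD)
    print("sample matches:", match(SAMPLE, good_sigs))
    print("one byte appended:", match(SAMPLE + b"x", good_sigs))
```

Because the match is on the whole file's hash and size, any change to the file produces a different MD5 and the signature no longer fires, which fits the post's advice to retire these signatures after a month.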