GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Thu Mar 03, 2022 9:38 pm
Below are some MDB signatures for custom Chinese malware targeting financial institutions in Taiwan. Copy the signature(s) to a new Notepad or similar text writer file, and save the file in the ClamWin database folder as a file named Sigfile.mdb with a file type of “All Files”. Make sure the system does not name it with a .txt or .text extension on the end of the file name. ClamWin will give you an error upon scanning files so named.
After you save the signature file, scan a file somewhere with ClamWin to make sure the signature(s) work. Delete this signature file from the database folder if you get a scan error. You can add signatures to the top of an existing MDB signature file (just add one blank line and copy/paste the signatures there—any lines needed will be added if there is more than one signature line). Delete any blank lines between signatures. If you add to the bottom of an existing signature file, you will get a scanning error.
Delete MDB and HDB signatures after they are a month old because they will be updated by then. The date and time are the last 2 items of the signature.
7680:46e556bc4991ca2f8feba41dc4a95df2:Win.Backdoor.Antlion-030322.1509
8192:1e76f022a5cfd51c50417615e22864ca:Win.Backdoor.Antlion-030322.1515
8192:6a5971c6c1ac041378f4891fdc8dc258:Win.Backdoor.Antlion-030322.1518
8192:4bef4f34f6b5e02731487115c239eb6e:Win.Backdoor.Antlion-030322.1520
7680:a755503a21e592e98828897f397d2146:Win.Backdoor.Antlion-030322.1522
2560:d83dfa30fa1a0163477e2b19d36a66b4:Win.Backdoor.Antlion-030322.1525
Regards,
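A checker for the rules in the post above, as an added example (not part of the original post and not ClamWin code): it validates each line as size:md5:name, flags blank lines, and flags signatures older than a month using the date and time at the end of the name. It assumes the date is MMDDYY and the time HHMM; the function name `check_mdb` and the sample lines are made up for illustration.

```python
import re
from datetime import datetime, timedelta

# size:md5:name, where the name ends in -MMDDYY.HHMM (date order is an assumption)
MDB_LINE = re.compile(r"^(\d+):([0-9a-fA-F]{32}):(\S+?)-(\d{6})\.(\d{4})$")

def check_mdb(text, now, max_age_days=30):
    """Return (keep, problems): signature lines still in date, and a list of
    (line_number, reason) for lines that would break the scan or are stale."""
    keep, problems = [], []
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # a single trailing newline is not a blank line
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\r")
        if not line.strip():
            problems.append((n, "blank line"))
            continue
        m = MDB_LINE.match(line)
        if not m:
            problems.append((n, "not size:md5:name-MMDDYY.HHMM"))
            continue
        d, t = m.group(4), m.group(5)
        try:  # separators keep strptime from mis-splitting the digit run
            stamp = datetime.strptime(
                f"{d[:2]}/{d[2:4]}/{d[4:]} {t[:2]}:{t[2:]}", "%m/%d/%y %H:%M")
        except ValueError:
            problems.append((n, "bad date/time"))
            continue
        if now - stamp > timedelta(days=max_age_days):
            problems.append((n, "older than %d days" % max_age_days))
        else:
            keep.append(line)
    return keep, problems

# Constructed sample: hashes and names are made up, not the ones posted above.
SAMPLE = (
    "4096:" + "0" * 32 + ":Win.Test.Sample-030122.0900\n"
    "\n"
    "4096:" + "1" * 32 + ":Win.Test.Sample-010122.0900\n"
    "4096:" + "2" * 31 + ":Win.Test.Sample-030122.0915\n"
    "4096:" + "3" * 32 + ":Win.Test.Sample-130122.0915\n"
)

if __name__ == "__main__":
    keep, problems = check_mdb(SAMPLE, now=datetime(2022, 3, 3, 21, 38))
    for n, reason in problems:
        print("line %d: %s" % (n, reason))
    print("\n".join(keep))
```

Run it over the contents of the signature file before saving it to the database folder; the `keep` list is what is safe to write back.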