Virus information database?
Hi everyone,

I'm sure I must be missing something, but where can I find the ClamAV virus information database? Not to download, but for me to search for information about an alleged trojan detected by ClamAV?

I'm asking because ClamAV is currently causing trouble for me by falsely detecting something it calls "Trojan.Agent-281708" in my program, worldpainter_0.8.6.exe. I can find no information on this "Trojan.Agent-281708" online. The only reference I find when I search for it is this entry in the clamav-virusdb mailing list:

Submission-ID: 42631477
Sender: Virus Total
Sender: Anonymous
Added: Trojan.Agent-281708

What kind of trojan is this supposed to be? How does it spread? What does its payload do? What other names is it known as to other virus scanners? How is it being detected? What file was this trojan found in and its signature based on?

Is there any place online or as part of the program where I can find this information?

Kind regards,
Pepijn Schmitz

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: Virus information database?
Hi--

On May 7, 2012, at 8:16 AM, Pepijn Schmitz wrote:
> I'm asking because ClamAV is currently causing trouble for me by falsely detecting something it calls "Trojan.Agent-281708" in my program, worldpainter_0.8.6.exe. I can find no information on this "Trojan.Agent-281708" online. The only reference I find when I search for it is this entry in the clamav-virusdb mailing list:
>
> Submission-ID: 42631477
> Sender: Virus Total
> Sender: Anonymous
> Added: Trojan.Agent-281708
>
> What kind of trojan is this supposed to be? How does it spread? What does its payload do? What other names is it known as to other virus scanners? How is it being detected? What file was this trojan found in and its signature based on?
>
> Is there any place online or as part of the program where I can find this information?

VirusTotal is a site at https://www.virustotal.com/ which lets one upload files and scan them against all of the major malware engines. This will show you all of the false-positive matches and let you see what the malware is being called by the various vendors-- that might help track down what the payload is and does, and also give you some idea as to which vendors you ought to contact and submit your software to as a false-positive.

Also, you can run sigtool from ClamAV to see what the hex string that is being matched is:

% sigtool -fTrojan.Agent-281708
[daily.mdb] 133632:74da9128149f4e678783b4125095d396:Trojan.Agent-281708

Regards,
--
-Chuck

Re: Virus information database?
Hi Chuck,

On 07-05-12 19:17, Chuck Swiger wrote:
> VirusTotal is a site at https://www.virustotal.com/ which lets one upload files and scan them against all of the major malware engines. This will show you all of the false-positive matches and let you see what the malware is being called by the various vendors-- that might help track down what the payload is and does, and also give you some idea as to which vendors you ought to contact and submit your software to as a false-positive.

Yes I know. Virus Total is what told me that ClamAV (and only ClamAV) is
identifying my file as containing a trojan:

https://www.virustotal.com/file/2a7b249b52e7c42c8ca56e97bc4165e0a5e68f8c43808efd8c322e274a34b211/analysis/

> Also, you can run sigtool from ClamAV to see what the hex string that is being matched is:
>
> % sigtool -fTrojan.Agent-281708
> [daily.mdb] 133632:74da9128149f4e678783b4125095d396:Trojan.Agent-281708

Thanks, good to know. Seems like that hex string is not distinctive
enough! I already reported the file as a false positive (using ClamTk).
Are those reports generally responded to quickly? Is there any way I can
help to speed along the process?

And is there no place where I can find more information about the trojan
ClamAV thinks it is detecting? Surely there is more information than a
hex string, somewhere?

Kind regards,
Pepijn Schmitz
Re: Virus information database?
On 5/7/12 10:49 AM, "Pepijn Schmitz" <clamav@pepsoft.org> wrote:

> Hi Chuck,
>
> On 07-05-12 19:17, Chuck Swiger wrote:
>> VirusTotal is a site at https://www.virustotal.com/ which lets one upload
>> files and scan them against all of the major malware engines. This will show
>> you all of the false-positive matches and let you see what the malware is
>> being called by the various vendors-- that might help track down what the
>> payload is and does, and also give you some idea as to which vendors you
>> ought to contact and submit your software to as a false-positive.
>
> Yes I know. Virus Total is what told me that ClamAV (and only ClamAV) is
> identifying my file as containing a trojan:
>
> https://www.virustotal.com/file/2a7b249b52e7c42c8ca56e97bc4165e0a5e68f8c43808efd8c322e274a34b211/analysis/
>
>> Also, you can run sigtool from ClamAV to see what the hex string that is
>> being matched is:
>>
>> % sigtool -fTrojan.Agent-281708
>> [daily.mdb] 133632:74da9128149f4e678783b4125095d396:Trojan.Agent-281708
>
> Thanks, good to know. Seems like that hex string is not distinctive
> enough! I already reported the file as a false positive (using ClamTk).
> Are those reports generally responded to quickly? Is there any way I can
> help to speed along the process?
>
The hex string being matched is the MD5 of the file, but it doesn't match
the one listed in VirusTotal so I'm confused here.

> And is there no place where I can find more information about the trojan
> ClamAV thinks it is detecting? Surely there is more information than a
> hex string, somewhere?
>
The only one that might know something about it is the member of the
signature team that published it (Alain Zidouemba) who probably isn't going
to remember what he did back on 19 April unless he took good notes:

> Submission-ID: 42631477
> Sender: Virus Total
> Sender: Anonymous
> Added: Trojan.Agent-281708

This says it originated at VirusTotal.

When I do a Google search for
"74da9128149f4e678783b4125095d396 +site:virustotal.com"
I get 6 hits, several of which show a VBA32 detection of
TrojanBanker.Qhost.aaji


-Al-

--
Al Varnell
Mountain View, CA



Re: Virus information database?
On May 7, 2012, at 10:49 AM, Pepijn Schmitz wrote:
> Hi Chuck,
>
> On 07-05-12 19:17, Chuck Swiger wrote:
>> VirusTotal is a site at https://www.virustotal.com/ which lets one upload files and scan them against all of the major malware engines. This will show you all of the false-positive matches and let you see what the malware is being called by the various vendors-- that might help track down what the payload is and does, and also give you some idea as to which vendors you ought to contact and submit your software to as a false-positive.
>
> Yes I know. Virus Total is what told me that ClamAV (and only ClamAV) is
> identifying my file as containing a trojan:
>
> https://www.virustotal.com/file/2a7b249b52e7c42c8ca56e97bc4165e0a5e68f8c43808efd8c322e274a34b211/analysis/

OK, that's good. It means you only need to follow up with one or maybe two places. :-)

>> Also, you can run sigtool from ClamAV to see what the hex string that is being matched is:
>>
>> % sigtool -fTrojan.Agent-281708
>> [daily.mdb] 133632:74da9128149f4e678783b4125095d396:Trojan.Agent-281708
>
> Thanks, good to know. Seems like that hex string is not distinctive enough!

Yes, that appears to be true.

> I already reported the file as a false positive (using ClamTk).
> Are those reports generally responded to quickly?

Mostly? (That's a subjective question and someone who has software being affected is quite reasonably eager to see things fixed more rapidly than someone not affected by the issue.)

> Is there any way I can help to speed along the process?

In the short term, probably no. In the longer term, supporting the ClamAV project would help them have more resources available to process FPs.

> And is there no place where I can find more information about the trojan
> ClamAV thinks it is detecting? Surely there is more information than a
> hex string, somewhere?

Yes. I'd imagine that either VirusTotal or ClamAV's malware database maintainers have a copy of the malware and could provide more info about it....

Regards,
--
-Chuck

Re: Virus information database?
Could you also send the sample to http://anubis.iseclab.org/

- Henri Salo
Re: Virus information database?
On 05/07/2012 09:44 PM, Al Varnell wrote:
> On 5/7/12 10:49 AM, "Pepijn Schmitz" <clamav@pepsoft.org> wrote:
>
>> Hi Chuck,
>>
>> On 07-05-12 19:17, Chuck Swiger wrote:
>>> VirusTotal is a site at https://www.virustotal.com/ which lets one upload
>>> files and scan them against all of the major malware engines. This will show
>>> you all of the false-positive matches and let you see what the malware is
>>> being called by the various vendors-- that might help track down what the
>>> payload is and does, and also give you some idea as to which vendors you
>>> ought to contact and submit your software to as a false-positive.
>>
>> Yes I know. Virus Total is what told me that ClamAV (and only ClamAV) is
>> identifying my file as containing a trojan:
>>
>> https://www.virustotal.com/file/2a7b249b52e7c42c8ca56e97bc4165e0a5e68f8c43808efd8c322e274a34b211/analysis/
>>
>>> Also, you can run sigtool from ClamAV to see what the hex string that is
>>> being matched is:
>>>
>>> % sigtool -fTrojan.Agent-281708
>>> [daily.mdb] 133632:74da9128149f4e678783b4125095d396:Trojan.Agent-281708
>>
>> Thanks, good to know. Seems like that hex string is not distinctive
>> enough! I already reported the file as a false positive (using ClamTk).
>> Are those reports generally responded to quickly? Is there any way I can
>> help to speed along the process?
>>
> The hex string being matched is the MD5 of the file, but it doesn't match
> the one listed in VirusTotal so I'm confused here.

It's the MD5 of a section of your executable file [*]. VirusTotal doesn't print those.

[*] A typical executable has several sections used to store code, data, resources, and so on.

Best regards,
--Edwin
Re: Virus information database?
Hi Henri,

On 07-05-12 21:29, Henri Salo wrote:
> Could you also send the sample to http://anubis.iseclab.org/
I did as requested. You can view the result at:

http://anubis.iseclab.org/?action=result&task_id=17b7c7df4a9514704d1d5ef54cabada48

Interesting results, that seem consistent with being an installer for a
Java program to me. I think the "high" risk for writing to foreign
memory areas is a bit alarmist, if it's memory of a process that it
started itself. I don't know why it says it crashed. The installer needs
user input, which I'm guessing the analyser does not emulate. Or perhaps
the version of Java is too old, 1.6.0 is pretty ancient.

It's also a bit odd that it seems to have renamed the file to
"worldpaint.exe", which is too long for DOS 8.3 format, but shorter than
its original name of worldpainter_0.8.6.exe. But I don't think that
should have caused any problems.

Interesting tool!

Kind regards,
Pepijn Schmitz

Re: Virus information database?
Hi Török,

On 07-05-12 21:46, Török Edwin wrote:
> On 05/07/2012 09:44 PM, Al Varnell wrote:
>> The hex string being matched is the MD5 of the file, but it doesn't match
>> the one listed in VirusTotal so I'm confused here.
> It's the MD5 of a section of your executable file [*]. VirusTotal doesn't print those.
Actually, Virus Total /does/ print the MD5s of the PE sections, and Al
is right, the hex string sigtool says is the signature for
Trojan.Agent-281708 is not among them! So something strange is
definitely going on.

Another strange thing I didn't mention yet is that I first tried to
submit the false positive through the web interface, but it wouldn't
allow me to, because it said ClamAV did not detect any threats in the
file! But my local copy of ClamAV definitely says that it contains
"Trojan.Agent-281708", and so does the copy of ClamAV that Virus Total
uses, apparently.

So weird things are definitely going on. I hope it can be resolved quickly.

If anyone is interested in the file in question, you can download it
from http://www.pepsoft.org/worldpainter/updates/worldpainter_0.8.6.exe

Kind regards,
Pepijn Schmitz
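To make concrete what Edwin and Pepijn are discussing above (an .mdb signature is the MD5 of one PE section's raw bytes, so the way to check your own binary is to hash every section and compare), here is a small Python script added by the editor; it is not code from the thread, from ClamAV, or from VirusTotal. It assumes, per ClamAV's documented .mdb format, that the hash covers SizeOfRawData bytes starting at PointerToRawData; the two-section toy PE it builds and the Test.ConstructedSectionSig entry are constructed for the demo, and the real thread signature is included to show it does not match that sample.

```python
"""Which PE section does a ClamAV .mdb (section-MD5) signature hit?

An .mdb line reads PESectionSize:PESectionMD5:MalwareName, like the one
sigtool printed in this thread. Assumption (per ClamAV's .mdb docs): the
MD5 covers a section's raw on-disk bytes, SizeOfRawData bytes starting at
PointerToRawData. The section table is parsed by hand (stdlib only).
"""
import hashlib
import struct

# Signature from the thread; it will not match the constructed sample below.
THREAD_SIG = "133632:74da9128149f4e678783b4125095d396:Trojan.Agent-281708"


def parse_mdb(text):
    """Map (section_size, md5_hex) -> malware name for every .mdb line."""
    sigs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            size, md5, name = line.split(":", 2)
            sigs[(int(size), md5.lower())] = name
    return sigs


def pe_sections(data):
    """Yield (name, SizeOfRawData, PointerToRawData) per section entry."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # 20-byte COFF file header
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                 # section table follows it
    for i in range(nsections):
        entry = table + 40 * i                   # one IMAGE_SECTION_HEADER
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        yield name, raw_size, raw_ptr


def section_hashes(data):
    """[(name, size, md5hex)] for each section, in .mdb terms."""
    return [(n, s, hashlib.md5(data[p:p + s]).hexdigest())
            for n, s, p in pe_sections(data)]


def match_mdb(data, sigs):
    """[(section_name, malware_name)] for sections hitting an .mdb entry."""
    return [(n, sigs[(s, h)]) for n, s, h in section_hashes(data)
            if (s, h) in sigs]


def build_toy_pe(sections):
    """Constructed sample: minimal, non-runnable PE from [(name, raw_bytes)].
    SizeOfOptionalHeader is 0, so the section table follows the COFF header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew at 0x3C
    hdr = bytearray(dos + b"PE\0\0")
    hdr += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    table_end = len(hdr) + 40 * len(sections)
    body = bytearray()
    for name, raw in sections:
        ptr = table_end + len(body)
        hdr += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), 0,
                           len(raw), ptr, 0, 0, 0, 0, 0)
        body += raw
    return bytes(hdr + body)


def demo():
    """Scan a constructed two-section PE against the thread's signature and a
    constructed .mdb entry built from its .text section."""
    text = b"\x55\x8b\xec" * 64                  # 192 bytes of .text
    pe = build_toy_pe([(".text", text), (".rdata", b"constructed strings\0")])
    local_sig = "%d:%s:Test.ConstructedSectionSig" % (
        len(text), hashlib.md5(text).hexdigest())
    return match_mdb(pe, parse_mdb(THREAD_SIG + "\n" + local_sig))
```

Point `section_hashes` at a real installer and compare its output with the `size:md5` pair from `sigtool -f` to see which section, if any, the signature is anchored on.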
Re: Virus information database?
Hi Al,

On 07-05-12 20:44, Al Varnell wrote:
>> And is there no place where I can find more information about the trojan
>> ClamAV thinks it is detecting? Surely there is more information than a
>> hex string, somewhere?
> The only one that might know something about it is the member of the
> signature team that published it (Alain Zidouemba) who probably isn't going
> to remember what he did back on 19 April unless he took good notes:
I must say the lack of transparency is bothering me a little. I'm used
to antivirus programs giving me access to a detailed database with
information about the threats they claim to detect, so I can make my own
determination of how likely something is to be an actual threat and what
it does and how dangerous it is, or whether it is just a theoretical
threat, or a likely false positive.
>> Submission-ID: 42631477
>> Sender: Virus Total
>> Sender: Anonymous
>> Added: Trojan.Agent-281708
> This says it originated at VirusTotal.
It's also strange that Virus Total is saying that ClamAV (and only
ClamAV) is claiming the file contains a trojan, and ClamAV says that
Virus Total is the source for that information. This seems like a
circular chain of evidence to me, which could prove anything, and
therefore nothing.

And when I search for these names and strings, all I find are Virus
Total reports, and lists of threats claimed to be detected by various
products, but no actual information about the alleged trojans themselves
(except that they're "highly dangerous"). It's all very mysterious, and
it doesn't inspire confidence in me in the accuracy of these detections,
I'm sorry to say, especially given my own current experience.
> When I do a Google search for
> "74da9128149f4e678783b4125095d396 +site:virustotal.com"
> I get 6 hits, several of which show a VBA32 detection of
> TrojanBanker.Qhost.aaji
So I see. Thanks for the tip. In most of them the only other detection
is once again by ClamAV though. It seems likely to me that those are all
false positives too. They all seem to be installers or uninstallers,
perhaps something about that is triggering ClamAV and VBA32. When I
search for this "TrojanBanker.Qhost.aaji" trojan, once again I can find
no concrete information about it whatsoever, so unfortunately it doesn't
really help in identifying what it is that ClamAV thinks my program is
infected with...

Kind regards,
Pepijn Schmitz
Re: Virus information database?
On May 7, 2012, at 8:35 PM, Pepijn Schmitz wrote:

> Hi Al,
>
> On 07-05-12 20:44, Al Varnell wrote:
>>> And is there no place where I can find more information about the trojan
>>> ClamAV thinks it is detecting? Surely there is more information than a
>>> hex string, somewhere?
>> The only one that might know something about it is the member of the
>> signature team that published it (Alain Zidouemba) who probably isn't going
>> to remember what he did back on 19 April unless he took good notes:
> I must say the lack of transparency is bothering me a little. I'm used
> to antivirus programs giving me access to a detailed database with
> information about the threats they claim to detect, so I can make my own
> determination of how likely something is to be an actual threat and what
> it does and how dangerous it is, or whether it is just a theoretical
> threat, or a likely false positive.
>>> Submission-ID: 42631477
>>> Sender: Virus Total
>>> Sender: Anonymous
>>> Added: Trojan.Agent-281708
>> This says it originated at VirusTotal.
> It's also strange that Virus Total is saying that ClamAV (and only
> ClamAV) is claiming the file contains a trojan, and ClamAV says that
> Virus Total is the source for that information. This seems like a
> circular chain of evidence to me, which could prove anything, and
> therefore nothing.
>
> And when I search for these names and strings, all I find are Virus
> Total reports, and lists of threats claimed to be detected by various
> products, but no actual information about the alleged trojans themselves
> (except that they're "highly dangerous"). It's all very mysterious, and
> it doesn't inspire confidence in me in the accuracy of these detections,
> I'm sorry to say, especially given my own current experience.
>> When I do a Google search for
>> "74da9128149f4e678783b4125095d396 +site:virustotal.com"
>> I get 6 hits, several of which show a VBA32 detection of
>> TrojanBanker.Qhost.aaji
> So I see. Thanks for the tip. In most of them the only other detection
> is once again by ClamAV though. It seems likely to me that those are all
> false positives too. They all seem to be installers or uninstallers,
> perhaps something about that is triggering ClamAV and VBA32. When I
> search for this "TrojanBanker.Qhost.aaji" trojan, once again I can find
> no concrete information about it whatsoever, so unfortunately it doesn't
> really help in identifying what it is that ClamAV thinks my program is
> infected with...

Pepijn

Not sure what your issue is. First, virus names are not uniform. You should not expect them to be. As for your assertion that other AVs provide detailed info as to why they detected, I would say to you that you are being naive.

As for your statement about circular reference. VT supplies every sample submitted to all AV vendors. Each vendor determines if they even wish to process a submittal. In this case ClamAV did and, per Edwin's earlier response, an MD5 signature was generated around a piece of the executable sample. So if you are concerned about your app which you seem to be, you can 1) use sigtool to examine your app to see where you might further want to analyze to change, 2) submit an FP report to ClamAV, or 3) since the sig is an md5 recompile your app with some slight changes such as adding extra constants to change the md5 and you should be fine.

Tom

Re: Virus information database?
Hi Tom,

On 08-05-12 02:52, TR Shaw wrote:
> Pepijn
>
> Not sure what your issue is. First, virus names are not uniform. You should not expect them to be.
I /don't/ expect them to be. But I expect to be able to find some other
information about them than a cryptic name and an MD5 hash /somewhere/.
> As for your assertion that other AVs provide detailed info as to why they detected, I would say to you that you are being naive.
I am asserting that in fact virus scanners I have used when I still used
Windows provided databases with detailed information about the threats
they detected and how they detected them (heuristics, etc.), either as
part of the program, or online. Are you calling me a liar?
> As for your statement about circular reference. VT supplies every sample submitted to all AV vendors. Each vendor determines if they even wish to process a submittal. In this case ClamAV did and, per Edwin's earlier response, an MD5 signature was generated around a piece of the executable sample. So if you are concerned about your app which you seem to be, you can 1) use sigtool to examine your app to see where you might further want to analyze to change,
I think me changing a perfectly valid and legitimate file just to avoid
a false positive from one virus scanner would be rather putting the cart
before the horse. Especially if I have no idea if the situation will
repeat itself later. For all I know it was *my* file that this signature
was based on to begin with!

In addition, the executable is generated by an installer generator, so I
have very little control over the details.
> 2) submit a fp report to ClamAV, or
I have, and I'm entirely confident that the situation will be resolved.
I'm just trying to find out some more information about what exactly the
supposed threat is that ClamAV thinks my program contains. That's not
unreasonable, is it?
> 3) since the sig is an md5 recompile your app with some slight changes such as adding extra constants to change the md5 and you should be fine.
I'm not sure if that would work. I already tried scanning an installer
for an earlier version of the program, and it generated the same false
positive. It would have been sufficiently different in every part I have
control over to generate different MD5 hashes, but apparently that does
not include the one that is confusing ClamAV.

Kind regards,
Pepijn Schmitz
Re: Virus information database?
On 5/7/12 5:35 PM, "Pepijn Schmitz" <clamav@pepsoft.org> wrote:

> On 07-05-12 20:44, Al Varnell wrote:
>>> And is there no place where I can find more information about the trojan
>>> ClamAV thinks it is detecting? Surely there is more information than a
>>> hex string, somewhere?
>> The only one that might know something about it is the member of the
>> signature team that published it (Alain Zidouemba) who probably isn't going
>> to remember what he did back on 19 April unless he took good notes:
> I must say the lack of transparency is bothering me a little. I'm used
> to antivirus programs giving me access to a detailed database with
> information about the threats they claim to detect, so I can make my own
> determination of how likely something is to be an actual threat and what
> it does and how dangerous it is, or whether it is just a theoretical
> threat, or a likely false positive.
>
I assume you are trying to compare a developer made up of volunteers who
give their product away and rely on users like you and me for all their
samples with commercial developers who can afford to man a 24/7 watch center
and laboratory to collect and analyze malware because they make a ton of
money selling their software. That strikes me as being a bit unfair.

I suspect if you can assemble a team of volunteers to prepare such detailed
analysis and offered to provide that information to clamav, they would
welcome you with open arms.


-Al-

--
Al Varnell
Mountain View, CA


