Bug 11582 - [clamav-users] fake mp3, real malware.
Status: NEW
Product: ClamAV
Classification: ClamAV
Component: libclamav
ALL
x86_64 GNU/Linux
: P3 normal
: 0.99.4
Assigned To: ClamAV team
Reported: 2016-06-06 12:01 EDT by Steven Morgan
Modified: 2016-08-22 04:28 EDT

Description Steven Morgan 2016-06-06 12:01:02 EDT
From clamav-users:

Hello Clamav,

A new malware is an ASCII text beginning with "ID3 = ".
ClamAV sees it as an MP3 file:

clamscan --debug SecuriteInfo.com.JS.Downloader.Agent.15736.18211.371
(...)
LibClamAV debug: Recognized MP3 file
(...)

clamscan -V
ClamAV 0.99.2/21668/Sat Jun  4 11:35:05 2016

The problem is this ascii malware cannot be normalised, but it should be.

The sample has been sent to http://www.clamav.net/reports/malware

The md5sum of the malware sent is: 023bff926f5852ba0e58a72c10e77f2a

--
Best regards,

Arnaud Jacques
SecuriteInfo.com

Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom
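
Added example (not ClamAV code and not part of the original report): a comparison of a three-byte "ID3" signature match with a structural check of the 10-byte ID3v2 header, showing why text beginning with "ID3 = " passes the first and fails the second. The function names are hypothetical and both sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: plain text that merely starts with "ID3 = ". */
static const uint8_t SAMPLE_TEXT[] = "ID3 = 'constructed placeholder text';";
/* Constructed sample: ID3v2.3 header, no flags, synchsafe size 0x00000201. */
static const uint8_t SAMPLE_TAG[] = {'I', 'D', '3', 0x03, 0x00, 0x00,
                                     0x00, 0x00, 0x02, 0x01};

/* Signature-only check: the first three bytes are "ID3". */
static int has_id3_magic(const uint8_t *buf, size_t len)
{
    return len >= 3 && memcmp(buf, "ID3", 3) == 0;
}

/* Structural check of the ID3v2 header layout:
 * "ID3", major version, revision, flags, four synchsafe size bytes.
 * Returns 1 only if every field is plausible for ID3v2.2 to v2.4. */
static int is_plausible_id3v2(const uint8_t *buf, size_t len)
{
    if (len < 10 || !has_id3_magic(buf, len))
        return 0;
    uint8_t major = buf[3], rev = buf[4], flags = buf[5];
    if (major < 2 || major > 4 || rev == 0xFF)
        return 0;               /* "ID3 " gives major 0x20: rejected here */
    /* Undefined flag bits must be zero (v2.2: 2 flags, v2.3: 3, v2.4: 4). */
    uint8_t undefined = (major == 2) ? 0x3F : (major == 3) ? 0x1F : 0x0F;
    if (flags & undefined)
        return 0;
    for (int i = 6; i < 10; i++)    /* synchsafe bytes keep the top bit clear */
        if (buf[i] & 0x80)
            return 0;
    return 1;
}

int main(void)
{
    size_t text_len = sizeof SAMPLE_TEXT - 1;   /* drop the trailing NUL */
    printf("text: magic=%d structural=%d\n",
           has_id3_magic(SAMPLE_TEXT, text_len),
           is_plausible_id3v2(SAMPLE_TEXT, text_len));
    printf("tag:  magic=%d structural=%d\n",
           has_id3_magic(SAMPLE_TAG, sizeof SAMPLE_TAG),
           is_plausible_id3v2(SAMPLE_TAG, sizeof SAMPLE_TAG));
    return 0;
}
```

A buffer that fails the structural check can then be routed to the text path so it is normalised before signature matching.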
Comment 1 Steven Morgan 2016-06-06 12:20:32 EDT
To be done in conjunction with bug 11156.