[clamav-users] Malware alert???
Jean-Francois Tasse
2018-10-13 15:10:56 UTC
Today during ClamWin update:

main.cvd version 58
daily.cvd version 25033
bytecode version 327

Windows Defender stopped the update process saying that "TrojanDownloader:JS/Nemucod" was present. Scanned all of my system, nothing found, and tried updating ClamWin again and everything was ok.

Anyone else got a weird message like that today?


JF
Matthes, Marc
2018-10-13 15:12:25 UTC
Same here

Marc Matthes
Director of Computer Networking Programs
Iowa Central CC
5155741099

Alain Zidouemba
2018-10-13 15:59:57 UTC
Do you have the specific signature name that alerted?

-Alain

_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Jean-Francois Tasse
2018-10-13 16:40:49 UTC
No, when I wanted to get it out of quarantine I was unable to get it because it came from a tmp folder during the update. I have attached a screenshot to this email; that is the best I can do. To translate it, it's saying that it is a trojan that is downloading other programs.

I have 3 virtual machines with Avast, AVG and Avira; I will see if I can reproduce it with the other antivirus. Up to now AVG did not see anything wrong.


JF

Al Varnell
2018-10-13 21:46:17 UTC
It's not unusual to see such things on machines running multiple A-V software packages. Vendors do their best to obfuscate and protect signatures for that reason, but it usually happens during updates when the signatures are unpacked to a tmp area as plain text before moving them to a protected area. If both are using the same strings as signatures, they will undoubtedly see such updates as matching.

-Al-
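
The collision described in the reply above, as an added toy model (not code from ClamAV, ClamWin or Windows Defender). The signature names, the marker string and the `Name=pattern` file layout are constructed for illustration, and zlib only stands in for whatever packing a vendor really uses.

```python
"""Toy model of two AV products colliding during a signature update."""
import tempfile
import zlib
from pathlib import Path

# Constructed, harmless string standing in for a pattern both vendors detect on.
SHARED = b"EXAMPLE-SHARED-DETECTION-STRING-0001"

# Scanner B (the resident, on-access product): name -> raw byte pattern.
SCANNER_B_SIGS = {"Toy.Downloader.Example": SHARED}

# Scanner A's update payload: its own signature list, as plain text.
SCANNER_A_UPDATE = b"Toy.A.Sig1=" + SHARED + b"\nToy.A.Sig2=ANOTHER-EXAMPLE-STRING\n"


def scan(path):
    """Scanner B: report every signature whose bytes occur in the file."""
    data = Path(path).read_bytes()
    return sorted(name for name, pat in SCANNER_B_SIGS.items() if pat in data)


def simulate_update(workdir):
    """Scanner A unpacks its update to a temp file, then installs it packed."""
    workdir = Path(workdir)
    tmp = workdir / "update.tmp"
    installed = workdir / "signatures.db"

    # Step 1: the update is unpacked as plain text; B's on-access scan sees it.
    tmp.write_bytes(SCANNER_A_UPDATE)
    during = scan(tmp)

    # Step 2: A moves the data into its protected store and removes the temp
    # file (assumption: the packed form no longer exposes the raw strings).
    installed.write_bytes(zlib.compress(SCANNER_A_UPDATE))
    tmp.unlink()

    # Step 3: a later full scan by B finds nothing left to match.
    after = [hit for f in workdir.iterdir() for hit in scan(f)]
    return {"during_update": during, "tmp_exists": tmp.exists(),
            "full_scan_after": after}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(simulate_update(d))
```

The three result fields line up with the thread: an alert on a temp file during the update, a file that is gone by the time anyone looks for it, and a clean full scan afterwards.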

Jean-Francois Tasse
2018-10-13 21:53:13 UTC
Thanks a lot for the info 😊


JF
