[clamav-users] Probably false-positive Exploit.MS04_028-4 re…

Top Page
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: Henri Salo
To: clamav-users
Subject: [clamav-users] Probably false-positive Exploit.MS04_028-4 reported
I just reported sample as false-positive, which is detected as Exploit.MS04_028-4. This picture is generated by web-camera with SHA1 d7ad16339fbf5d2b193bb4df7299c6f3da20c0b8 and I do have another file, which were detected with same malware name at 2012-01-25 with SHA1 cb446b3002f39b250abb5a3eaec8e59e46b4b9e2, but it is not detected anymore by ClamAV. This web-camera is used in Tampere Finland to record city and our shell-user is using crontab to create a videos like this: http://vimeo.com/35187490

Please notify me as soon as possible if you think this is malicious file and I can try to contact web-camera owner and/or vendor. Related to this: http://technet.microsoft.com/en-us/security/bulletin/ms04-028

If you know similar cases, have/need more information about this or want the samples please contact me. I am happy to help!

Using ClamAV 0.97.3/14426/Fri Feb 10 07:15:20 2012 with signatures:
ClamAV update process started at Fri Feb 10 12:57:10 2012
main.cld is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
daily.cld is up to date (version: 14426, sigs: 91708, f-level: 63, builder: guitar)
bytecode.cld is up to date (version: 167, sigs: 40, f-level: 63, builder: edwin)

- Henri Salo
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net