Instructions for identifying infected emails

Discussions relating to ClamXav

Moderator: Mark

Instructions for identifying infected emails

Postby Mark » Wed 13 Jul 2005 1:13 am

Here's a method for weeding out virus-infected emails from your mailbox. I'll take you through an example of searching for the phishing email HTML.Phishing.Bank-246.

Copy and paste that name into http://clamav-du.securesites.net/cgi-bin/clamgrok?display=virus&display=signature and hit submit.

This gives you a list of matching viruses/threats. In this case, there is only one result:
HTML.Phishing.Bank-246 3:*:6c696e6b2062656c6f7720616e64207375626d69742061732077652061726520747279696e6720746f2076657269667920796f7572206163636f756e7420696e666f726d6174696f6e2e2028696e206361736520796f7520617265206e6f7420656e726f6c6c6564

The section above which we're interested in is in bold. This is known as the virus signature and is encoded as a hexadecimal string.

First we need to translate it to ASCII (actual words) using the following website: http://www.dolcevie.com/js/converter.html .

Paste the long hexadecimal text into the top (Hex) box and click the "Hex to ASCII" button. What appears in the bottom (ASCII) box is the text that you need to search for in your email client, in this case
Code:
link below and submit as we are trying to verify your account information. (in case you are not enrolled
Mark
Site Admin
 
Posts: 1460
Joined: Sat 28 May 2005 9:46 pm
Location: Edinburgh, Scotland

Postby jow » Wed 13 Jul 2005 1:10 pm

Thanks Mark, an invaluable piece of information, works a treat.
jow
 
Posts: 120
Joined: Sat 28 May 2005 9:46 pm

What is happening ?

Postby Cary » Sat 23 Jul 2005 2:29 pm

Greetings!

Mark, I did as you suggested to no avail. Take a look,
+++++++++++++++++++
ClamAV Virus Database Search

Search for: begins withcontainsexactregex
Case-sensitive search: YesNo
Search database(s): DailyMain
Display results: DatabaseFileVirus NameSignature
Search results:
0 hits for 'HTML.Phishing.Bank-246 '
++++++++++++++++++++

There were zero hits. What am I doing wrong ?

Appreciate,
Cary
Appreciative,
Cary
http://ADAtech.org
Cary
 
Posts: 5
Joined: Sat 23 Jul 2005 1:48 pm
Location: Lowell, MA. USA

Postby jow » Sat 23 Jul 2005 7:14 pm

Yes, you are right, it now shows no hits for HTML.Phishing.Bank-246
It most definitely worked when I tried it, the day after Mark made the posting on 13 July.
It was quite easy and simple to do, so why it doesn't work now I don't know.
I suggest we wait for Mark to sort it out, I have a feeling he is on holiday at the moment.
:cry: :cry: :cry:
jow
 
Posts: 120
Joined: Sat 28 May 2005 9:46 pm

I will wait for Mark.

Postby Cary » Sun 24 Jul 2005 5:41 pm

Jow -

Thanks for your reply, I shall wait for Mark to address this problem.
Appreciative,
Cary
http://ADAtech.org
Cary
 
Posts: 5
Joined: Sat 23 Jul 2005 1:48 pm
Location: Lowell, MA. USA

Postby Mark » Wed 27 Jul 2005 7:10 pm

Indeed I was on holiday but it was only a short one and I'm back now.

I think I may have missed the storm on this one though, the database seems to be returning the correct thing again. Is it still not working for anyone else?
Mark
Site Admin
 
Posts: 1460
Joined: Sat 28 May 2005 9:46 pm
Location: Edinburgh, Scotland

Postby jow » Wed 27 Jul 2005 7:20 pm

You certainly did miss the storm Mark, I've been trying this one every day with no luck, then after seeing your reply, tried it again today and it's working again.
Very very weird. Oh well, such is life!
jow
 
Posts: 120
Joined: Sat 28 May 2005 9:46 pm

Urgently: When will this method described here work again ??

Postby ivanua » Sun 07 Aug 2005 10:56 am

Hello,

I urgently need to identify one of my emails, but what is described here doesn't work till now. I always get the answer "0 found"!

Please (developer of ClamXav!!!), can you integrate this way of identifying one of many emails into the software!

You can not delete all of your emails because you are not able to exclude and delete the one which is infected !

Many Thanks

Ivanua
ivanua
 
Posts: 1
Joined: Sun 07 Aug 2005 10:50 am

Postby jow » Sun 07 Aug 2005 11:42 am

Hi
Yes, you're right it's not working again.
This method seems to be very erratic, I tried it 1 hour ago and it found 1 hit, no problem, but now it's not working again, it keeps saying 0 hits, tried it about 6 times.
I think there is something wrong with the clamAV virus database search.
All I can suggest is keep trying it every so often and hope it starts working again.
jow
 
Posts: 120
Joined: Sat 28 May 2005 9:46 pm

Postby jow » Tue 09 Aug 2005 1:36 pm

Now working again!!!!!!! on Tuesday 9th August at 14.30
jow
 
Posts: 120
Joined: Sat 28 May 2005 9:46 pm

Postby jow » Mon 22 Aug 2005 11:06 pm

Guess what, now not working again.
The ClamAV Virus Database Search page seems to be a bit of a hit and miss I'm afraid. It's a case of now you see it, now you don't. :?
jow
 
Posts: 120
Joined: Sat 28 May 2005 9:46 pm

Postby jow » Tue 23 Aug 2005 8:39 am

Working again !!!!!!!!!!!
This is definitely the last reply on this subject.
jow
 
Posts: 120
Joined: Sat 28 May 2005 9:46 pm

What about worms and trojans?

Postby earleyedition » Mon 08 May 2006 5:57 am

Your instructions for HTML.Phishing are great, but what about worms and trojans?

For example, when submitting Worm.Mytob.S to the virus database search, it doesn't return
3:*:6c696e6 etc etc
where 6c696e6 etc etc can then be entered into the Hex/Ascii converter.

To be specific, Worm.Mytob.S returns
Worm.Mytob.S (Clam) 72190245f3706470aba2cfa16bbca9bb4647029a etc etc

Which, when put through the Hex/Ascii converter, returns
r??E?pdp????k???FG????MX?/??{<Pj??????~y???]????t6??WEsO??O^Et_??bXp??????9C???cO:?_?Dd{?B\h???WK????j!???`?C+??Kx???????Aim???|?P??0?????Ps!/w?st?S?[?

Trying to search on various parts of this string returns nothing, so what am I doing wrong, or what do I need to know?
earleyedition
 
Posts: 3
Joined: Tue 25 Apr 2006 3:35 pm
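A worked version of Mark's method, added here as an example and not code from the thread or from ClamXav: it parses a ClamAV body signature in the layout Mark quotes (name:target:offset:hex), splits the hex at the wildcards ClamAV allows in such signatures, decodes the longest literal run, and returns nothing when the decoded bytes are not readable text, which is what earleyedition sees with Worm.Mytob.S and why such a signature cannot be found by searching a mailbox for a phrase. The hash-style line, its digest and the sample mailbox are constructed for the example.

```python
import re
import string

# Signature quoted in Mark's post, in ClamAV .ndb layout
# (MalwareName:TargetType:Offset:HexSignature); the hex is the one from the thread.
PHISHING_SIG = (
    "HTML.Phishing.Bank-246:3:*:"
    "6c696e6b2062656c6f7720616e64207375626d6974206173207765206172652074727969"
    "6e6720746f2076657269667920796f7572206163636f756e7420696e666f726d6174696f"
    "6e2e2028696e206361736520796f7520617265206e6f7420656e726f6c6c6564"
)
# Constructed hash-style entry (ClamAV .hdb layout is MD5:FileSize:MalwareName);
# the digest and name are made up for this example, not a real signature.
HASH_SIG = "00112233445566778899aabbccddeeff:4096:Worm.Example-Constructed"

# ClamAV body-signature wildcards: '*', '{n-m}', '??' and '(aa|bb)' alternatives.
WILDCARDS = re.compile(r"\*|\{[^}]*\}|\?\?|\([^)]*\)")


def literal_chunks(hexsig):
    """Split a body signature at wildcards and keep only the literal hex runs."""
    return [c for c in WILDCARDS.split(hexsig) if c]


def is_printable(data, threshold=0.95):
    """True when nearly every decoded byte is printable ASCII, i.e. searchable text."""
    printable = sum(chr(b) in string.printable for b in data)
    return bool(data) and printable / len(data) >= threshold


def search_string_for(sigline):
    """Return (name, text) you can paste into a mail client's search box,
    or (name, None) when the signature is a file hash or a binary pattern."""
    fields = sigline.split(":")
    if re.fullmatch(r"[0-9a-f]{32}", fields[0]):        # .hdb line: MD5:size:name
        return fields[2], None                            # a digest never decodes to words
    name, _target, _offset, hexsig = sigline.split(":", 3)  # .ndb body signature
    for chunk in sorted(literal_chunks(hexsig), key=len, reverse=True):
        data = bytes.fromhex(chunk)                       # longest literal run first
        if is_printable(data):
            return name, data.decode("ascii")
    return name, None                                     # binary pattern: not searchable


def find_messages(text, mailbox):
    """Index of every message body in a (constructed) mailbox containing text."""
    return [i for i, body in enumerate(mailbox) if text in body]


if __name__ == "__main__":
    mailbox = ["Hi, lunch tomorrow?",                    # constructed sample mailbox
               "Please click the link below and submit as we are trying to verify "
               "your account information. (in case you are not enrolled yet)"]
    for line in (PHISHING_SIG, HASH_SIG):
        name, text = search_string_for(line)
        print(name, "->", repr(text), find_messages(text, mailbox) if text else "not text")
```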

Postby Greenman » Wed 10 May 2006 4:04 pm

Thanks mark, got your example to work first time which is a miracle for me.

Knowing nothing about this sort of thing and looking at an open mail page, how can you tell what to test and what should be tested? See what I mean about not knowing anything, so if you have time a tutorial/example for idiots (like me) would be great.
(\../)
(^.^)
(>0<) Help him achieve world domination
(_)(_)
Greenman
 
Posts: 1
Joined: Wed 10 May 2006 3:15 pm

What about worms and trojans?

Postby Geroell » Thu 11 May 2006 7:07 pm

I followed your tips. I deleted three emails. I started virus checking again and the worm alert remains the same.

How can I find the infected emails?
Geroell
 
Posts: 5
Joined: Thu 11 May 2006 6:59 pm
Location: NRW, Germany
