Question about signature database details

pykko · Nov 11, 2005

I've seen that since version 1.1280 on Virus signatures database page after some viruses there is a number...

e.g. :Win32/Spy.Banbra.DT (2), Win32/Spy.Bancos.U (2), Win32/Spy.Banker (3), Win32/Spy.Banker.ACT (2),....

What are these numbers:2,3 in brackets represent ?

Thx!

webyourbusiness · Nov 11, 2005

I asked the same question 2 days ago - Marcos' response is here:

https://www.wilderssecurity.com/showthread.php?t=105690

pykko · Nov 11, 2005

thx, webyourbusiness. I haven't noticed your thread.

Happy Bytes · Nov 11, 2005

you said there in this thread:

Oh so you won't be using {} anymore?
So Barisada.{D,I,S} would be Barisada (3)?
Click to expand...

These are actual different things.
A Worm, Trojan or whatever can have multiply parts.
So you have to add for each part a signature.

Example: BagleDownloader. Executable ( the dropper ) is one part and Downloader (the DLL file) is another part. So 2 Signatures needed to detect one threat.

D, I, S are version numbers. This can include also subsignatures for each version of different version parts

Brian N · Nov 11, 2005

Ahaa, good to know. Thanks

Blackspear · Nov 11, 2005

Thank HB, appreciated.

Cheers

pykko · Nov 12, 2005

nice, HB! That made me understood the whole thing.

Log in or Sign up

Question about signature database details

pykko Registered Member

webyourbusiness Registered Member

pykko Registered Member

Happy Bytes Guest

Brian N Registered Member

Blackspear Global Moderator

pykko Registered Member

Log in or Sign up

Question about signature database details

pykko Registered Member

webyourbusiness Registered Member

pykko Registered Member

Happy Bytes Guest

Brian N Registered Member

Blackspear Global Moderator

pykko Registered Member

Useful Searches