Hello trid users,
Some days ago i run out of disk space on a system. So i looked for some
large unneeded files. Some have the extension INFECTED or 3 digits like
(clam.exe.infected eicarcom2.zip.infected eicar.txt.infected.000). These
samples are normally found inside C:\ProgramData\.clamwin\quarantine
directory. These are "generated" by ClamWin Antivirus. Under menu
preferences and general you can select how to handle infected files.
Instead of option report or remove you can select "move to quarantine
folder". By default that folder is C:\ProgramData\.clamwin\quarantine but
you can select another location. So when ClamWin is running and find a
suspicious file it moves this to the quarantine folder. Then it typically
renames the suspicious file by appending additional suffix infected. If such
a file already exist it appends a 3-digit extension like 000 and so on.
Because these suspicious files are still executable or zip archives, these
infected samples are still identified by standard definitions.
But for every infected sample a text file is generated by appending txt to
file name. In this text file stand the original full file name and the
current used name. This looks like:
\\?\c:\Users\user1\Downloads\eicar_com.zip
\\?\C:\ProgramData\.clamwin\quarantine\eicar_com.zip.infected
These text files are used by the ClamWin program QRecover.exe to undo the
quarantine action.
So i run trid utility on such TXT examples. All are described as "Unknown!"
(See appended output/trid-v-old.txt).
For comparison reason i also run file command (newest version 5.44) on such
samples. Here these are described as "ASCII text" with sub classification as
", with no line terminators" (See appended output/file-5.44.txt) but with
generic mime type text/plain (See appended output/file-i-5.44.txt) and wrong
extension ??? (See appended output/file-ext-5.44.txt).
For comparison reason i also run the file format identification utility
DROID ( See
https://sourceforge.net/projects/droid/). Here all samples are
described as "Plain Text File" with mime type text/plain by PUID fmt/899
because of file name extension TXT.
Unfortunately i found no page about the used text file format and especially
from ClamWin. Luckily a little bit of information is found on forum page
with question How Do I Remove Viruses, etc. that are Quarantined? This is
expressed by line like:
<RefURL>
http://forums.clamwin.com/viewtopic.php?t=4648</RefURL>
Apparently the TXT examples are just used simple text files. So i can use
the generic mime type text/plain. But instead i use a more specific user
defined one. So this is now expressed by line like:
<Mime>text/x-clamwin-txt</Mime>
So i run tridscan on such TXT samples to generate txt-clamwin.trid.xml.
Because the text start with DOS drive in physical name convention, this is
expressed inside front block by XML constructs like:
<Pattern>
<Bytes>5C5C3F5C</Bytes>
<ASCII> \ \ ? \</ASCII>
<Pos>0</Pos>
</Pattern>
<Pattern>
<Bytes>3A5C</Bytes>
<ASCII> : \</ASCII>
<Pos>5</Pos>
</Pattern>
Because the default quarantine folder is C:\ProgramData\.clamwin\quarantine
so this was expressed inside global strings section by lines like:
<String>PROGRAMDATA</String>
<String>QUARANTINE</String>
<String>.INFECTED</String>
<String>.CLAMWIN</String>
With other quarantine folder these lines vanish. Only survived the extension
of suspicious samples. This is expressed by line like:
<String>.INFECTED</String>
With the new trid definition now my ClamWin TXT examples are more described
(see appended output/trid-v-news.txt). TrID definitions and output are
stored in archive txt_clamwin.zip. I hope that my definition can be used in
future version of triddefs .
With best wishes
Jörg Jenderek
