Sourcefire Vulnerability Research Team Labs

PE-Sig

A common characteristic of malware distributed as an executable is the use of a PE packer, such as UPX or Petite, to compress and obfuscate the malicious content. Once our analysts have determined that a file is malware and that it uses a PE packer ClamAV does not currently unpack, a common signature-writing technique is to write a signature over the packed data section of the PE file, since the unpacked content is never available to the scanner. Such a signature matches the packed bytes of that sample, so the bytes chosen must be distinctive rather than zero padding or generic stub boilerplate.

PE-Sig, a tool written in Ruby, uses the PE parsing and signature library from Metasploit 3 to automatically generate PE section signatures for known PE packers, in a form suitable for loading into ClamAV.
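
The following is an added example, not PE-Sig's own code and not taken from Metasploit: a self-contained Ruby section-table parser plus a ClamAV .ndb signature emitter, to show concretely what "a signature of the packed data section" means. The function names (parse_sections, section_signature, build_sample_pe), the 16-byte signature length, and the sample image are all assumptions of this example; the image is constructed in memory (not a real malware sample) with an empty UPX0 section and a UPX1 section holding filler "packed" bytes. The emitted line uses the .ndb format MalwareName:TargetType:Offset:HexSignature with target type 1 (PE) and an Sx+0 offset so ClamAV anchors the match at the start of section x instead of searching the whole file.

```ruby
# Added example (not PE-Sig's code): minimal PE section parsing and
# ClamAV .ndb section-signature generation, with no Metasploit dependency.

SECTION_HEADER_SIZE = 40

# Parse the PE section table held in the binary String `data`.
# Returns an Array of Hashes: name, vsize, vaddr, raw_size, raw_offset.
def parse_sections(data)
  raise "not an MZ image" unless data[0, 2] == "MZ"
  e_lfanew = data[0x3c, 4].unpack1("V")
  raise "not a PE image" unless data[e_lfanew, 4] == "PE\0\0"
  coff = e_lfanew + 4                         # IMAGE_FILE_HEADER
  num_sections = data[coff + 2, 2].unpack1("v")
  opt_size     = data[coff + 16, 2].unpack1("v")
  table = coff + 20 + opt_size                # section table follows optional header
  Array.new(num_sections) do |i|
    hdr = data[table + i * SECTION_HEADER_SIZE, SECTION_HEADER_SIZE]
    raise "truncated section table" if hdr.nil? || hdr.bytesize < SECTION_HEADER_SIZE
    name, vsize, vaddr, raw_size, raw_offset = hdr.unpack("Z8VVVV")
    { name: name, vsize: vsize, vaddr: vaddr, raw_size: raw_size, raw_offset: raw_offset }
  end
end

# Build a ClamAV .ndb line matching the first `length` raw bytes of section
# `index`: Name:1:S<index>+0:<hex>. Target type 1 is PE; the Sx+0 offset
# anchors the pattern at the start of section x.
def section_signature(data, index, length, sig_name)
  sec = parse_sections(data)[index]
  raise "no section #{index}" if sec.nil?
  raise "section #{index} has no raw data (virtual only)" if sec[:raw_size].zero?
  take = [length, sec[:raw_size]].min
  bytes = data[sec[:raw_offset], take]
  raise "section #{index} raw data lies outside the file" if bytes.nil? || bytes.bytesize < take
  raise "signature must cover at least 2 bytes" if bytes.bytesize < 2
  # A run of one repeated byte is padding, not packed content; refuse it
  # rather than ship a signature that matches far too much.
  raise "section #{index} starts with padding, pick another offset" if bytes.bytes.uniq.size == 1
  "#{sig_name}:1:S#{index}+0:#{bytes.unpack1('H*')}"
end

# Constructed sample image (assumption of this example, not a real sample):
# MZ stub, PE32 headers, an empty UPX0 section and a UPX1 section whose
# raw data sits at file offset 0x400. The stub-like bytes are filler.
def build_sample_pe
  stub = "\x60\xBE\x00\x90\x41\x00\x8D\xBE\x00\x80\xFE\xFF\x57\x83\xCD\xFF".b
  packed = stub + (0...(0x200 - stub.bytesize)).map { |i| (i * 37 + 11) & 0xff }.pack("C*")
  opt = [0x10b].pack("v") + "\0".b * (0xe0 - 2)          # PE32 optional header, mostly zero
  img = "".b
  img << "MZ" << "\0".b * 0x3a << [0x40].pack("V")       # e_lfanew = 0x40
  img << "PE\0\0" << [0x14c, 2, 0, 0, 0, opt.bytesize, 0x102].pack("vvVVVvv") << opt
  #        name    vsize    vaddr    rawsz            rawoff  reloc lines nrel nlin chars
  img << ["UPX0", 0x10000, 0x1000,  0,               0,      0, 0, 0, 0, 0xE0000080].pack("a8VVVVVVvvV")
  img << ["UPX1", 0x200,   0x11000, packed.bytesize, 0x400,  0, 0, 0, 0, 0xE0000040].pack("a8VVVVVVvvV")
  img << "\0".b * (0x400 - img.bytesize) << packed
  img
end

if __FILE__ == $PROGRAM_NAME
  pe = build_sample_pe
  parse_sections(pe).each_with_index do |s, i|
    printf("%d %-8s vaddr=0x%x raw_off=0x%x raw_size=0x%x\n", i, s[:name], s[:vaddr], s[:raw_offset], s[:raw_size])
  end
  puts section_signature(pe, 1, 16, "Test.Packed.UPX")
end
```

For a real sample, read the file with File.binread and pick the section index of the packed data; requesting section 0 of the constructed image raises because a UPX0-style section has no raw data on disk, which is the same check a practitioner wants before trusting a generated signature.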

Download PE-Sig here: http://labs.snort.org/files/pe-sig.tgz

A more comprehensive write up of PE-Sig in use is available on the VRT Blog here: http://vrt-sourcefire.blogspot.com/2009/03/generating-virus-signatures-automated.html


About the Sourcefire Vulnerability Research Team

The Sourcefire Vulnerability Research Team (VRT) is a group of leading-edge intrusion detection and prevention experts working to discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. The team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.

All materials contained on this site © Sourcefire VRT