draynor at sourcefire
Aug 15, 2012, 12:35 PM
Post #3 of 3
On Wed, Aug 15, 2012 at 1:11 PM, Chuck Swiger <cswiger [at] mac> wrote:
> On Aug 15, 2012, at 7:55 AM, Gene Heskett wrote:
> > Greets all;
> > I got one of those emails from what looked like the IRS yesterday, but
> > .doc file it linked to was .htm and supposedly infected my machine with
> > either the JS/Iframe.W!tr; Trojan-Downloader.JS.Iframe.czj or once
> > infected, the Trojan-Ransom.Win32.Gimemo.akxc
> > I killed firefox about 1.5 seconds after the dummy download screen was
> > displayed.
> OK. 1.5 seconds is quite a while as far as a computer is concerned;
> if you were running a vulnerable platform, then yeah, your system probably
> was compromised.
> > So I made a /virii directory, cd'd to / and ran:
> > clamscan -r --move=/virii
> My first instincts would have been to take a complete backup for
> forensic purposes, and then reinstall the OS and restore from a prior
> (You are taking backups of everything you care about, right?)
> > And moved what I would consider quite a few FP's to that directory.
> > .log files it didn't like, and one wine .dll it moved many copies of. A
> > partial list, not including hundreds of mozilla cache files:
> [ ... ]
> > It didn't like quite a few of clamav's own files, and had a regular party
> > with the spamassassin source tarballs too.
> These aren't false positives-- a virus scanner _should_ trigger from
> malware signatures.
> > End of partial list.
> > Now, how do I get it to rescan those 963 files and report the matching
> > signature that triggered the move?
> clamscan -v?
> > And, how do I go about bringing the engine up to 0.96.7 since it appears
> > that Ubuntu-10.04.4 LTS has no intention of updating it?
> One can build ClamAV-0.96.7 from source code, just as whoever builds the
> Ubuntu packages would.
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
Chuck is right on all accounts. Those clam* files that your scan detected
and moved are sample files used with ClamAV for unit testing. They match
the "ClamAV-Test-File" signature and almost certainly did not come from
your malware exposure.
Many other details would have been printed before the clamscan final
summary. Did you save the output anywhere? That would have included the
matching virus sigs and which files were moved [including telling you if
there were infected files it could not move]. If you do a rescan, the "-i"
flag tells clamscan only to print files that are infected [leaving the
891000 uninfected files out of the log] and I recommend sending the output
to a file and using "--exclude=yourlogfilename" so clamscan will not try to
scan its own output.
Sourcefire Vulnerability Research Team
draynor [at] sourcefire
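A worked follow-up to the rescan advice in this post, added here as an example and not part of the original thread: a small POSIX shell script that rescans a quarantine directory with the flags described above (-r, -i, --log, and --exclude so clamscan skips its own log) and then tallies which signature matched how many files from that log. The function names, the /virii path, the log path and the sample log contents are constructed for illustration; the "<path>: <signature> FOUND" line format is the one clamscan -i prints, and --exclude takes a regular expression, which is why the log path is passed to it verbatim.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the ClamAV project.
# Assumes clamscan's per-file detection line format "<path>: <signature> FOUND".

# Constructed sample of "clamscan -r -i" output (not a real scan log), used so
# the summary functions below can be exercised without running clamscan.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
/virii/clam.exe: ClamAV-Test-File FOUND
/virii/clam-v2.rar: ClamAV-Test-File FOUND
/virii/eicar.com: Eicar-Test-Signature FOUND
/virii/clam.zip: ClamAV-Test-File FOUND

----------- SCAN SUMMARY -----------
Scanned files: 963
Infected files: 4
EOF

# Rescan a quarantine directory, logging only infected files (-i) to $2 and
# excluding the log itself so clamscan does not try to scan its own output.
# --exclude is a regex; the literal log path works as one here.
rescan_quarantine() {
    dir="$1"
    log="$2"
    clamscan -r -i --log="$log" --exclude="$log" "$dir"
}

# Tally how many files matched each signature in a clamscan -i log.
# Prints "<count> <signature>" lines, most frequent signature first.
summarize_signatures() {
    awk -F': ' '/ FOUND$/ { sig = $NF; sub(/ FOUND$/, "", sig); n[sig]++ }
                END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# Number of FOUND lines in the log; should equal the "Infected files" summary.
count_found() {
    grep -c ' FOUND$' "$1"
}

# usage on a real system:
#   rescan_quarantine /virii /root/rescan.log && summarize_signatures /root/rescan.log
```

Because -i drops the per-file "OK" lines, the log stays small enough to read, and the tally makes it obvious when most of the 963 moved files are the ClamAV-Test-File unit-test samples rather than anything from the phishing mail.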