Mailing List Archive: ClamAV: users

Do I have a disaster?


gheskett at wdtv

Aug 15, 2012, 7:55 AM

Post #1 of 3
Do I have a disaster?

Greets all;

I got one of those emails from what looked like the IRS yesterday, but the
.doc file it linked to was .htm and supposedly infected my machine with
either the JS/Iframe.W!tr; Trojan-Downloader.JS.Iframe.czj or once
infected, the Trojan-Ransom.Win32.Gimemo.akxc

I killed firefox about 1.5 seconds after the dummy download screen was
displayed.

So I made a /virii directory, cd'd to / and ran:

clamscan -r --move=/virii

which after several hours reported:
----------- SCAN SUMMARY -----------
Known viruses: 1584189
Engine version: 0.96.5
Scanned directories: 81408
Scanned files: 893834
Infected files: 2022
Total errors: 536
Data scanned: 38491.40 MB
Data read: 84480.79 MB (ratio 0.46:1)
Time: 13466.696 sec (224 m 26 s)

But it only moved
root [at] coyot:/virii# ls -l |wc -l
963
actual files.

And moved what I would consider quite a few FPs to that directory. Several
.log files it didn't like, and one wine .dll it moved many copies of. A
partial list, not including hundreds of mozilla cache files:

-rw-r--r-- 1 root root 202381 2010-03-29 11:01 72_active.cf.001
-rw-r--r-- 1 root root 362 2012-06-15 10:31 clam.7z.001
-rw-r--r-- 1 root root 393 2012-06-15 10:31 clam.arj.001
-rw-r--r-- 1 root root 7680 2012-06-15 10:31 clam-aspack.exe.001
-rw-r--r-- 1 root root 1024 2012-06-15 10:31 clam.bin-be.cpio.001
-rw-r--r-- 1 root root 1024 2012-06-15 10:31 clam.bin-le.cpio.001
-rw-r--r-- 1 root root 462 2012-06-15 10:31 clam.bz2.zip.001
-rw-r--r-- 1 root root 621 2012-06-15 10:31 clam.cab.001
-rw-r--r-- 1 root root 3079 2012-06-15 10:31 clam_cache_emax.tgz.001
-rw-r--r-- 1 root root 10950 2012-06-15 10:31 clam.chm.001
-rw-r--r-- 1 root root 422 2012-06-15 10:31 clam.d64.zip.001
-rw-r--r-- 1 root root 211738 2012-06-15 10:31 clam.ea05.exe.001
-rw-r--r-- 1 root root 257960 2012-06-15 10:31 clam.ea06.exe.001
-rw-r--r-- 1 root root 544 2012-06-15 10:31 clam.exe.001
-rw-r--r-- 1 root root 833 2012-06-15 10:31 clam.exe.binhex.001
-rw-r--r-- 1 root root 348 2012-06-15 10:31 clam.exe.bz2.001
-rw-r--r-- 1 root root 782 2012-06-15 10:31 clam.exe.html.001
-rw-r--r-- 1 root root 919 2012-06-15 10:31 clam.exe.mbox.base64.001
-rw-r--r-- 1 root root 960 2012-06-15 10:31 clam.exe.mbox.uu.001.001
-rw-r--r-- 1 root root 20255 2012-06-15 10:31 clam.exe.rtf.001.001
-rw-r--r-- 1 root root 308 2012-06-15 10:31 clam.exe.szdd.001
-rw-r--r-- 1 root root 6656 2012-06-15 10:31 clam-fsg.exe.001
-rw-r--r-- 1 root root 394 2012-06-15 10:31 clam.impl.zip.001
-rw-r--r-- 1 root root 1748612 2012-06-15 10:31 clam_IScab_ext.exe.001
-rw-r--r-- 1 root root 1744032 2012-06-15 10:31 clam_IScab_int.exe.001
-rw-r--r-- 1 root root 1215239 2012-06-15 10:31 clam_ISmsi_ext.exe.001
-rw-r--r-- 1 root root 1184248 2012-06-15 10:31 clam_ISmsi_int.exe.001
-rw-r--r-- 1 root root 1337 2012-06-15 10:31 clam.mail.001
-rw-r--r-- 1 root root 1024 2012-06-15 10:31 clam.newc.cpio.001
-rw-r--r-- 1 root root 47437 2012-06-15 10:31 clam-nsis.exe.001
-rw-r--r-- 1 root root 1024 2012-06-15 10:31 clam.odc.cpio.001.001
-rw-r--r-- 1 root root 16384 2012-06-15 10:31 clam.ole.doc.001
-rw-r--r-- 1 root root 7277 2012-06-15 10:31 clam.pdf.001
-rw-r--r-- 1 root root 16384 2012-06-15 10:31 clam-pespin.exe.001
-rw-r--r-- 1 root root 4096 2012-06-15 10:31 clam-petite.exe.001
-rw-r--r-- 1 root root 528 2012-06-15 10:31 clam-phish-exe.001
-rw-r--r-- 1 root root 33793 2012-06-15 10:31 clam.ppt.001
-rw-r--r-- 1 root root 596 2012-06-15 10:31 clam.sis.001
-rw-r--r-- 1 root root 486 2012-06-15 10:31 clam.tar.gz.001
-rw-r--r-- 1 root root 9738 2012-06-15 10:31 clam.tnef.001
-rw-r--r-- 1 root root 1852 2012-06-15 10:31 clam-upack.exe.001
-rw-r--r-- 1 root root 3072 2012-06-15 10:31 clam-upx.exe.001.001
-rw-r--r-- 1 root root 4096 2012-06-15 10:31 clam-wwpack.exe.001
-rw-r--r-- 1 root root 6226 2012-06-15 10:31 clam-yc.exe.001
-rw-r--r-- 1 root root 404 2012-06-15 10:31 clam.zip.001
-rw-rw-r-- 1 500 500 3769 2011-02-09 13:21 dxf-g.1.001
-rw-r--r-- 1 root root 68 2012-06-25 19:36 eicar.com.001.001
-rw-r--r-- 1 root root 5482 2012-04-22 18:31 gadget_multi.txt.001.001
-rw-r--r-- 1 root root 5482 2012-04-02 12:53 gadget_multi.txt.002.001
-rw-r--r-- 1 500 500 5482 2011-03-14 21:20 gadget_multi.txt.003
-rw-r--r-- 1 500 500 5482 2011-03-14 21:20 gadget_multi.txt.003.001
-rw-rw-r-- 1 gene gene 18286759 2012-08-15 06:30 mailfilter.log.001
-rw------- 1 root root 6043510 2012-08-15 09:28 mailfilter.log.001.001
-rw-rw-r-- 1 500 500 1196842 2011-01-23 18:01 Mail-SpamAssassin-3.3.1.tar.gz.001
-rw------- 1 root root 1196842 2012-08-15 08:50 Mail-SpamAssassin-3.3.1.tar.gz.001.001
-rw-r--r-- 1 root root 348160 2007-09-04 14:45 msvcr71.dll.001
-rw-rw-r-- 1 gene gene 348160 2003-02-21 12:42 msvcr71.dll.001.001
-rw------- 1 root root 348160 2012-08-15 09:24 msvcr71.dll.002.001
-rw-r--r-- 1 root root 799 2010-03-16 10:49 sample-spam.txt.001.001
-rw-r--r-- 1 root root 799 2010-03-16 10:49 sample-spam.txt.002.001
-rw-r--r-- 1 500 500 874306 2012-05-15 14:34 split.clam_IScab_ext.exeaa.001.001
-rw-r--r-- 1 500 500 872016 2012-05-15 14:34 split.clam_IScab_int.exeaa.001
-rw------- 1 root root 3492266 2012-08-15 09:39 Sprocketeer2.zip.001.001
-rw-rw-r-- 1 gene gene 3492266 2010-08-02 09:50 Sprocketeer2.zip.002
-rw-r--r-- 1 gene gene 1333866 2012-07-19 01:05 ubuntu irc_#linuxcnc.log.001
-rw-r--r-- 1 root root 59904 2007-09-04 14:45 zlib1.dll.001
It didn't like quite a few of clamav's own files, and had a regular party
with the spamassassin source tarballs too.

End of partial list.

Now, how do I get it to rescan those 963 files and report the matching
signature that triggered the move?

And, how do I go about bringing the engine up to 0.96.7 since it appears
that Ubuntu-10.04.4 LTS has no intention of updating it?

Thanks all

Cheers, Gene
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
My web page: <http://coyoteden.dyndns-free.com:85/gene> is up!
Yow! Maybe I should have asked for my Neutron Bomb in PAISLEY --
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


cswiger at mac

Aug 15, 2012, 10:11 AM

Post #2 of 3 (274 views)
Permalink
Re: Do I have a disaster? [In reply to]

On Aug 15, 2012, at 7:55 AM, Gene Heskett wrote:
> Greets all;
>
> I got one of those emails from what looked like the IRS yesterday, but the
> .doc file it linked to was .htm and supposedly infected my machine with
> either the JS/Iframe.W!tr; Trojan-Downloader.JS.Iframe.czj or once
> infected, the Trojan-Ransom.Win32.Gimemo.akxc
>
> I killed firefox about 1.5 seconds after the dummy download screen was
> displayed.

OK. 1.5 seconds is quite a while as far as a computer is concerned;
if you were running a vulnerable platform, then yeah, your system probably
was compromised.

> So I made a /virii directory, cd'd to / and ran:
>
> clamscan -r --move=/virii

My first instincts would have been to take a complete backup for
forensic purposes, and then reinstall the OS and restore from a prior
backup.

(You are taking backups of everything you care about, right?)

> And moved what I would consider quite a few FP's to that directory. Several
> .log files it didn't like, and one wine .dll it moved many copies of. A
> partial list, not including hundreds of mozilla cache files:
[ ... ]
> It didn't like quite a few of clamav's own files, and had a regular party
> with the spamassassin source tarballs too.

These aren't false positives-- a virus scanner _should_ trigger from (unencrypted)
malware signatures.

> End of partial list.
>
> Now, how do I get it to rescan those 963 files and report the matching
> signature that triggered the move?

clamscan -v?

> And, how do I go about bringing the engine up to 0.96.7 since it appears
> that Ubuntu-10.04.4 LTS has no intention up updating it?

One can build ClamAV-0.96.7 from source code, just as whoever builds the "official"
Ubuntu packages would.

Regards,
--
-Chuck



draynor at sourcefire

Aug 15, 2012, 12:35 PM

Post #3 of 3 (284 views)
Permalink
Re: Do I have a disaster? [In reply to]

On Wed, Aug 15, 2012 at 1:11 PM, Chuck Swiger <cswiger [at] mac> wrote:

> On Aug 15, 2012, at 7:55 AM, Gene Heskett wrote:
> > Greets all;
> >
> > I got one of those emails from what looked like the IRS yesterday, but
> the
> > .doc file it linked to was .htm and supposedly infected my machine with
> > either the JS/Iframe.W!tr; Trojan-Downloader.JS.Iframe.czj or once
> > infected, the Trojan-Ransom.Win32.Gimemo.akxc
> >
> > I killed firefox about 1.5 seconds after the dummy download screen was
> > displayed.
>
> OK. 1.5 seconds is quite a while as far as a computer is concerned;
> if you were running a vulnerable platform, then yeah, your system probably
> was compromised.
>
> > So I made a /virii directory, cd'd to / and ran:
> >
> > clamscan -r --move=/virii
>
> My first instincts would have been to take a complete backup for
> forensic purposes, and then reinstall the OS and restore from a prior
> backup.
>
> (You are taking backups of everything you care about, right?)
>
> > And moved what I would consider quite a few FP's to that directory.
> Several
> > .log files it didn't like, and one wine .dll it moved many copies of. A
> > partial list, not including hundreds of mozilla cache files:
> [ ... ]
> > It didn't like quite a few of clamav's own files, and had a regular party
> > with the spamassassin source tarballs too.
>
> These aren't false positives-- a virus scanner _should_ trigger from
> (unencrypted)
> malware signatures.
>
> > End of partial list.
> >
> > Now, how do I get it to rescan those 963 files and report the matching
> > signature that triggered the move?
>
> clamscan -v?
>
> > And, how do I go about bringing the engine up to 0.96.7 since it appears
> > that Ubuntu-10.04.4 LTS has no intention up updating it?
>
> One can build ClamAV-0.96.7 from source code, just as whoever builds the
> "official"
> Ubuntu packages would.
>
> Regards,
> --
> -Chuck
>

Chuck is right on all accounts. Those clam* files that your scan detected
and moved are sample files used with ClamAV for unit testing. They match
the "ClamAV-Test-File" signature and almost certainly did not come from
your malware exposure.

Many other details would have been printed before the clamscan final
summary. Did you save the output anywhere? That would have included the
matching virus sigs and which files were moved [including telling you if
there were infected files it could not move]. If you do a rescan, the "-i"
flag tells clamscan only to print files that are infected [leaving the
891000 uninfected files out of the log] and I recommend sending the output
to a file and using "--exclude=yourlogfilename" so clamscan will not try to
scan its own output.

Good luck,

Dave R.

--
---
Dave Raynor
Sourcefire Vulnerability Research Team
draynor [at] sourcefire
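The rescan Dave describes, written out as an added example; this is not code from the thread or from the ClamAV project. It assumes Gene's quarantine directory /virii and a log path of /root/clam-rescan.log (both overridable through the environment), and uses only documented clamscan options: -r, -i, --no-summary, --log and --exclude. The re_escape, summarize, files_for_sig and write_sample_log helpers are constructed for this example, as are the report lines they run on when clamscan is not installed; ClamAV-Test-File and Eicar-Test-Signature are the names ClamAV reports for its own test files and for the EICAR string, while the Placeholder.Sig.* names are not real signatures.

```shell
#!/bin/sh
# Added example (not from the thread or the ClamAV project): rescan a
# clamscan quarantine directory, log which signature fired on which file,
# and summarise the hits per signature.
#
# Assumed paths, override via the environment: Gene's /virii and a log file.
QUARANTINE="${QUARANTINE:-/virii}"
LOGFILE="${LOGFILE:-/root/clam-rescan.log}"

# Escape the characters that are special in both sed's and clamscan's
# regular expressions so a path or signature name is matched literally.
re_escape() {
    printf '%s' "$1" | sed 's/[].[*^$]/\\&/g'
}

# The rescan: -r recurse, -i print only infected files, --no-summary drop
# the SCAN SUMMARY block, --log write the same report to a file, --exclude
# keep clamscan from scanning its own log as it grows (it takes a regex).
# clamscan exits 1 when it finds infected files, which is expected here.
rescan() {
    clamscan -r -i --no-summary --log="$2" --exclude="$(re_escape "$2")" "$1"
}

# Hit count per signature from "path: Signature FOUND" lines, most hits
# first, ties in name order. Output lines look like "2 ClamAV-Test-File".
summarize() {
    sed -n 's/^.*: \(.*\) FOUND$/\1/p' "$1" \
        | sort | uniq -c | awk '{print $1, $2}' | sort -k1,1nr -k2,2
}

# Paths reported for one signature, e.g. ClamAV-Test-File.
files_for_sig() {
    sed -n "s|^\(.*\): $(re_escape "$2") FOUND\$|\1|p" "$1"
}

# Constructed sample report for running offline (not a real scan result).
# ClamAV-Test-File and Eicar-Test-Signature are real ClamAV names;
# Placeholder.Sig.A and Placeholder.Sig.B are made up for this example.
write_sample_log() {
    cat > "$1" <<'EOF'
/virii/clam.exe.001: ClamAV-Test-File FOUND
/virii/clam.zip.001: ClamAV-Test-File FOUND
/virii/eicar.com.001.001: Eicar-Test-Signature FOUND
/virii/sample-spam.txt.001.001: Placeholder.Sig.A FOUND
/virii/mailfilter.log.001: Placeholder.Sig.B FOUND
EOF
}

main() {
    if command -v clamscan >/dev/null 2>&1 && [ -d "$QUARANTINE" ]; then
        rescan "$QUARANTINE" "$LOGFILE" >/dev/null || true
        report="$LOGFILE"
    else
        report="${TMPDIR:-/tmp}/clam-rescan-sample.$$"
        write_sample_log "$report"
    fi
    echo "== hits per signature =="
    summarize "$report"
    echo "== files matched by ClamAV-Test-File =="
    files_for_sig "$report" ClamAV-Test-File
}

main
```

With a real scan the report is written by --log and can be grepped afterwards; the summary makes it immediately visible when, as in Gene's case, most of the quarantine is ClamAV's own test files rather than anything from the phishing page.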
