Greets all; I got one of those emails from what looked like the IRS yesterday, but the .doc file it linked to was .htm and supposedly infected my machine with either the JS/Iframe.W!tr; Trojan-Downloader.JS.Iframe.czj or once infected, the Trojan-Ransom.Win32.Gimemo.akxc
I killed firefox about 1.5 seconds after the dummy download screen was displayed. So I made a /virii directory, cd'd to / and ran:

    clamscan -r --move=/virii

which after several hours reported:

    ----------- SCAN SUMMARY -----------
    Known viruses: 1584189
    Engine version: 0.96.5
    Scanned directories: 81408
    Scanned files: 893834
    Infected files: 2022
    Total errors: 536
    Data scanned: 38491.40 MB
    Data read: 84480.79 MB (ratio 0.46:1)
    Time: 13466.696 sec (224 m 26 s)

But it only moved

    root@coyote:/virii# ls -l |wc -l
    963

actual files. And moved what I would consider quite a few FP's to that directory. Several .log files it didn't like, and one wine .dll it moved many copies of. A partial list, not including hundreds of mozilla cache files:

    -rw-r--r-- 1 root root  202381 2010-03-29 11:01 72_active.cf.001
    -rw-r--r-- 1 root root     362 2012-06-15 10:31 clam.7z.001
    -rw-r--r-- 1 root root     393 2012-06-15 10:31 clam.arj.001
    -rw-r--r-- 1 root root    7680 2012-06-15 10:31 clam-aspack.exe.001
    -rw-r--r-- 1 root root    1024 2012-06-15 10:31 clam.bin-be.cpio.001
    -rw-r--r-- 1 root root    1024 2012-06-15 10:31 clam.bin-le.cpio.001
    -rw-r--r-- 1 root root     462 2012-06-15 10:31 clam.bz2.zip.001
    -rw-r--r-- 1 root root     621 2012-06-15 10:31 clam.cab.001
    -rw-r--r-- 1 root root    3079 2012-06-15 10:31 clam_cache_emax.tgz.001
    -rw-r--r-- 1 root root   10950 2012-06-15 10:31 clam.chm.001
    -rw-r--r-- 1 root root     422 2012-06-15 10:31 clam.d64.zip.001
    -rw-r--r-- 1 root root  211738 2012-06-15 10:31 clam.ea05.exe.001
    -rw-r--r-- 1 root root  257960 2012-06-15 10:31 clam.ea06.exe.001
    -rw-r--r-- 1 root root     544 2012-06-15 10:31 clam.exe.001
    -rw-r--r-- 1 root root     833 2012-06-15 10:31 clam.exe.binhex.001
    -rw-r--r-- 1 root root     348 2012-06-15 10:31 clam.exe.bz2.001
    -rw-r--r-- 1 root root     782 2012-06-15 10:31 clam.exe.html.001
    -rw-r--r-- 1 root root     919 2012-06-15 10:31 clam.exe.mbox.base64.001
    -rw-r--r-- 1 root root     960 2012-06-15 10:31 clam.exe.mbox.uu.001.001
    -rw-r--r-- 1 root root   20255 2012-06-15 10:31 clam.exe.rtf.001.001
    -rw-r--r-- 1 root root     308 2012-06-15 10:31 clam.exe.szdd.001
    -rw-r--r-- 1 root root    6656 2012-06-15 10:31 clam-fsg.exe.001
    -rw-r--r-- 1 root root     394 2012-06-15 10:31 clam.impl.zip.001
    -rw-r--r-- 1 root root 1748612 2012-06-15 10:31 clam_IScab_ext.exe.001
    -rw-r--r-- 1 root root 1744032 2012-06-15 10:31 clam_IScab_int.exe.001
    -rw-r--r-- 1 root root 1215239 2012-06-15 10:31 clam_ISmsi_ext.exe.001
    -rw-r--r-- 1 root root 1184248 2012-06-15 10:31 clam_ISmsi_int.exe.001
    -rw-r--r-- 1 root root    1337 2012-06-15 10:31 clam.mail.001
    -rw-r--r-- 1 root root    1024 2012-06-15 10:31 clam.newc.cpio.001
    -rw-r--r-- 1 root root   47437 2012-06-15 10:31 clam-nsis.exe.001
    -rw-r--r-- 1 root root    1024 2012-06-15 10:31 clam.odc.cpio.001.001
    -rw-r--r-- 1 root root   16384 2012-06-15 10:31 clam.ole.doc.001
    -rw-r--r-- 1 root root    7277 2012-06-15 10:31 clam.pdf.001
    -rw-r--r-- 1 root root   16384 2012-06-15 10:31 clam-pespin.exe.001
    -rw-r--r-- 1 root root    4096 2012-06-15 10:31 clam-petite.exe.001
    -rw-r--r-- 1 root root     528 2012-06-15 10:31 clam-phish-exe.001
    -rw-r--r-- 1 root root   33793 2012-06-15 10:31 clam.ppt.001
    -rw-r--r-- 1 root root     596 2012-06-15 10:31 clam.sis.001
    -rw-r--r-- 1 root root     486 2012-06-15 10:31 clam.tar.gz.001
    -rw-r--r-- 1 root root    9738 2012-06-15 10:31 clam.tnef.001
    -rw-r--r-- 1 root root    1852 2012-06-15 10:31 clam-upack.exe.001
    -rw-r--r-- 1 root root    3072 2012-06-15 10:31 clam-upx.exe.001.001
    -rw-r--r-- 1 root root    4096 2012-06-15 10:31 clam-wwpack.exe.001
    -rw-r--r-- 1 root root    6226 2012-06-15 10:31 clam-yc.exe.001
    -rw-r--r-- 1 root root     404 2012-06-15 10:31 clam.zip.001
    -rw-rw-r-- 1 500  500     3769 2011-02-09 13:21 dxf-g.1.001
    -rw-r--r-- 1 root root      68 2012-06-25 19:36 eicar.com.001.001
    -rw-r--r-- 1 root root    5482 2012-04-22 18:31 gadget_multi.txt.001.001
    -rw-r--r-- 1 root root    5482 2012-04-02 12:53 gadget_multi.txt.002.001
    -rw-r--r-- 1 500  500     5482 2011-03-14 21:20 gadget_multi.txt.003
    -rw-r--r-- 1 500  500     5482 2011-03-14 21:20 gadget_multi.txt.003.001
    -rw-rw-r-- 1 gene gene 18286759 2012-08-15 06:30 mailfilter.log.001
    -rw------- 1 root root 6043510 2012-08-15 09:28 mailfilter.log.001.001
    -rw-rw-r-- 1 500  500  1196842 2011-01-23 18:01 Mail-SpamAssassin-3.3.1.tar.gz.001
    -rw------- 1 root root 1196842 2012-08-15 08:50 Mail-SpamAssassin-3.3.1.tar.gz.001.001
    -rw-r--r-- 1 root root  348160 2007-09-04 14:45 msvcr71.dll.001
    -rw-rw-r-- 1 gene gene  348160 2003-02-21 12:42 msvcr71.dll.001.001
    -rw------- 1 root root  348160 2012-08-15 09:24 msvcr71.dll.002.001
    -rw-r--r-- 1 root root     799 2010-03-16 10:49 sample-spam.txt.001.001
    -rw-r--r-- 1 root root     799 2010-03-16 10:49 sample-spam.txt.002.001
    -rw-r--r-- 1 500  500   874306 2012-05-15 14:34 split.clam_IScab_ext.exeaa.001.001
    -rw-r--r-- 1 500  500   872016 2012-05-15 14:34 split.clam_IScab_int.exeaa.001
    -rw------- 1 root root 3492266 2012-08-15 09:39 Sprocketeer2.zip.001.001
    -rw-rw-r-- 1 gene gene 3492266 2010-08-02 09:50 Sprocketeer2.zip.002
    -rw-r--r-- 1 gene gene 1333866 2012-07-19 01:05 ubuntu irc_#linuxcnc.log.001
    -rw-r--r-- 1 root root   59904 2007-09-04 14:45 zlib1.dll.001

It didn't like quite a few of clamav's own files, and had a regular party with the spamassassin source tarballs too. End of partial list.

Now, how do I get it to rescan those 963 files and report the matching signature that triggered the move?

And, how do I go about bringing the engine up to 0.96.7 since it appears that Ubuntu-10.04.4 LTS has no intention of updating it?

Thanks all

Cheers, Gene
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
My web page: <http://coyoteden.dyndns-free.com:85/gene> is up!
Yow! Maybe I should have asked for my Neutron Bomb in PAISLEY --
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
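The first question in the post, rescanning the quarantine so that the triggering signature is visible per file, is the kind of thing clamscan's normal per-file output already answers: each detection is printed as "<path>: <Signature> FOUND". The script below is an added example, not code from the post or from the ClamAV project, that wraps such a rescan (with `--move` left off so nothing is relocated a second time) and groups the hits by signature, which makes a signature that fired on hundreds of cache files, or on ClamAV's own bundled clam.* test files, stand out for triage. It assumes the /virii quarantine directory from the post, clamscan's standard output format, and a constructed sample of scan output embedded for running the parser offline; the signature names Eicar-Test-Signature and ClamAV-Test-File are the real names ClamAV uses for the EICAR file and its own test files, while Example.Placeholder.Sig is a made-up placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post: rescan a clamscan quarantine
# directory, report which signature fired for each moved file, and group the
# hits by signature so that false-positive clusters stand out.
#
# Assumptions, not taken from the post:
#   - clamscan prints one "<path>: <Signature> FOUND" line per detection and
#     "<path>: OK" for clean files (its standard output format);
#   - the quarantine directory is /virii, as used in the post;
#   - sample_scan_output below is constructed for demonstration only.

QUARANTINE="${1:-/virii}"

# Rescan the quarantine without moving anything this time.
#   -r            recurse into subdirectories
#   --infected    print only files that matched a signature
#   --no-summary  omit the trailing "SCAN SUMMARY" block so output stays parseable
rescan_quarantine() {
    clamscan -r --infected --no-summary "$1" 2>/dev/null
}

# Convert "<path>: <Signature> FOUND" lines into "<Signature><TAB><path>"
# records. Splits on the LAST ": " so that a path containing ": " survives.
parse_found_lines() {
    awk '/ FOUND$/ {
        line = $0
        sub(/ FOUND$/, "", line)
        sig = line
        sub(/.*: /, "", sig)                 # greedy: keep text after last ": "
        path = substr(line, 1, length(line) - length(sig) - 2)
        print sig "\t" path
    }'
}

# Hit count per signature, most frequent first.
signature_histogram() {
    parse_found_lines | cut -f1 | sort | uniq -c | sort -rn
}

# Number of hits for one signature name (reads scan output on stdin).
count_for_signature() {
    parse_found_lines | awk -F'\t' -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# Constructed sample of clamscan output, for exercising the parser offline.
# Eicar-Test-Signature and ClamAV-Test-File are the names ClamAV uses for the
# EICAR file and for its bundled clam.* test files; the last signature is a
# placeholder, and its path deliberately contains ": ".
sample_scan_output() {
    cat <<'EOF'
/virii/clam.exe.001: ClamAV-Test-File FOUND
/virii/clam.zip.001: ClamAV-Test-File FOUND
/virii/eicar.com.001.001: Eicar-Test-Signature FOUND
/virii/mailfilter.log.001: OK
/virii/odd: name.htm: Example.Placeholder.Sig FOUND
EOF
}

# Real run when clamscan is installed; otherwise show the parser on the sample.
if command -v clamscan >/dev/null 2>&1; then
    rescan_quarantine "$QUARANTINE" | signature_histogram
else
    sample_scan_output | signature_histogram
fi
```

Run it as `sh rescan-quarantine.sh /virii`; the histogram's top entries are the signatures to examine first, and `sample_scan_output | parse_found_lines` shows the per-file mapping the post asks for. Splitting on the last ": " rather than the first is what keeps a path like "/virii/odd: name.htm" intact.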