The "wintest.py" file does seem to be able to turn off the Windows firewall, but it also has a bunch of other potentially nasty functions built in, including deleting whole directories, manipulating VMs and modifying IP addresses. Since it's apparently for testing, and isn't for Linux, I doubt if it could cause my Linux Samba any trouble. People who build and run Samba on Windows should be careful, and of course read the documentation.
On Wed, 30 Mar 2016 19:00:46 -0700 Al Varnell <alvarn...@mac.com> wrote:

> With all the name changing that happened in the new database, I don’t
> think I can come close to guessing how old the signature might be.
>
> It is in Extended Signature Format (.ndb) looking for an ASCII text
> file (normalized) with any offset and an ASCII string of:
>
> netsh firewall set_opmode mode = disable
>
> except that I substituted an underscore “_” for one space to prevent
> a copy from this e-mail from being identified as infected.
>
> I have confirmed that the wintest.py file does contain this string
> and that there is no subsequent command to re-enable the firewall.
>
> I’ll have to let those familiar with how advisable it is to disabling
> the firewall on a Windows machine would be under these circumstances.
>
> -Al-
>
> On Wed, Mar 30, 2016 at 05:46 PM, Paul Kosinski wrote:
> >
> > The only file that was flagged as containing a virus (trojan) was
> > "wintest.py" in the "wintest" directory of the Samba source code.
> > This sounds like it's only a file for testing Samba (when built for
> > Windows?), and, unless it's something really sneaky, shouldn't be
> > able to affect a running Samba.
> >
> > The bug is called "BadLock", and, since Microsoft is working on it
> > too, I'd guess it's an SMB protocol bug. Furthermore, some years
> > ago MS was stonewalling Samba. If it were a Samba-only bug, MS
> > probably wouldn't actively work on it, but rather would use it to
> > tout the advantages of Windows Server.
> >
> > Paul Kosinski
> >
> > On Thu, 31 Mar 2016 10:51:55 +1100
> > Andrew McGlashan <andrew.mcglas...@affinityvision.com.au> wrote:
> >
> >> On 31/03/2016 5:32 AM, Alain Zidouemba wrote:
> >>> Paul:
> >>>
> >>> Thanks for reporting this FP. This will be fixed momentarily.
> >>
> >> Is it really a false positive?
> >>
> >> There has been a heads up that SAMBA code has a problem and that
> >> both Microsoft and Samba are working on a solution that will be
> >> released on the next patch Tuesday.....
> >>
> >> That download could be part of this somehow, I don't know. But it
> >> shouldn't blindly be considered a FP, that's for sure!
> >>
> >>> - Alain
> >>>
> >>> On Wed, Mar 30, 2016 at 2:18 PM, Paul Kosinski
> >>> <clamav-us...@iment.com> wrote:
> >>>
> >>>> I just downloaded samba-4.4.0.tar.gz (the latest) from samba.org,
> >>>> and, after downloading via HTTPS, ClamAV (0.99.1/21479) reports
> >>>> that the gz file contains Win.Trojan.Qhost-106. In particular,
> >>>> the single file wintest.py in the subdirectory wintest is
> >>>> reported.
> >>
> >> Kind Regards
> >> AndrewM

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
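The thread turns on how a body signature in ClamAV's extended (.ndb) format behaves: Al describes it as a normalized-ASCII-text signature matching one command string at any offset, which is exactly why a test harness that merely contains that string gets flagged. The script below is an added illustration written for this page, not ClamAV's code and not the real Win.Trojan.Qhost-106 entry. It assumes the .ndb layout Name:TargetType:Offset:HexSignature with target type 7 meaning "ASCII text file (normalized)", approximates ClamAV's text normalization as lowercasing plus whitespace collapsing, and uses a constructed signature and a constructed sample script; following Al's convention, one space in the command is written as an underscore so the text is not itself picked up by the original signature.

```python
"""Minimal reader for ClamAV-style .ndb body signatures.

Added example for this thread. The signature line and the sample script
are constructed; the normalization step is only an approximation of what
ClamAV applies to target type 7 (normalized ASCII text).
"""
import re

# As in Al's message, one space is replaced by "_" so this file is not
# itself matched by the signature under discussion.
COMMAND_TEXT = "netsh firewall set_opmode mode = disable"

# Constructed .ndb line: Name:TargetType:Offset:HexSignature
# Target type 7 = normalized ASCII text, offset "*" = anywhere in the body.
SAMPLE_NDB = "Test.Firewall.Opmode-1:7:*:" + COMMAND_TEXT.encode("ascii").hex()

# Tokens of an ndb hex body: {n-m} ranges, "*" gaps, "??" single-byte
# wildcards, and literal hex byte pairs.
_HEX_TOKEN = re.compile(r"\{(\d*)-(\d*)\}|\*|\?\?|[0-9a-fA-F]{2}")


def hexsig_to_regex(hexsig: str) -> re.Pattern:
    """Translate an ndb hex body (with its wildcards) into a bytes regex."""
    out = []
    pos = 0
    for m in _HEX_TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError(f"unparseable hex signature near {hexsig[pos:]!r}")
        tok = m.group(0)
        if tok == "*":
            out.append(b".*")
        elif tok == "??":
            out.append(b".")
        elif tok.startswith("{"):
            lo = (m.group(1) or "0").encode()
            hi = (m.group(2) or "").encode()
            out.append(b".{" + lo + b"," + hi + b"}")
        else:
            out.append(re.escape(bytes.fromhex(tok)))
        pos = m.end()
    if pos != len(hexsig):
        raise ValueError("trailing garbage in hex signature")
    return re.compile(b"".join(out), re.DOTALL)


def parse_ndb(line: str) -> dict:
    """Split one .ndb line into its fields and compile the hex body."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("an .ndb line needs Name:TargetType:Offset:HexSignature")
    name, target, offset, hexsig = fields[:4]
    return {
        "name": name,
        "target": int(target),
        "offset": None if offset == "*" else int(offset),
        "regex": hexsig_to_regex(hexsig),
    }


def normalize_ascii(data: bytes) -> bytes:
    """Approximate normalized-text view: lowercase, runs of whitespace -> one space."""
    return re.sub(rb"\s+", b" ", data.lower())


def scan(data: bytes, sig: dict):
    """Return the offset (in the scanned body) where sig matches, else None."""
    body = normalize_ascii(data) if sig["target"] == 7 else data
    if sig["offset"] is None:
        m = sig["regex"].search(body)
    else:
        m = sig["regex"].match(body, sig["offset"])
    return m.start() if m else None


# Constructed stand-in for a test harness: the command sits inside an
# ordinary string literal, which is all the signature needs to see.
SAMPLE_TEST_SCRIPT = b'''
def disable_firewall(self):
    self.run_cmd("NETSH  firewall set_opmode mode = disable")
'''.strip()

SAMPLE_SIG = parse_ndb(SAMPLE_NDB)

if __name__ == "__main__":
    hit = scan(SAMPLE_TEST_SCRIPT, SAMPLE_SIG)
    print(f"{SAMPLE_SIG['name']}: match at offset {hit}" if hit is not None
          else f"{SAMPLE_SIG['name']}: no match")
```

The point for a reviewer of such a report is visible in the behaviour: the match says nothing about whether the surrounding file is malicious, only that the normalized text contains the string once, anywhere. A fixed offset or a target type other than 7 would not have matched a Python test script at all, and the near-miss "enable" variant is not matched because a body signature is a literal byte pattern, not a semantic check.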