April 15, 2009

Windows Vira fixed with Ubuntu & ClamAV?

Earlier today, to my fear and disgust, I found out that I had been the "lucky" landlord of a virus. Apparently the B****** crept in because the anti-virus software I am using was not fully updated. So what does a clever man do?

Luckily (hopefully) I found out while Windows was booting, a boot which I aborted, so I am hoping not too much damage has been done.

On Ubuntu, ClamAV is offered both as anti-virus software in the personal sense (the on-demand clamscan scanner) and as daemons that can be integrated into e-mail and HTTP (web) proxy servers in the defense of a network. This post will concentrate on looking for and removing a virus/worm/trojan horse on a hard drive (in this case a Windows partition).

As I write this I am screening the hard drive with ClamAV from Ubuntu, as my laptop is a dual (actually triple) boot system with Windows XP and Ubuntu 9.04 Jaunty Jackalope Alpha 6/Beta. (It was installed as Alpha 6 but should have Beta status, as it is updated almost daily.)

So far the intruder (Trojan.Swizzor.Gen) has been found twice on the boot partition; now I have to remove it without too much damage. It might also have hidden itself somewhere else in Windows, disguised from the AV software, but I am hoping that ClamAV will get it. I hope to return to this matter with a positive report, probably tomorrow.

Update (April 16th, 7:05 am GMT+3):
The result of the scan was:
/media/ACER/i386/FONTEXT.DL_: Trojan.Swizzor.Gen FOUND
/media/ACER/WINDOWS/system32/fontext.dll: Trojan.Swizzor.Gen FOUND
/media/ACER/WINDOWS/Installer/$PatchCache$/Managed/00002119F20000000000000000F01FEC/12.0.4518/XL12CNV.EXE: W32.Virut.Gen.D-163 FOUND
/media/ACER/WINDOWS/Installer/$PatchCache$/Managed/00002119F20000000000000000F01FEC/12.0.4518/EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
/media/ACER/WINDOWS/Installer/$PatchCache$/Managed/00002119F20000000000000000F01FEC/12.0.4518/VBE6.DLL: W32.Virut.Gen.D-159 FOUND
/media/ACER/WINDOWS/Installer/$PatchCache$/Managed/00002119F20000000000000000F01FEC/12.0.6215/EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
/media/ACER/WINDOWS/Installer/$PatchCache$/Managed/00002119F20000000000000000F01FEC/12.0.6215/XL12CNV.EXE: W32.Virut.Gen.D-163 FOUND
/media/ACER/WINDOWS/Installer/15826ea.msp: W32.Virut.Gen.D-163 FOUND
/media/ACER/WINDOWS/Installer/15826fc.msp: W32.Virut.Gen.D-163 FOUND
/media/ACER/WINDOWS/Installer/1f3ab5.msp: W32.Virut.Gen.D-163 FOUND
/media/ACER/WINDOWS/Installer/1f3ac7.msp: W32.Virut.Gen.D-163 FOUND
/media/ACER/WINDOWS/Installer/2d377c4.msp: W32.Virut.Gen.D-163 FOUND
/media/ACER/WINDOWS/Installer/2d377d6.msp: W32.Virut.Gen.D-163 FOUND
/media/ACER/WINDOWS/Installer/a0f264.msp: W32.Virut.Gen.D-163 FOUND
/media/ACER/WINDOWS/Installer/a0f276.msp: W32.Virut.Gen.D-163 FOUND
/media/ACER/WINDOWS/$NtServicePackUninstall$/fontext.dll: Trojan.Swizzor.Gen FOUND
/media/ACER/WINDOWS/ServicePackFiles/i386/fontext.dll: Trojan.Swizzor.Gen FOUND
/media/ACER/Programmer/Microsoft Office/Office12/EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
/media/ACER/Programmer/Microsoft Office/Office12/excelcnv.exe: W32.Virut.Gen.D-163 FOUND
/media/ACER/.Trash-1000/files/RESTORE/k-1-3542-4232123213-7676767-8888886/BLUE.exe: Trojan.Agent-81496 FOUND

Known viruses: 539153
Engine version: 0.95.1
Scanned directories: 12009
Scanned files: 121566
Infected files: 20

Apparently ClamAV produces false positives on the Trojan.Swizzor.Gen signature. I do not know what to think, but I am uploading the files to an online virus scanner as we speak.

However, the scan also found W32.Virut.Gen.D-163 and Trojan.Agent-81496 in my files. These are viruses. I am uploading all the files reported by ClamAV to virusscan.jotti.org to verify ClamAV's claims and to confirm whether they are false positives. An update on this will follow later.
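The scan-from-Ubuntu procedure described at the start of the post and the triage of the results above can be put into a small script. What follows is an added example, not code from the original post: it mounts the Windows partition read-only before scanning (so nothing on it can run or be altered while it is examined), logs instead of deleting, parses the "path: Signature FOUND" lines, and groups and hashes the hits per signature before anything is moved. Several copies of the same system file (the fontext.dll copies in system32, ServicePackFiles and the i386 cabinet) flagged under one generic signature, all with the same hash, is what a false positive tends to look like; one upload to an online scanner then settles all of them at once. The device name /dev/sda1, the quarantine directory and the sample log at the end are assumptions; the mount point /media/ACER is the one from the post. W32.Virut is a file infector, so the flagged EXCEL.EXE and XL12CNV.EXE are modified copies of legitimate programs and quarantining them breaks Office; those are reinstalled from the original media afterwards rather than restored. `--move`, `--log`, `-r` and `-i` are real clamscan options.

```shell
#!/bin/sh
# Added example (not from the original post): scan a Windows partition from
# Ubuntu with clamscan, log instead of deleting, then triage the log.
# Assumptions: the partition is /dev/sda1 and is mounted at /media/ACER as in
# the post; the quarantine directory is my own choice.

MOUNT=/media/ACER
QUARANTINE="$HOME/clam-quarantine"
LOG="$HOME/clamscan.log"

# Step 1: mount read-only so nothing on the Windows disk can be altered or
# executed while it is examined.
mount_ro() {
    sudo mkdir -p "$MOUNT"
    sudo mount -t ntfs-3g -o ro /dev/sda1 "$MOUNT"
}

# Step 2: fresh signatures, then a recursive scan that only reports.
# -i prints infected files only; --log keeps the full report for later.
scan_ro() {
    sudo freshclam
    clamscan -r -i --log="$LOG" "$MOUNT"
}

# Step 3: parse the "path: Signature FOUND" lines into path<TAB>signature.
# Lines ending in OK (or the summary block) are skipped.
parse_found() {
    awk '$NF == "FOUND" {
        sig = $(NF - 1)
        path = $0
        sub(": " sig " FOUND$", "", path)
        print path "\t" sig
    }' "$1"
}

# Hits per signature: one generic signature on many copies of the same system
# file is the pattern to look at first when suspecting a false positive.
count_by_signature() {
    parse_found "$1" | cut -f 2 | sort | uniq -c | sort -rn
}

# Hash every file reported under one signature. Identical hashes mean the
# scanner flagged the same bytes several times, so one upload to an online
# scanner answers for all of them.   usage: hash_by_signature LOG SIGNATURE
hash_by_signature() {
    parse_found "$1" | awk -F '\t' -v s="$2" '$2 == s { print $1 }' |
    while IFS= read -r f; do
        [ -f "$f" ] && sha256sum "$f"
    done
}

# Step 4, only after the verdict: remount read-write and move, not delete, so
# a false positive can be put back where it came from.
quarantine() {
    mkdir -p "$QUARANTINE"
    sudo mount -o remount,rw "$MOUNT"
    clamscan -r -i --move="$QUARANTINE" --log="$LOG.quarantine" "$MOUNT"
}

# Constructed sample log (invented paths) so the parsing can be tried offline.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/mnt/win/WINDOWS/system32/fontext.dll: Trojan.Swizzor.Gen FOUND
/mnt/win/WINDOWS/ServicePackFiles/i386/fontext.dll: Trojan.Swizzor.Gen FOUND
/mnt/win/Office12/EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
/mnt/win/WINDOWS/notepad.exe: OK
Infected files: 3
EOF
    echo "$f"
}
```

Typical use is `mount_ro; scan_ro; count_by_signature "$LOG"`, then `hash_by_signature "$LOG" Trojan.Swizzor.Gen` to see whether the flagged copies are byte-identical, and `quarantine` only once the online scanner has confirmed which detections are real.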
