On Sat, 13 Dec 2003 06:11:29 +0100, Olaf Mueller wrote:

> checking my filesystem with antivir (H+BEDV Datentechnik GmbH,
> AntiVir / Linux Version 2.0.9-6, VDF version: 6.23.0.9 created 12 Dec
> 2003) runs into the following alert. Antivir says that the files
> /usr/share/locale/<pt_BR,fr,de,cs>/LC_MESSAGES/net-tools.mo are
> infected with trojan horse "TR/HackToolX.RK.1".
>
> So I got a fresh RPM file "net-tools-1.60-20.1" from
> http://rpmfind.net/linux/rpm2html/search.php?query=net-tools,
> extracted one of the net-tools.mo files from the RPM and checked it with
> antivir. And I was very surprised to see that antivir found in this
> new rpm file a trojan horse too!
>
> So, is this only a fake from antivir or is there really a trojan horse
> in the net-tools-1.60-20.1.i386.rpm files on http://rpmfind.net/?
>
> Is there any description available about what "TR/HackToolX.RK.1"
> exactly does?

Note that virus-detection tools sometimes are mistaken if they search for a short virus fingerprint (e.g. a specific sequence of bytes) which can appear in an arbitrary data file. They assume they've found something, but actually the search was just sloppy.

Btw, it's sort of pointless to hide a trojan horse in a localization data file, because it would need malicious code elsewhere to make use of the modified .mo file.
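The two points in the reply (a short byte fingerprint can match inside ordinary data, and a .mo file is pure data that the format fully explains) can be checked concretely. The following is an added example, not code from this thread or from net-tools: it builds a small GNU .mo catalog from a constructed set of messages written in the style of net-tools, runs a naive scanner with a hypothetical 4-byte fingerprint over the bytes and gets hits inside legitimate translations, and then parses the file structurally so that every byte is accounted for by the header, the string tables and the NUL-terminated strings. Bytes the format cannot explain are the only place where anything unexpected could sit, which is a far more useful signal for a file of this kind than a raw substring match. The fingerprint `ost\0` and the message catalog are both constructed for the demonstration.

```python
"""Added example: a minimal GNU .mo reader/writer next to a naive byte-signature
scanner, to show why a short fingerprint hits harmless localization data and
what a structural check of the file looks like instead."""
import struct
import io
import gettext

MO_MAGIC = 0x950412DE  # GNU gettext .mo magic number


def build_mo(catalog):
    """Serialise {original: translation} into little-endian .mo bytes.
    Layout: 28-byte header, originals table, translations table, string data."""
    items = sorted(catalog.items())  # gettext writes originals in sorted order
    n = len(items)
    orig_tab = 28
    trans_tab = orig_tab + 8 * n
    data_start = trans_tab + 8 * n
    blob = bytearray()
    orig_entries, trans_entries = [], []
    for key, val in items:
        for entries, text in ((orig_entries, key), (trans_entries, val)):
            raw = text.encode("utf-8")
            entries.append((len(raw), data_start + len(blob)))
            blob += raw + b"\x00"  # every string is NUL-terminated
    # Header: magic, revision, count, originals offset, translations offset,
    # hash table size (0 = none), hash table offset.
    out = bytearray(struct.pack("<7I", MO_MAGIC, 0, n, orig_tab, trans_tab, 0, data_start))
    for length, offset in orig_entries + trans_entries:
        out += struct.pack("<II", length, offset)
    return bytes(out + blob)


def parse_mo(data):
    """Parse a .mo file. Returns (translations, unexplained_byte_count) and raises
    ValueError if the structure is inconsistent. unexplained_byte_count is the
    number of bytes not covered by header, tables or NUL-terminated strings."""
    if len(data) < 28:
        raise ValueError("file too short for a .mo header")
    if struct.unpack("<I", data[:4])[0] == MO_MAGIC:
        end = "<"
    elif struct.unpack(">I", data[:4])[0] == MO_MAGIC:
        end = ">"
    else:
        raise ValueError("bad magic number")
    _, _rev, n, o_off, t_off, h_size, h_off = struct.unpack(end + "7I", data[:28])
    covered = bytearray(len(data))  # 1 where a byte is explained by the format
    covered[0:28] = b"\x01" * 28

    def read_table(off):
        if off + 8 * n > len(data):
            raise ValueError("string table extends past end of file")
        covered[off:off + 8 * n] = b"\x01" * (8 * n)
        return [struct.unpack(end + "II", data[off + 8 * i:off + 8 * i + 8]) for i in range(n)]

    def read_str(length, off):
        if off + length + 1 > len(data) or data[off + length] != 0:
            raise ValueError("string not NUL-terminated inside the file")
        covered[off:off + length + 1] = b"\x01" * (length + 1)
        return data[off:off + length].decode("utf-8")

    originals = [read_str(l, o) for l, o in read_table(o_off)]
    translations = [read_str(l, o) for l, o in read_table(t_off)]
    if h_size:
        if h_off + 4 * h_size > len(data):
            raise ValueError("hash table extends past end of file")
        covered[h_off:h_off + 4 * h_size] = b"\x01" * (4 * h_size)
    return dict(zip(originals, translations)), covered.count(0)


def naive_scan(data, signature):
    """Return every offset at which a raw byte signature occurs (what a sloppy
    fingerprint match amounts to)."""
    hits, pos = [], data.find(signature)
    while pos != -1:
        hits.append(pos)
        pos = data.find(signature, pos + 1)
    return hits


def stdlib_lookup(data, msgid):
    """Cross-check: have Python's own gettext reader translate msgid from data."""
    return gettext.GNUTranslations(io.BytesIO(data)).gettext(msgid)


# Constructed catalog in the style of net-tools messages (not the real file).
SAMPLE_CATALOG = {
    "": "Content-Type: text/plain; charset=UTF-8\n",
    "Unknown host": "Unbekannter Host",
    "usage: ifconfig [-a] [-v] [-s] <interface>": "Aufruf: ifconfig [-a] [-v] [-s] <Schnittstelle>",
}
# Hypothetical fingerprint: a word ending plus the NUL that ends a C string.
# In an executable that looks specific; in a .mo file every string ends in NUL.
SHORT_SIGNATURE = b"ost\x00"

if __name__ == "__main__":
    mo = build_mo(SAMPLE_CATALOG)
    print("naive signature hits:", naive_scan(mo, SHORT_SIGNATURE))
    print("structural parse:", parse_mo(mo))
    print("after appending unexplained bytes:", parse_mo(mo + b"TRAILING")[1])
```

The naive scan reports the fingerprint twice, once inside "Unknown host" and once inside "Unbekannter Host", although the file contains nothing but text. The structural parse of the same bytes reports zero unexplained bytes, while a copy with eight bytes appended after the last string is still a parseable catalog but now shows those eight bytes as unaccounted for; that count, together with the package manager's own checksum for the file, is what tells a legitimate catalog from a modified one.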