Re: Virus Suspect

From: "Michael Miles" <mmamiga6@xxxxxxxxx>
Sent: Sunday, 2010/April/18 10:03


> On 04/17/2010 07:45 PM, jdow wrote:
>> From: "Michael Miles"<mmamiga6@xxxxxxxxx>
>> Sent: Saturday, 2010/April/17 10:14
>>
>>> this is what I find with avira
>>> I'm just scanning and not doing anything with this file or files
>>>
>>>
>>>
>>> file: /home/amiga5/.wine-x86_64/drive_c/windows/twain.dll
>>>      last modified on  date: 2010-03-09  time: 14:16:14,  size: 1032 
>>> bytes
>>>      ALERT: TR/Crypt.XPACK.Gen2 ; trojan ; Is the Trojan horse
>>> TR/Crypt.XPACK.Gen2
>>>      ALERT-URL: 
>>> http://www.avira.com/en/threats?q=TR%2FCrypt%2EXPACK%2EGen2
>>>
>>>
>>>
>>>   file: /home/amiga5/.wine-x86_64/drive_c/windows/system32/dosx.exe.XXX
>>>      last modified on  date: 2010-03-09  time: 14:16:14,  size: 1032 
>>> bytes
>>>      ALERT: TR/Crypt.XPACK.Gen2 ; trojan ; Is the Trojan horse
>>> TR/Crypt.XPACK.Gen2
>>>      ALERT-URL: 
>>> http://www.avira.com/en/threats?q=TR%2FCrypt%2EXPACK%2EGen2
>>>
>>>
>>>   file: 
>>> /home/amiga5/.wine-x86_64/drive_c/windows/system32/dsound.vxd.XXX
>>>      last modified on  date: 2010-03-09  time: 14:16:14,  size: 1032 
>>> bytes
>>>      ALERT: TR/Crypt.XPACK.Gen2 ; trojan ; Is the Trojan horse
>>> TR/Crypt.XPACK.Gen2
>>>      ALERT-URL: 
>>> http://www.avira.com/en/threats?q=TR%2FCrypt%2EXPACK%2EGen2
>>>
>>>
>>>   file: 
>>> /home/amiga5/.wine-x86_64/drive_c/windows/system32/ddhelp.exe.XXX
>>>      last modified on  date: 2010-03-09  time: 14:16:14,  size: 1032 
>>> bytes
>>>      ALERT: TR/Crypt.XPACK.Gen2 ; trojan ; Is the Trojan horse
>>> TR/Crypt.XPACK.Gen2
>>>      ALERT-URL: 
>>> http://www.avira.com/en/threats?q=TR%2FCrypt%2EXPACK%2EGen2
>>>
>>>
>>> file: /home/amiga5/.wine-x86_64/drive_c/windows/system/ddeml.dll.XXX
>>>      last modified on  date: 2010-03-09  time: 14:16:14,  size: 1032 
>>> bytes
>>>      ALERT: TR/Crypt.XPACK.Gen2 ; trojan ; Is the Trojan horse
>>> TR/Crypt.XPACK.Gen2
>>>      ALERT-URL: 
>>> http://www.avira.com/en/threats?q=TR%2FCrypt%2EXPACK%2EGen2
>>>
>>>
>>> file: /home/amiga5/.wine-x86_64/drive_c/windows/winhelp.exe.XXX
>>>      last modified on  date: 2010-03-09  time: 14:16:14,  size: 1032 
>>> bytes
>>>      ALERT: TR/Crypt.XPACK.Gen2 ; trojan ; Is the Trojan horse
>>> TR/Crypt.XPACK.Gen2
>>>      ALERT-URL: 
>>> http://www.avira.com/en/threats?q=TR%2FCrypt%2EXPACK%2EGen2
>>>
>>>
>>> Are these false alerts or are they real?
>>>
>>> Considering they are all the same trojan I would suspect false alert.
>>>
>>> I could be wrong...Avira and Bitdefender both found these.... Clamav did
>>> not find any.
>>>
>> If you haven't installed an XP set of files under Wine for your 
>> winhelp.exe
>> and the like - I do believe you have been infected - somehow. What do you
>> run in your Wine? And do you know what the .XXX added to the files is?
>> Double check that they don't track back to the wine install. And if they
>> don't nukem or reinstall wine.
>>
>> Those are files with standard Windows names and .XXX suffixes. They
>> probably found their way into your wine setup. I don't know if they have
>> been unpacked and installed except for twain.dll. They all have the same
>> modified date. That is suggestive of having a malware infection. 
>> (Twain.dll
>> on a fully up to date XP Pro install is dated back in 2004/08/04 and is
>> 93k on disk.)
>>
>> {^_^}
>>
>>
> I set up win xp in wine but did not install any software other than that.
> I just did not like the way wine worked and then used Virtualbox for win
> 7 instead.
>
> I did leave the xp installation there.
>
> I have used both xp and win 7 on this machine as a native os and there
> were no infections present on Win machines.
>
> Clearly there is an infection on Fedora 12 in wine now.
> It just figures that the powers to be would incorporate windows
> vulnerabilities into Fedora through wine.
>
> I had Clamav running the entire life of Fedora 12 on this computer and
> the virus made it by there.
>
> Clam av will not even pick up these viruses now and they are still there.
>
> Avira sees them no problem.

I'd do an "rpm -qf" on each of the files and see if they are things
wine thinks it owns.

{^_^} 

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
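
The check suggested in the reply above, written out as a script. This is an added example, not part of the original thread; the function names and the sample excerpt are assumptions made for illustration. It extracts the flagged paths from a report laid out like the quoted Avira output and asks RPM which package, if any, owns each file.

```shell
#!/bin/sh
# Added example: pull the flagged paths out of a scanner report laid out like
# the one quoted in the thread, then ask RPM which package owns each file.

# Constructed excerpt in the report's layout (path on the "file:" line or on
# the next line, as the mail wrapping left it).
sample_report() {
cat <<'EOF'
>>> file: /home/amiga5/.wine-x86_64/drive_c/windows/twain.dll
>>>      last modified on  date: 2010-03-09  time: 14:16:14,  size: 1032
>>> bytes
>>>      ALERT: TR/Crypt.XPACK.Gen2 ; trojan ; Is the Trojan horse
>>>   file:
>>> /home/amiga5/.wine-x86_64/drive_c/windows/system32/dsound.vxd.XXX
>>>      last modified on  date: 2010-03-09  time: 14:16:14,  size: 1032
EOF
}

# Print one flagged path per line; tolerates ">" quote markers and wrapping.
extract_paths() {
  sed 's/^[> ]*//' | awk '
    want && /^\// { print; want = 0; next }   # path wrapped onto its own line
    { want = 0 }
    /^file:/ {
      p = $0; sub(/^file:[ \t]*/, "", p); sub(/[ \t]+$/, "", p)
      if (p != "") print p; else want = 1
    }'
}

# Owning package name, or a status word when RPM cannot answer.
owner_of() {
  command -v rpm >/dev/null 2>&1 || { echo "rpm-not-available"; return 0; }
  [ -e "$1" ] || { echo "missing"; return 0; }
  pkg=$(rpm -qf --queryformat '%{NAME}\n' "$1" 2>/dev/null) \
    && echo "$pkg" || echo "unowned"
}

# Report "<owner><TAB><path>" for every flagged file read from stdin.
triage() {
  extract_paths | while IFS= read -r f; do
    printf '%s\t%s\n' "$(owner_of "$f")" "$f"
  done
}

# Usage: sh triage.sh avira-report.txt   (no usable argument: run on the sample)
if [ "$#" -gt 0 ] && [ -f "$1" ]; then triage < "$1"; else sample_report | triage; fi
```

An "unowned" result only says that RPM did not install the file. Files under a per-user Wine prefix in a home directory are created when the prefix is set up, so that result is expected there and needs a second check before drawing a conclusion.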
