LinuxQuestions.org

General forum thread:
http://www.linuxquestions.org/questions/general-10/help-with-a-nasty-virus-mail-ware-bug-4175461280/

elarsen 05-09-2013 09:17 AM

Help with a nasty virus/malware bug
 
Can a Windows virus that is on the HD cache be put on an Ubuntu HD cache? The following is my story.

My wife received a nasty virus on her laptop. The symptom is that she was unable to get it out of safe mode. She had to restart the laptop, and when it booted up it said Windows did not shut down properly. Well, it has gotten to the point that the only way to get it past boot is to have it shut down for a period of time. When I restart the laptop it either cannot get past boot, or if it can, it just hangs there.

Well, I wondered what would happen if I plugged the Ethernet cable in. Well, that is when it infected my Windows desktop. Then my desktop started to do the same thing. I scanned for viruses and malware, and nothing came up. So I zeroed out the hard drive with SeaTools, took out the CMOS battery, and reset my CMOS. I did the exact same thing to my Ubuntu machine. Well, it looks like I did not get rid of it. So I am thinking the bug must have attached itself to the hard drive cache. I am wondering if my Ubuntu machine has the same thing? I hate to replace the hard drive, and when I connect it to my network it would affect my Windows desktop. The Ubuntu machine is acting fine.

guyonearth 05-09-2013 09:27 AM

No Windows virus can run on Linux, two completely different systems. The runtime DLLs that it would need are not there. If it's in the MBR it may mean a new hard drive, zeroing it out won't work. A low-level format might. Hard to offer more without knowing what virus it is.


...

thebombzen 05-09-2013 09:34 AM

Quote:

Originally Posted by guyonearth (Post 4947897)
If it's in the MBR it may mean a new hard drive, zeroing it out won't work.

You can wipe the Master Boot Record partition table using a tool such as gparted (or the command-line equivalent parted). This won't require a new hard drive, but it will erase all content on the drive.
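The point under discussion, as an added example that is not code posted by anyone in the thread: what "wiping the MBR / partition table" actually touches. The script does it to a throwaway image file (IMG, a constructed test file; the function names are this example's own) rather than a real disk, so it can be run safely. LBA 0 holds the boot code, the four primary partition entries and the 0x55AA signature; rewriting it with parted, gparted or dd replaces all three, and zeroing the whole drive, as the poster had already done, overwrites it along with everything else. The one thing a first-sector wipe misses is the GPT backup header at the end of the disk, which the second function handles.

```shell
#!/bin/sh
# Added example for the thread above, not code posted by anyone in it.
# Demonstrates wiping the partition table on a throwaway image file.
# IMG is a constructed test image; pointing it at a real device (e.g.
# /dev/sdb, checked with lsblk first) performs the same irreversible wipe.
set -eu

IMG="${IMG:-./fake_disk.img}"
SECTORS=8192                      # 4 MiB image, 512-byte sectors

make_fake_disk() {
    # Classic MBR at LBA 0: boot code, then the 0x55 0xAA signature at
    # bytes 510-511. A fake GPT backup header ("EFI PART") goes in the
    # last sector so the second wipe step has something to remove.
    rm -f "$IMG"
    dd if=/dev/zero of="$IMG" bs=512 count="$SECTORS" 2>/dev/null
    printf 'FAKE BOOT CODE' | dd of="$IMG" bs=1 seek=0 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$IMG" bs=1 seek=510 conv=notrunc 2>/dev/null
    printf 'EFI PART' | dd of="$IMG" bs=512 seek=$((SECTORS - 1)) conv=notrunc 2>/dev/null
}

disk_bytes() { wc -c < "$1" | tr -d ' '; }

bytes_hex() {
    # Hex of $3 bytes starting at byte offset $2 of file $1, e.g. "55aa".
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

mbr_signature()     { bytes_hex "$1" 510 2; }
last_sector_magic() { bytes_hex "$1" $(( $(disk_bytes "$1") - 512 )) 8; }

wipe_first_sector() {
    # Zero LBA 0: boot code, the four primary partition entries and the
    # signature. This is all that rewriting the MBR replaces; filesystem
    # contents inside the old partitions are untouched and recoverable.
    dd if=/dev/zero of="$1" bs=512 count=1 conv=notrunc 2>/dev/null
}

wipe_last_sector() {
    # GPT disks keep a backup header in the last sector. A tool that only
    # rewrites LBA 0 leaves it behind, so zero it too (wipefs -a does both).
    last=$(( $(disk_bytes "$1") / 512 - 1 ))
    dd if=/dev/zero of="$1" bs=512 seek="$last" count=1 conv=notrunc 2>/dev/null
}

wipe_disk_labels() {
    wipe_first_sector "$1"
    wipe_last_sector "$1"
}

main() {
    make_fake_disk
    echo "before: mbr=$(mbr_signature "$IMG") last=$(last_sector_magic "$IMG")"
    wipe_disk_labels "$IMG"
    echo "after:  mbr=$(mbr_signature "$IMG") last=$(last_sector_magic "$IMG")"
    rm -f "$IMG"
}

main
```

Running it prints the signature bytes before (55aa) and after (0000) the wipe. On a real disk, `wipefs -a /dev/sdX` does the same two steps in one command; whichever tool is used, the data inside the old partitions is still on the platters afterwards, so a wipe of the partition table alone is not a wipe of the drive.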

elarsen 05-09-2013 10:34 AM

Quote:

Originally Posted by guyonearth (Post 4947897)
No Windows virus can run on Linux, two completely different systems. The runtime DLLs that it would need are not there. If it's in the MBR it may mean a new hard drive, zeroing it out won't work. A low-level format might. Hard to offer more without know what virus it is.


...

Could the virus be stored on it, and when my Windows machine accesses the Samba share, could it re-get the virus?

elarsen 05-09-2013 10:39 AM

Quote:

Originally Posted by thebombzen (Post 4947905)
You can wipe the Master Boot Record partition table using a tool such as gparted (or the command-line equivalent parted). This won't require a new hard drive, but it will erase all content on the drive.


I will try it when I get home. Someone here at work said it may be a bad hard drive. I know that there is a tool on Ubuntu that can check the S.M.A.R.T. data to see if there are any bad sectors. I can't remember what it is called.
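The tool being asked about, as an added example that is not from the thread: on Ubuntu the S.M.A.R.T. data is read with `smartctl` from the smartmontools package (the "Disks" GUI shows the same attributes). The script below takes the attribute table from `smartctl -A` and pulls out the counters that point at a failing surface. SAMPLE_SMART is a constructed table for running offline, not output from the poster's drive, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Extracts the bad-sector counters from
# `smartctl -A` output. SAMPLE_SMART is a constructed attribute table so the
# script runs without a disk; check_drive shows the real invocation.
set -eu

SAMPLE_SMART='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   100   100   051    Pre-fail  Always       -       0
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   099   099   000    Old_age   Always       -       3012
194 Temperature_Celsius     0x0022   031   052   000    Old_age   Always       -       31 (Min/Max 21/52)
196 Reallocated_Event_Count 0x0032   100   100   000    Old_age   Always       -       0
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       8
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       8
199 UDMA_CRC_Error_Count    0x003e   200   200   000    Old_age   Always       -       0'

bad_sector_attrs() {
    # stdin: smartctl -A output. stdout: "NAME raw=N" for each surface-health
    # counter above zero: 5 reallocated sectors, 196 reallocation events,
    # 197 sectors pending remap, 198 sectors unreadable by the offline scan.
    awk '$1 ~ /^[0-9]+$/ && ($1 == 5 || $1 == 196 || $1 == 197 || $1 == 198) && $10 + 0 > 0 {
             printf "%s raw=%d\n", $2, $10
         }'
}

failed_attrs() {
    # Attributes whose WHEN_FAILED column is not "-" have crossed the
    # vendor threshold: the drive is reporting itself as failing.
    awk '$1 ~ /^[0-9]+$/ && $9 != "-" { print $2 }'
}

bad_sector_count() { bad_sector_attrs | wc -l | tr -d ' '; }

check_drive() {
    # Real use, as root: check_drive /dev/sda. `-s on` enables SMART on a
    # drive that reports it as disabled; a drive behind a USB bridge may
    # additionally need `-d sat` so the commands are passed through.
    dev=$1
    smartctl -s on "$dev" > /dev/null
    smartctl -A "$dev" | bad_sector_attrs
    smartctl -A "$dev" | failed_attrs
}

if [ "$#" -eq 0 ]; then
    printf '%s\n' "$SAMPLE_SMART" | bad_sector_attrs
else
    check_drive "$1"
fi
```

On the constructed table this flags Current_Pending_Sector and Offline_Uncorrectable, both at 8: sectors the drive could not read and has not yet been able to remap, which is the pattern behind "works until it writes to the wrong spot, then hangs". A non-zero Reallocated_Sector_Ct that keeps climbing between runs means the same thing; a drive showing either should be replaced rather than scanned for malware.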

elarsen 05-09-2013 10:48 AM

I was thinking: could a bug write itself to a cable modem? I know it could write itself to a router.

Habitual 05-09-2013 01:58 PM

Routers have interfaces you can reach.
Cable modems are less "friendly", so I'm saying "no" here. I could be wrong.
If nothing boots, then I suspect the MBR got scrambled.

elarsen 05-09-2013 02:08 PM

I ran out of time while I was writing this originally, and could not proofread what I put down. I forgot to mention: I reinstalled Windows. It acted fine until I started to do the updates. Then it started to show the same symptoms. When I ran IE to get Chrome and my other software, the PC just froze. Earlier I did reset my router by putting a paperclip in the reset button hole. I did run a program to supposedly fix the MBR from the installation CD. So if gparted does not fix the issue, I am guessing it may be hanging around my cable modem. Hopefully the cable modem has a reset option like the router. Well, two more hours until I get home. Hopefully my wife does not need me to do something. I will keep you all posted.

guyonearth 05-09-2013 06:48 PM

Quote:

Originally Posted by elarsen (Post 4948085)
I ran out of time while I was writing this originally, and could not proofread what I put down. I forgot to mention: I reinstalled Windows. It acted fine until I started to do the updates. Then it started to show the same symptoms. When I ran IE to get Chrome and my other software, the PC just froze. Earlier I did reset my router by putting a paperclip in the reset button hole. I did run a program to supposedly fix the MBR from the installation CD. So if gparted does not fix the issue, I am guessing it may be hanging around my cable modem. Hopefully the cable modem has a reset option like the router. Well, two more hours until I get home. Hopefully my wife does not need me to do something. I will keep you all posted.

Unless your modem runs Windows, what you're describing is impossible. I've never heard of a virus that can target Windows that also targets embedded systems like a router. Since routers and modems don't have hard drives, replicating a virus to one would be difficult, to say the least. It's more likely that a compromised system would change DNS settings on a router that was not secured properly to something malicious. Does your router/modem have a hard password set? It would also be unlikely you would get a virus off a Samba share unless it was already embedded in a program or file of some kind, or an e-mail attachment that could be executed. As far as your hard drive, it's possible you have or had a rootkit in the MBR. This will load before the OS and can do all kinds of things. They can range from hard to very hard to remove without specialized software, and can be impossible to detect with the system running without knowing what to look for. I'm not aware of any Linux rootkits in the wild, but anything is possible these days, it seems.

chrism01 05-09-2013 08:22 PM

I'd recommend asking the Mods via the Report button to move this to Security for deeper analysis/answers.
This:
Quote:

It acted fine until I started to do the updates

is interesting. It implies your updates are coming from a 'bad' source.

EDDY1 05-09-2013 11:29 PM

Get Hiren's Boot CD; it has plenty of AV tools that run from CD. Also, if you reformat the HDD from a live CD, any virus is already eliminated, so there would be no reason to run AV from a live CD, although if paranoid you can. I just had a Windows computer with the Alura virus, which is quite difficult to get rid of.
I had to run BitDefender from a live CD to cure it.

elarsen 05-10-2013 07:30 AM

I believe it is the hard drive. I ran a handful of updates at a time, and it was fine. Then when I continued to do the updates, I ran into my situation. When I checked the SMART data from the Ubuntu boot CD, it said it was not activated. However, it was activated in the BIOS. So I believe that it is trying to write something to a bad sector, causing my issue.

I just found out that my wife's laptop was dropped a couple of times. So it was a coincidence that both of them crapped out at about the same time, making me think that it was a virus.

Thank you all for helping.

elarsen 05-11-2013 07:50 PM

OK folks, I thought I had this nipped in the bud. However, I do not. A person at work lent me a hard drive until I can get mine replaced. I installed the Windows updates just fine, and it ran fine, until shortly after I put the Windows machine on my LAN. Then shortly after, it started to act up. I went to change the screen saver, and my mouse went really slow. Then the PC locked up.

I have a fresh install of Ubuntu on my server. I ran rkhunter, and it said it was OK. However, it had a warning. The warning was: Hidden directory found: '/dev/.udev' and '/dev/.initramfs'. I did remove both of the directories, then continued to reboot. I ran rkhunter again and it came up with the found directories. Umm, before the reboot it also found some files that I was successful in getting rid of.

Habitual 05-13-2013 08:44 AM

Stop deleting stuff.
Read the screen, carefully.
Update rkhunter.

guyonearth 05-13-2013 08:46 AM

If you're saying that your security software running on a Unix filesystem found rootkits, I find that highly suspect. I'm not aware of any rootkits running in the wild that affect Linux. Most of the ones that have been shown are proof-of-concept more than anything. The only way you could be infected would be if your install media was infected, or your software sources were infected. I also fail to see how it would affect Windows, unless you in fact have multiple infections for both systems. There are rootkits that affect firmware and BIOS chips that can actually survive hard drive replacements and system reinstalls.

