LinuxQuestions.org
Old 05-09-2013, 09:17 AM   #1
elarsen
Member
 
Registered: Oct 2009
Distribution: Linux Mint (mate) 13
Posts: 64

Rep: Reputation: 8
help with a nasty virus/malware bug


Can a Windows virus that is on the HD cache be put on an Ubuntu HD cache? The following is my story.

My wife received a nasty virus on her laptop. The symptom is she was unable to get it out of safe mode. She had to restart the laptop, and when it booted up it said Windows did not shut down properly. Well, it has gotten to the point that the only way to get it past boot is to have it shut down for a period of time. When I restart the laptop it either cannot go past boot, or if it can, it just hangs there.

Well, I wondered what would happen if I plugged the Ethernet cable in. Well, that is when it infected my Windows desktop. Then my desktop started to do the same thing. I scanned for viruses and malware, and nothing came up. So I zeroed out the hard drive with SeaTools, took out the CMOS battery, and reset my CMOS. I did the exact same thing to my Ubuntu machine. Well, it looks like I did not get rid of it. So I am thinking the bug must have attached itself to the hard drive cache. I am wondering if my Ubuntu machine has the same thing? I hate to replace the hard drive, and when I connect it to my network it would affect my Windows desktop. The Ubuntu machine is acting fine.
 
Old 05-09-2013, 09:27 AM   #2
guyonearth
Member
 
Registered: Jun 2012
Location: USA
Distribution: SolydX
Posts: 399

Rep: Reputation: 82
No Windows virus can run on Linux, two completely different systems. The runtime DLLs that it would need are not there. If it's in the MBR it may mean a new hard drive, zeroing it out won't work. A low-level format might. Hard to offer more without knowing what virus it is.


...
 
Old 05-09-2013, 09:34 AM   #3
thebombzen
Member
 
Registered: Dec 2010
Location: Noneya Business
Distribution: Linux Mint
Posts: 56

Rep: Reputation: 5
Quote:
Originally Posted by guyonearth
If it's in the MBR it may mean a new hard drive, zeroing it out won't work.
You can wipe the Master Boot Record partition table using a tool such as gparted (or the command-line equivalent parted). This won't require a new hard drive, but it will erase all content on the drive.
 
Old 05-09-2013, 10:34 AM   #4
elarsen
Member
 
Registered: Oct 2009
Distribution: Linux Mint (mate) 13
Posts: 64

Original Poster
Rep: Reputation: 8
Quote:
Originally Posted by guyonearth
No Windows virus can run on Linux, two completely different systems. The runtime DLLs that it would need are not there. If it's in the MBR it may mean a new hard drive, zeroing it out won't work. A low-level format might. Hard to offer more without knowing what virus it is.


...
Could the virus be stored on it, and when my Windows machine accesses the Samba share, could it re-get the virus?
 
Old 05-09-2013, 10:39 AM   #5
elarsen
Member
 
Registered: Oct 2009
Distribution: Linux Mint (mate) 13
Posts: 64

Original Poster
Rep: Reputation: 8
Quote:
Originally Posted by thebombzen
You can wipe the Master Boot Record partition table using a tool such as gparted (or the command-line equivalent parted). This won't require a new hard drive, but it will erase all content on the drive.

I will try it when I get home. Someone here at work said it may be a bad hard drive. I know that there is a tool on Ubuntu that can check the S.M.A.R.T. to see if there are any bad sectors. Can't remember what it is called.
 
Old 05-09-2013, 10:48 AM   #6
elarsen
Member
 
Registered: Oct 2009
Distribution: Linux Mint (mate) 13
Posts: 64

Original Poster
Rep: Reputation: 8
I was thinking. Could a bug write itself to a cable modem? I know it could write itself to a router.
 
Old 05-09-2013, 01:58 PM   #7
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Slack14_64_Multilib
Posts: 2,725
Blog Entries: 3

Rep: Reputation: 627
Routers have interfaces you can reach.
Cable modems are less "friendly", so I'm saying "no" here. I could be wrong.
If nothing boots, then I suspect the MBR got scrambled.
 
Old 05-09-2013, 02:08 PM   #8
elarsen
Member
 
Registered: Oct 2009
Distribution: Linux Mint (mate) 13
Posts: 64

Original Poster
Rep: Reputation: 8
I ran out of time while I was writing this originally, and could not proofread what I put down. I forgot to mention: I reinstalled Windows. It acted fine until I started to do the updates. Then it started to show the same symptoms. When I ran IE to get Chrome and my other software, the PC just froze. Earlier I did reset my router by putting a paperclip in the reset button hole. I did run a program to supposedly fix the MBR from the installation CD. So if gparted does not fix the issue, I am guessing it may be hanging around my cable modem. Hopefully the cable modem has a reset option like the router. Well, two more hours until I get home. Hopefully my wife does not need me to do something. I will keep you all posted.
 
Old 05-09-2013, 06:48 PM   #9
guyonearth
Member
 
Registered: Jun 2012
Location: USA
Distribution: SolydX
Posts: 399

Rep: Reputation: 82
Quote:
Originally Posted by elarsen
I ran out of time while I was writing this originally, and could not proofread what I put down. I forgot to mention: I reinstalled Windows. It acted fine until I started to do the updates. Then it started to show the same symptoms. When I ran IE to get Chrome and my other software, the PC just froze. Earlier I did reset my router by putting a paperclip in the reset button hole. I did run a program to supposedly fix the MBR from the installation CD. So if gparted does not fix the issue, I am guessing it may be hanging around my cable modem. Hopefully the cable modem has a reset option like the router. Well, two more hours until I get home. Hopefully my wife does not need me to do something. I will keep you all posted.
Unless your modem runs Windows, what you're describing is impossible. I've never heard of a virus that can target Windows that also targets embedded systems like a router. Since routers and modems don't have hard drives, replicating a virus to one would be difficult, to say the least. It's more likely that a compromised system would change DNS settings on a router that was not secured properly to something malicious. Does your router/modem have a hard password set? It would also be unlikely you would get a virus off a Samba share unless it was already embedded in a program or file of some kind, or an e-mail attachment that could be executed. As far as your hard drive, it's possible you have or had a rootkit in the MBR. This will load before the OS and can do all kinds of things. They can range from hard to very hard to remove without specialized software, and can be impossible to detect with the system running without knowing what to look for. I'm not aware of any Linux rootkits in the wild, but anything is possible these days, it seems.

Last edited by guyonearth; 05-09-2013 at 06:57 PM.
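
Added example (not part of guyonearth's post or the thread): a way to inspect an MBR offline, for instance from a live CD, and compare its boot code with a baseline saved after a clean install. The function names and the sample sector are constructed for illustration; the code assumes a classic 512-byte MBR whose boot code occupies the first 440 bytes, followed by the disk signature and the partition table at offset 446.

```python
import hashlib
import struct

SECTOR, BOOT_CODE_LEN, TABLE_OFF, ENTRY_LEN = 512, 440, 446, 16
TYPE_NAMES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
              0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}

def parse_mbr(sector: bytes) -> dict:
    """Summarise one sector, e.g. saved with: dd if=/dev/sdX of=mbr.bin bs=512 count=1"""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    parts = []
    for i in range(4):
        # Entry layout: status, CHS start (skipped), type, CHS end (skipped), LBA, count
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, TABLE_OFF + i * ENTRY_LEN)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"index": i, "active": status == 0x80,
                          "type": TYPE_NAMES.get(ptype, hex(ptype)),
                          "start_lba": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "boot_code_blank": not any(sector[:BOOT_CODE_LEN]),
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }

def boot_code_changed(baseline: bytes, current: bytes) -> bool:
    """True when the boot code differs; disk signature and table edits are ignored."""
    return (parse_mbr(baseline)["boot_code_sha256"]
            != parse_mbr(current)["boot_code_sha256"])

def build_sample(boot_code: bytes) -> bytes:
    """Constructed sector: the given boot code plus one active NTFS partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return boot_code.ljust(TABLE_OFF, b"\x00") + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    clean = build_sample(b"\xfa\x33\xc0" + b"\x90" * 100)  # constructed bytes
    modified = bytearray(clean)
    modified[10] ^= 0xFF                                   # simulate altered boot code
    print(parse_mbr(clean))
    print("boot code changed:", boot_code_changed(clean, bytes(modified)))
```

Reading the sector while booted from other media matters here because a boot-sector rootkit running under the installed OS can return the original sector to anything that asks.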
 
Old 05-09-2013, 08:22 PM   #10
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5
Posts: 16,086

Rep: Reputation: 1995
I'd recommend asking the Mods via the Report button to move this to Security for deeper analysis/answers.
This
Quote:
It acted fine until I started to do the updates
is interesting. It implies your updates are coming from a 'bad' src.
 
Old 05-09-2013, 11:29 PM   #11
EDDY1
Senior Member
 
Registered: Mar 2010
Location: Oakland,Ca
Distribution: DebianSqueeze, winsxp, wins7, Debian wheezy, LFS 7.2
Posts: 4,658

Rep: Reputation: 408
Get Hiren's Boot CD; it has plenty of AV tools that run from CD. Also, if you reformat the HDD from a live CD, any virus is already eliminated, so there would be no reason to run AV from the live CD, although if paranoid you can. I just had a Windows computer with the Alura virus, which is quite difficult to get rid of.
I had to run Bitdefender from a live CD to cure it.
 
Old 05-10-2013, 07:30 AM   #12
elarsen
Member
 
Registered: Oct 2009
Distribution: Linux Mint (mate) 13
Posts: 64

Original Poster
Rep: Reputation: 8
I believe it is the hard drive. I ran a handful of updates at a time, and it was fine. Then when I continued to do the updates, I ran into my situation. When I checked the SMART from the Ubuntu boot CD, it said it was not activated. However, it was activated in the BIOS. So I believe that it is trying to write something to a bad sector, causing my issue.

I just found out that my wife's laptop was dropped a couple of times. So it was coincidence that both of them crapped out about the same time, making me think that it was a virus.

Thank you all for helping.

Last edited by elarsen; 05-10-2013 at 07:34 AM.
 
Old 05-11-2013, 07:50 PM   #13
elarsen
Member
 
Registered: Oct 2009
Distribution: Linux Mint (mate) 13
Posts: 64

Original Poster
Rep: Reputation: 8
OK folks. I thought I had this nipped in the bud. However, I do not. A person at work lent me a hard drive until I can get mine replaced. I installed the Windows updates just fine, and it ran fine, until shortly after I put the Windows machine on my LAN. Then shortly after, it started to act up. I went to change the screen saver, and my mouse went really slow. Then the PC locked up.

I have a fresh install of Ubuntu on my server. I ran rkhunter, and it said it was OK. However, it had a warning. The warning was Hidden directory found: '/dev/.udev' and 'dev/.initramfs'. I did remove both of the directories, then continued to reboot. Ran rkhunter again and it came up with the found directories. Ummm, before the reboot it also found some files that I was successful in getting rid of.

Last edited by elarsen; 05-12-2013 at 09:54 AM.
 
Old 05-13-2013, 08:44 AM   #14
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Slack14_64_Multilib
Posts: 2,725
Blog Entries: 3

Rep: Reputation: 627
stop deleting stuff.
Read the screen, carefully.
update rkhunter
 
Old 05-13-2013, 08:46 AM   #15
guyonearth
Member
 
Registered: Jun 2012
Location: USA
Distribution: SolydX
Posts: 399

Rep: Reputation: 82
If you're saying that your security software running on a Unix filesystem found rootkits, I find that highly suspect. I'm not aware of any rootkits running in the wild that affect Linux. Most of the ones that have been shown are proof-of-concept more than anything. The only way you could be infected would be if your install media was infected, or your software sources were infected. I also fail to see how it would affect Windows, unless you in fact have multiple infections for both systems. There are rootkits that affect firmware and BIOS chips, that can actually survive hard drive replacements and system reinstalls.
 
  

