LinuxQuestions.org
Old 08-05-2008, 12:50 AM   #1
nanda22
Member
 
Registered: Mar 2008
Posts: 58

Rep: Reputation: 15
Virus in SuSE linux


Hi All,
My SuSE system got affected with Funny UST Scandal.avi.exe

How can I remove the Funny UST Scandal.avi.exe virus from my PC?
Please help me.
 
Old 08-05-2008, 12:59 AM   #2
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,627

Rep: Reputation: Disabled
I have never seen a Linux PC get affected with a virus. And this virus seems to have the extension .exe, which should not affect Linux. Still, you can try ClamAV for this purpose.
 
Old 08-05-2008, 01:12 AM   #3
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
Searching on Google, I found this information.
It is a virus infecting Win32. If you don't use wine, then your system isn't infected. Just delete any file with these names if you managed to download them.

Quote:
%Root%\Funny UST Scandal.avi.exe
%Windows%\Funny UST Scandal.exe
%Windows%\xmss.exe
%Root%\xmss.exe
 
Old 08-05-2008, 01:22 AM   #4
nanda22
Member
 
Registered: Mar 2008
Posts: 58

Original Poster
Rep: Reputation: 15
Hi
Thanks for the quick reply. I too was astonished to see a virus on my Linux PC.
There is a continuous file transfer between my Linux PC and another system which is Windows.
Maybe it would have got affected that way.
I tried to delete the "Funny UST" file, but it came back again.
Actually there are three files which keep getting generated automatically, however much I try to delete them:
Funny UST scandal.avi.exe
xmss.exe
autorun.inf

Please reply
 
Old 08-05-2008, 01:26 AM   #5
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,289

Rep: Reputation: 2034
Show us the file perms etc., e.g.:

ls -lt

and show us how you tried to remove them.
Either that didn't work or the MS side is still infected. Have you cleaned it?
 
Old 08-05-2008, 01:29 AM   #6
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,627

Rep: Reputation: Disabled
All these files have extensions that are Windows-specific and should not harm Linux. But as jschiwal suggested, if you run wine then maybe you will have to take care. Have you tried ClamAV just as a precaution?
 
Old 08-05-2008, 03:37 AM   #7
nanda22
Member
 
Registered: Mar 2008
Posts: 58

Original Poster
Rep: Reputation: 15
The output of ls -lt before deleting 'Funny UST...' and after deleting it is given below:

sysop@SUSECOMP:~/Events> ls -ltr
total 652
-r-xr--r-- 1 root root 229489 2007-11-16 14:45 xmss.exe
-rwxr--r-- 1 root root 229489 2007-11-16 14:45 Funny UST Scandal.avi.exe
drwxr-xr-x 4 sysop users 4096 2008-01-17 04:14 2007
-rw-r--r-- 1 root root 1064 2008-04-10 10:25 Seiscomp3_ftp_570.sh
-rw-r--r-- 1 sysop users 1057 2008-05-12 06:15 Seiscomp3_ftp.sh
-rwxr--r-- 1 sysop users 1490 2008-07-25 05:21 history
-r-xr--r-- 1 root root 144 2008-08-04 07:29 autorun.inf
-rw-r--r-- 1 sysop users 40977 2008-08-05 01:08 ev080805005145.history
-rw-r--r-- 1 sysop users 3904 2008-08-05 01:08 ev080805005145
-rw-r--r-- 1 sysop users 30363 2008-08-05 01:20 ev080805010110.history
-rw-r--r-- 1 sysop users 3368 2008-08-05 01:20 ev080805010110
-rw-r--r-- 1 sysop users 3745 2008-08-05 02:33 ev080805020101
-rw-r--r-- 1 sysop users 35808 2008-08-05 02:33 ev080805020101.history
drwxr-xr-x 10 sysop users 4096 2008-08-05 07:00 2008
sysop@SUSECOMP:~/Events> rm -f Funny\ UST\ Scandal.avi.exe autorun.inf xmss.exe
sysop@SUSECOMP:~/Events> ls -ltr
total 184
drwxr-xr-x 4 sysop users 4096 2008-01-17 04:14 2007
-rw-r--r-- 1 root root 1064 2008-04-10 10:25 Seiscomp3_ftp_570.sh
-rw-r--r-- 1 sysop users 1057 2008-05-12 06:15 Seiscomp3_ftp.sh
-rwxr--r-- 1 sysop users 1490 2008-07-25 05:21 history
-rw-r--r-- 1 sysop users 40977 2008-08-05 01:08 ev080805005145.history
-rw-r--r-- 1 sysop users 3904 2008-08-05 01:08 ev080805005145
-rw-r--r-- 1 sysop users 30363 2008-08-05 01:20 ev080805010110.history
-rw-r--r-- 1 sysop users 3368 2008-08-05 01:20 ev080805010110
-rw-r--r-- 1 sysop users 3745 2008-08-05 02:33 ev080805020101
-rw-r--r-- 1 sysop users 35808 2008-08-05 02:33 ev080805020101.history
drwxr-xr-x 10 sysop users 4096 2008-08-05 07:00 2008
sysop@SUSECOMP:~/Events> ls -ltr
total 652
-r-xr--r-- 1 root root 229489 2007-11-16 14:45 xmss.exe
-rwxr--r-- 1 root root 229489 2007-11-16 14:45 Funny UST Scandal.avi.exe
drwxr-xr-x 4 sysop users 4096 2008-01-17 04:14 2007
-rw-r--r-- 1 root root 1064 2008-04-10 10:25 Seiscomp3_ftp_570.sh
-rw-r--r-- 1 sysop users 1057 2008-05-12 06:15 Seiscomp3_ftp.sh
-rwxr--r-- 1 sysop users 1490 2008-07-25 05:21 history
-r-xr--r-- 1 root root 144 2008-08-04 07:29 autorun.inf
-rw-r--r-- 1 sysop users 40977 2008-08-05 01:08 ev080805005145.history
-rw-r--r-- 1 sysop users 3904 2008-08-05 01:08 ev080805005145
-rw-r--r-- 1 sysop users 30363 2008-08-05 01:20 ev080805010110.history
-rw-r--r-- 1 sysop users 3368 2008-08-05 01:20 ev080805010110
-rw-r--r-- 1 sysop users 3745 2008-08-05 02:33 ev080805020101
-rw-r--r-- 1 sysop users 35808 2008-08-05 02:33 ev080805020101.history
drwxr-xr-x 10 sysop users 4096 2008-08-05 07:00 2008
sysop@SUSECOMP:~/Events>
 
Old 08-05-2008, 08:45 AM   #8
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,289

Rep: Reputation: 2034
Yeah, I was going to say you need to clean up the MS system first; it looks like it's still installing that virus from somewhere.
The fact that they are owned by root is very bad. You should never allow systems to accept remote logins etc. via the root acct.
 
Old 08-06-2008, 02:13 AM   #9
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
I second it about root access. If you are offering a share on the Linux machine, then the Windows machine is probably replicating itself in any drive it has write access to on the network. A common and very dangerous mistake some people make is to share the C:\ drive in Windows. Only share services you need to. Never share a system directory.

I would recommend creating a new group to match your username and make that your default group. SuSE's default of "users" being the default will allow any user to read your files.

You will probably need to reinstall Windows on that machine and disconnect it from the network until you are done. You can't reliably remove viruses any more.

I don't think it is legal in Unix/Linux to have uppercase letters in a hostname. It looks pretty sloppy as well.
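
Added example, not part of any post in this thread: a read-only shell triage of a directory that a Windows machine can write to, listing autorun.inf files, the programs they name, and Windows executables together with their owner, which is the ownership detail the replies above flag. The function names, the extension list and the demo's autorun.inf content are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: read-only triage of a directory that a Windows host can write to.
# Prints REASON<TAB>OWNER<TAB>PATH per finding. Paths containing newlines are
# not handled.

owner_of() { ls -ld -- "$1" | awk '{print $3}'; }
report()   { printf '%s\t%s\t%s\n' "$1" "$(owner_of "$2")" "$2"; }

# File names launched by an autorun.inf (open= / shellexecute= keys), with
# CRLF line endings and any Windows path prefix stripped.
autorun_targets() {
    tr -d '\r' < "$1" |
        grep -iE '^[[:space:]]*(open|shellexecute)[[:space:]]*=' |
        sed -e 's/^[^=]*=[[:space:]]*//' -e 's/.*\\//'
}

triage_share() {
    find "$1" -type f | while IFS= read -r f; do
        dir=${f%/*}
        name=$(printf '%s' "${f##*/}" | tr '[:upper:]' '[:lower:]')
        case $name in
            autorun.inf)
                report autorun.inf "$f"
                autorun_targets "$f" | while IFS= read -r t; do
                    if [ -f "$dir/$t" ]; then report autorun-target "$dir/$t"; fi
                done ;;
            *.*.exe|*.*.scr|*.*.pif) report double-extension "$f" ;;
            *.exe|*.scr|*.pif)       report windows-executable "$f" ;;
        esac
    done
}

# Demo on constructed files named after the ones in the thread; the
# autorun.inf content is made up for the example.
demo() {
    d=$(mktemp -d) || return 1
    printf '[autorun]\r\nopen=xmss.exe\r\n' > "$d/autorun.inf"
    : > "$d/xmss.exe"
    : > "$d/Funny UST Scandal.avi.exe"
    : > "$d/ev080805005145.history"
    triage_share "$d"
    rm -rf -- "$d"
}

case ${1:-} in
    '')   ;;                      # no argument: only define the functions
    demo) demo ;;
    *)    triage_share "$1" ;;
esac
```

Run it with a directory argument to scan that directory, or with `demo` to see the output on the constructed files. Findings owned by root rather than the share's normal user indicate that the transfer service is writing with root privileges.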
 
Old 08-07-2008, 12:07 AM   #10
nanda22
Member
 
Registered: Mar 2008
Posts: 58

Original Poster
Rep: Reputation: 15
Hi
Thank you very much for your great help.
I've installed ClamAV, now the virus has been removed.

I've one small doubt: how can I find the outgoing IP address of my Linux system?
 
Old 08-07-2008, 01:23 AM   #11
nanda22
Member
 
Registered: Mar 2008
Posts: 58

Original Poster
Rep: Reputation: 15
I've installed ClamAV, but still that virus has not been removed.
How do I disinfect the virus "Funny UST .... " using ClamAV?
Thanks in advance
 
Old 08-07-2008, 01:28 AM   #12
junpa
Member
 
Registered: Aug 2008
Location: Northern Hemisphere
Distribution: Slackware, OpenVMS, fbsd
Posts: 50

Rep: Reputation: 16
nanda22,

visit this site: http://whatismyip.com

Your Linux box is not 'infected'. You need to disinfect the Windows box.

So you CANNOT get rid of the problem from Linux. (Re)read what jschiwal posted.

Last edited by junpa; 08-07-2008 at 01:33 AM. Reason: OP reposted virus recurrence
 
Old 08-07-2008, 01:32 AM   #13
nanda22
Member
 
Registered: Mar 2008
Posts: 58

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by junpa
nanda22,

visit this site: http://whatismyip.com

Hi Junpa,
thank you.
I know about this "whatismyip.com",
but there is no internet connection to that system.
 
Old 08-07-2008, 01:44 AM   #14
junpa
Member
 
Registered: Aug 2008
Location: Northern Hemisphere
Distribution: Slackware, OpenVMS, fbsd
Posts: 50

Rep: Reputation: 16
nanda22,

Well, you need to give more information about your setup. Do you mean just to that site or to the internet, period? You are obviously connected to the internet.

You can also try: http://www.checkip.org

or just google for "what is my ip"
 
Old 08-07-2008, 01:55 AM   #15
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
Nanda22, please don't post the same thread twice.

http://www.linuxquestions.org/questi...s-help-661053/

Please use this thread for continued conversation.
 
  

