LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   undead viruses (http://www.linuxquestions.org/questions/linux-security-4/undead-viruses-721085/)

Pedroski 04-23-2009 02:21 AM

undead viruses
 
I run my laptop on Ubuntu. Here in the college library, I use my pen drive to store things I download on their comp (Win XP). Must have picked up a virus.
jwgkvsq.vmx
I'm not very worried, as I presume it can't touch Linux.
The virus checker on this machine tells me every time I plug the pen drive in, that it has a virus. When I go home, I plug it into my computer and delete the whole directory recycled, put there by the virus checker.

But when I come back the library comp tells me I have it again on the pen drive.

I delete it as root, and presume it is gone. How does it survive? Can there be more copies of it on the pen drive, somehow unseen? I generally have show hidden files ticked, so I know what is on my comp.
The fact that I'm in China, and the anti virus is in Chinese is not very helpful---- I can't read what it says!

Any suggs?

hemantm 04-23-2009 02:32 AM

You can try taking a backup of the useful data from the pen drive, format the pen drive and restore the data from the backup., though running a good antivirus would have been a better option.

cloud9repo 04-23-2009 04:36 AM

Quote:

Originally Posted by Pedroski (Post 3518049)
I run my laptop on Ubuntu. Here in the college library, I use my pen drive to store things I download on their comp (Win XP). Must have picked up a virus.
jwgkvsq.vmx
I'm not very worried, as I presume it can't touch Linux.
The virus checker on this machine tells me every time I plug the pen drive in, that it has a virus. When I go home, I plug it into my computer and delete the whole directory recycled, put there by the virus checker.

But when I come back the library comp tells me I have it again on the pen drive.

I delete it as root, and presume it is gone. How does it survive? Can there be more copies of it on the pen drive, somehow unseen? I generally have show hidden files ticked, so I know what is on my comp.
The fact that I'm in China, and the anti virus is in Chinese is not very helpful---- I can't read what it says!

Any suggs?

Heuristic Piece Wise. It's infected with subsequent code other inert files. A triggering event re-assembles.

Pedroski 04-23-2009 04:54 AM

And to get rid of it?

Re-format?
Do you know this particular beast? What does it do apart from get on my nerves?

Crito 04-23-2009 05:53 AM

Pen drive uses FAT so the virus could have marked itself as a system file, in which case no (Windows-based) AV software will be able to remove it (as the OS will prevent the delete operation). Use the attrib command to remove any attributes, or just (re)format the thing if there's no data that needs to be salvaged.

Crito 04-23-2009 06:14 AM

Now that I think about it, you can boot off a pen drive too, so you should really repartition before reformatting, just in case the MBR has also been corrupted.

I once encountered a boot sector virus that encrypted the FAT table itself. Remove the virus and the whole disk became unreadable. Leave it there and your system ran really slowly but it ran, as did the botnet software, anywho...

Pedroski 04-23-2009 06:33 AM

Oh well, going down for a re-partition then. Little bastard thingy. Does it actually do anything then?

bitpicker 04-23-2009 06:58 AM

According to this page this file is probably connected to the Conficker (Kido, Downadup) worm. In essence, your stick may be able to infect Windows systems with that malware, which is currently the most successful and dangerous piece of malware extant. You should really delete all partitions on that stick and then rebuild it.

Robin

Hangdog42 04-23-2009 07:19 AM

You might also want to inform the library that their computers are infected. It probably is no surprise to them, but they really should do something about it. Like not run Windows, but they probably wouldn't like that suggestion.

H_TeXMeX_H 04-23-2009 07:32 AM

You should use dd to zero the drive then format it again.

Pedroski 04-23-2009 11:43 PM

!0 million to one, it will be reinfected at the library. But if I format it ext3 or so, Win XP in the library won't read it!

Didn't get that bit about dd, can you elaborate?

jschiwal 04-24-2009 12:01 AM

According to McAfee, it is the downadup (conficr) worm.
http://threatinfo.trendmicro.com/vin...M_AUTORUN.CHN;

I don't like what you said about the chinese language removal tool. Did you fall for scare-ware which may itself contain malware? Linux isn't immune from people who run trojan'ed download installers. Rely on your package manager and only use vetted code.

If you have an older pendrive, reformat it using a live distro, and insert it in the computer in the library. If it gets the malware on it, then it is the library computer that is the cause.

Pedroski 04-24-2009 03:44 AM

I do have chkrootkit.
I have set it in motion several times. It finds nothing.
What was that with dd? Do you know?

Live disk is good: I have Knoppix 6. Just it talks so much, and I'm not blind!

H_TeXMeX_H 04-24-2009 04:34 AM

Code:

# zero the drive
dd if=/dev/zero of=/dev/sd#

where 'of=' points to the USB drive. Be careful not to zero your HDD, it's very easy to put in sda instead of sdb and the like. This is a dangerous command, so be careful.

Then you can use fdisk or cfdisk to re-partition the USB drive. As for the library, I usually upload to gmail from the library, no need for the primitive USB stick method.

Pedroski 04-24-2009 05:02 AM

Thanks, I'll kill the beast now!


All times are GMT -5. The time now is 09:58 AM.