LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-23-2009, 02:21 AM   #1
Pedroski
Senior Member
 
Registered: Jan 2002
Location: Nanjing, China
Distribution: Ubuntu 14.04
Posts: 1,340

Rep: Reputation: 42
undead viruses


I run my laptop on Ubuntu. Here in the college library, I use my pen drive to store things I download on their comp (Win XP). Must have picked up a virus.
jwgkvsq.vmx
I'm not very worried, as I presume it can't touch Linux.
The virus checker on this machine tells me every time I plug the pen drive in, that it has a virus. When I go home, I plug it into my computer and delete the whole directory recycled, put there by the virus checker.

But when I come back the library comp tells me I have it again on the pen drive.

I delete it as root, and presume it is gone. How does it survive? Can there be more copies of it on the pen drive, somehow unseen? I generally have show hidden files ticked, so I know what is on my comp.
The fact that I'm in China, and the antivirus is in Chinese, is not very helpful: I can't read what it says!

Any suggs?
 
Old 04-23-2009, 02:32 AM   #2
hemantm
LQ Newbie
 
Registered: Feb 2006
Distribution: OpenSuse, Ubuntu, Debian, Fedora
Posts: 26

Rep: Reputation: 16
You can try taking a backup of the useful data from the pen drive, format the pen drive and restore the data from the backup, though running a good antivirus would have been a better option.
 
Old 04-23-2009, 04:36 AM   #3
cloud9repo
Member
 
Registered: Oct 2008
Location: Middle TN
Posts: 134

Rep: Reputation: 19
Quote: Originally Posted by Pedroski (post #1, quoted in full)
Heuristic Piece Wise. It's infected with subsequent code other inert files. A triggering event re-assembles.
 
Old 04-23-2009, 04:54 AM   #4
Pedroski
Senior Member
 
Registered: Jan 2002
Location: Nanjing, China
Distribution: Ubuntu 14.04
Posts: 1,340

Original Poster
Rep: Reputation: 42
And to get rid of it?

Re-format?
Do you know this particular beast? What does it do apart from get on my nerves?
 
Old 04-23-2009, 05:53 AM   #5
Crito
Senior Member
 
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168

Rep: Reputation: 53
Pen drive uses FAT so the virus could have marked itself as a system file, in which case no (Windows-based) AV software will be able to remove it (as the OS will prevent the delete operation). Use the attrib command to remove any attributes, or just (re)format the thing if there's no data that needs to be salvaged.
 
Old 04-23-2009, 06:14 AM   #6
Crito
Senior Member
 
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168

Rep: Reputation: 53
Now that I think about it, you can boot off a pen drive too, so you should really repartition before reformatting, just in case the MBR has also been corrupted.

I once encountered a boot sector virus that encrypted the FAT table itself. Remove the virus and the whole disk became unreadable. Leave it there and your system ran really slowly but it ran, as did the botnet software, anywho...
 
Old 04-23-2009, 06:33 AM   #7
Pedroski
Senior Member
 
Registered: Jan 2002
Location: Nanjing, China
Distribution: Ubuntu 14.04
Posts: 1,340

Original Poster
Rep: Reputation: 42
Oh well, going down for a re-partition then. Little bastard thingy. Does it actually do anything then?
 
Old 04-23-2009, 06:58 AM   #8
bitpicker
Member
 
Registered: Jul 2003
Location: Germany
Distribution: Xubuntu, Ubuntu
Posts: 416
Blog Entries: 14

Rep: Reputation: 35
According to this page this file is probably connected to the Conficker (Kido, Downadup) worm. In essence, your stick may be able to infect Windows systems with that malware, which is currently the most successful and dangerous piece of malware extant. You should really delete all partitions on that stick and then rebuild it.

Robin
 
Old 04-23-2009, 07:19 AM   #9
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,778
Blog Entries: 1

Rep: Reputation: 412
You might also want to inform the library that their computers are infected. It probably is no surprise to them, but they really should do something about it. Like not run Windows, but they probably wouldn't like that suggestion.
 
Old 04-23-2009, 07:32 AM   #10
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269
You should use dd to zero the drive then format it again.
 
Old 04-23-2009, 11:43 PM   #11
Pedroski
Senior Member
 
Registered: Jan 2002
Location: Nanjing, China
Distribution: Ubuntu 14.04
Posts: 1,340

Original Poster
Rep: Reputation: 42
10 million to one, it will be reinfected at the library. But if I format it ext3 or so, Win XP in the library won't read it!

Didn't get that bit about dd, can you elaborate?
 
Old 04-24-2009, 12:01 AM   #12
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
According to McAfee, it is the Downadup (Conficker) worm.
http://threatinfo.trendmicro.com/vin...M_AUTORUN.CHN;

I don't like what you said about the Chinese-language removal tool. Did you fall for scare-ware which may itself contain malware? Linux isn't immune from people who run trojaned download installers. Rely on your package manager and only use vetted code.

If you have an older pendrive, reformat it using a live distro, and insert it in the computer in the library. If it gets the malware on it, then it is the library computer that is the cause.
 
Old 04-24-2009, 03:44 AM   #13
Pedroski
Senior Member
 
Registered: Jan 2002
Location: Nanjing, China
Distribution: Ubuntu 14.04
Posts: 1,340

Original Poster
Rep: Reputation: 42
I do have chkrootkit.
I have set it in motion several times. It finds nothing.
What was that with dd? Do you know?

Live disk is good: I have Knoppix 6. Just it talks so much, and I'm not blind!
 
Old 04-24-2009, 04:34 AM   #14
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269
Code:
# zero the drive
dd if=/dev/zero of=/dev/sd#
where 'of=' points to the USB drive. Be careful not to zero your HDD, it's very easy to put in sda instead of sdb and the like. This is a dangerous command, so be careful.

Then you can use fdisk or cfdisk to re-partition the USB drive. As for the library, I usually upload to gmail from the library, no need for the primitive USB stick method.
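Not from any poster in this thread: an added example that wraps the zero, repartition and reformat steps above in the safety checks a careful admin would want, since the post warns that typing sda instead of sdb wipes your hard disk. It assumes a Linux box with sysfs, sfdisk and mkfs.vfat, sdX-style device names, and that the stick is rebuilt as a single FAT32 partition so the library's XP machine can still read it.

```shell
#!/bin/sh
# Safe wipe-and-rebuild of a USB stick (added example, assumes sdX device names).
# Refuses to touch any disk that has a mounted filesystem (so never the disk
# holding /) or that sysfs does not report as removable.

# Whole-disk name for a disk or partition path: /dev/sdb1 -> sdb, /dev/sdb -> sdb.
disk_of() {
    basename "$1" | sed 's/[0-9]*$//'
}

# Succeed only if no /dev/ source in the mount table text ($2, e.g. the
# contents of /proc/mounts) lives on the same disk as device $1.
not_in_use() {
    target=$(disk_of "$1")
    printf '%s\n' "$2" | awk '$1 ~ /^\/dev\// {print $1}' | while read -r src; do
        if [ "$(disk_of "$src")" = "$target" ]; then exit 1; fi
    done
}

# Succeed only if sysfs (root directory $2, normally /sys) flags the disk
# behind $1 as removable, i.e. a pen drive rather than an internal disk.
is_removable() {
    flag="$2/block/$(disk_of "$1")/removable"
    [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]
}

# Print the commands for device $1 only after both checks pass.
wipe_plan() {
    dev="$1"
    not_in_use "$dev" "$(cat /proc/mounts)" || { echo "refusing: $dev is in use" >&2; return 1; }
    is_removable "$dev" /sys || { echo "refusing: $dev is not removable" >&2; return 1; }
    # Zero the whole device (MBR included, so a damaged boot sector goes too),
    # write a fresh table with one FAT32 (type c) partition, then format it.
    cat <<EOF
dd if=/dev/zero of=$dev bs=4M
echo ',,c' | sfdisk $dev
mkfs.vfat -F 32 ${dev}1
EOF
}

# Usage: sh wipe_stick.sh /dev/sdX      (review the printed plan, then pipe it to sh)
if [ -n "$1" ]; then wipe_plan "$1"; fi
```

The script only prints the plan; nothing is written to the stick until you deliberately run the printed commands.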
 
Old 04-24-2009, 05:02 AM   #15
Pedroski
Senior Member
 
Registered: Jan 2002
Location: Nanjing, China
Distribution: Ubuntu 14.04
Posts: 1,340

Original Poster
Rep: Reputation: 42
Thanks, I'll kill the beast now!
 