LinuxQuestions.org


nanda22 08-05-2008 12:50 AM

Virus in SuSE linux
 
Hi All,
My SuSE system got affected with Funny UST Scandal.avi.exe

How can I remove the Funny UST Scandal.avi.exe virus from my PC?
Please help me.

linuxlover.chaitanya 08-05-2008 12:59 AM

I have never seen a Linux PC get affected with a virus. And this virus seems to have the extension .exe, which should not affect Linux. Still, you can try ClamAV for this purpose.

jschiwal 08-05-2008 01:12 AM

Searching on Google, I found this information.
It is a virus infecting Win32. If you don't use wine, then your system isn't infected. Just delete any file with these names if you managed to download them.

Quote:

%Root%\Funny UST Scandal.avi.exe
%Windows%\Funny UST Scandal.exe
%Windows%\xmss.exe
%Root%\xmss.exe

nanda22 08-05-2008 01:22 AM

Hi,
Thanks for the quick reply. I too was astonished to see a virus on my Linux PC.
There is a continuous file transfer between my Linux PC and another system which is Windows.
Maybe through that way it would've got affected.
I tried to delete the "Funny UST" file, but it came back again.
Actually there are three files which keep getting generated automatically, however much I try to delete them:
Funny UST scandal.avi.exe
xmss.exe
autorun.inf

Please reply

chrism01 08-05-2008 01:26 AM

Show us the file perms etc., e.g.:

ls -lt

and show us how you tried to remove them.
Either that didn't work or the MS side is still infected. Have you cleaned it?

linuxlover.chaitanya 08-05-2008 01:29 AM

All these files have extensions that are Windows-specific and should not harm Linux. But as jschiwal suggested, if you run wine then maybe you will have to take care. Have you tried ClamAV just as a precaution?

nanda22 08-05-2008 03:37 AM

The output of the ls -lt before deleting 'Funny UST... ' and after deleting is as given below:

sysop@SUSECOMP:~/Events> ls -ltr
total 652
-r-xr--r-- 1 root root 229489 2007-11-16 14:45 xmss.exe
-rwxr--r-- 1 root root 229489 2007-11-16 14:45 Funny UST Scandal.avi.exe
drwxr-xr-x 4 sysop users 4096 2008-01-17 04:14 2007
-rw-r--r-- 1 root root 1064 2008-04-10 10:25 Seiscomp3_ftp_570.sh
-rw-r--r-- 1 sysop users 1057 2008-05-12 06:15 Seiscomp3_ftp.sh
-rwxr--r-- 1 sysop users 1490 2008-07-25 05:21 history
-r-xr--r-- 1 root root 144 2008-08-04 07:29 autorun.inf
-rw-r--r-- 1 sysop users 40977 2008-08-05 01:08 ev080805005145.history
-rw-r--r-- 1 sysop users 3904 2008-08-05 01:08 ev080805005145
-rw-r--r-- 1 sysop users 30363 2008-08-05 01:20 ev080805010110.history
-rw-r--r-- 1 sysop users 3368 2008-08-05 01:20 ev080805010110
-rw-r--r-- 1 sysop users 3745 2008-08-05 02:33 ev080805020101
-rw-r--r-- 1 sysop users 35808 2008-08-05 02:33 ev080805020101.history
drwxr-xr-x 10 sysop users 4096 2008-08-05 07:00 2008
sysop@SUSECOMP:~/Events> rm -f Funny\ UST\ Scandal.avi.exe autorun.inf xmss.exe
sysop@SUSECOMP:~/Events> ls -ltr
total 184
drwxr-xr-x 4 sysop users 4096 2008-01-17 04:14 2007
-rw-r--r-- 1 root root 1064 2008-04-10 10:25 Seiscomp3_ftp_570.sh
-rw-r--r-- 1 sysop users 1057 2008-05-12 06:15 Seiscomp3_ftp.sh
-rwxr--r-- 1 sysop users 1490 2008-07-25 05:21 history
-rw-r--r-- 1 sysop users 40977 2008-08-05 01:08 ev080805005145.history
-rw-r--r-- 1 sysop users 3904 2008-08-05 01:08 ev080805005145
-rw-r--r-- 1 sysop users 30363 2008-08-05 01:20 ev080805010110.history
-rw-r--r-- 1 sysop users 3368 2008-08-05 01:20 ev080805010110
-rw-r--r-- 1 sysop users 3745 2008-08-05 02:33 ev080805020101
-rw-r--r-- 1 sysop users 35808 2008-08-05 02:33 ev080805020101.history
drwxr-xr-x 10 sysop users 4096 2008-08-05 07:00 2008
sysop@SUSECOMP:~/Events> ls -ltr
total 652
-r-xr--r-- 1 root root 229489 2007-11-16 14:45 xmss.exe
-rwxr--r-- 1 root root 229489 2007-11-16 14:45 Funny UST Scandal.avi.exe
drwxr-xr-x 4 sysop users 4096 2008-01-17 04:14 2007
-rw-r--r-- 1 root root 1064 2008-04-10 10:25 Seiscomp3_ftp_570.sh
-rw-r--r-- 1 sysop users 1057 2008-05-12 06:15 Seiscomp3_ftp.sh
-rwxr--r-- 1 sysop users 1490 2008-07-25 05:21 history
-r-xr--r-- 1 root root 144 2008-08-04 07:29 autorun.inf
-rw-r--r-- 1 sysop users 40977 2008-08-05 01:08 ev080805005145.history
-rw-r--r-- 1 sysop users 3904 2008-08-05 01:08 ev080805005145
-rw-r--r-- 1 sysop users 30363 2008-08-05 01:20 ev080805010110.history
-rw-r--r-- 1 sysop users 3368 2008-08-05 01:20 ev080805010110
-rw-r--r-- 1 sysop users 3745 2008-08-05 02:33 ev080805020101
-rw-r--r-- 1 sysop users 35808 2008-08-05 02:33 ev080805020101.history
drwxr-xr-x 10 sysop users 4096 2008-08-05 07:00 2008
sysop@SUSECOMP:~/Events>

chrism01 08-05-2008 08:45 AM

Yeah, I was going to say you need to clean up the MS system first; looks like it's still installing that virus from somewhere.
The fact that they are owned by root is very bad. You should never allow systems to accept remote logins etc. via the root acct.

jschiwal 08-06-2008 02:13 AM

I second it about root access. If you are offering a share on the Linux machine, then the Windows machine is probably replicating itself in any drive it has write access to on the network. A common and very dangerous mistake some people make is to share the C:\ drive in Windows. Only share services you need to. Never share a system directory.

I would recommend creating a new group to match your username and make that your default group. SuSE's default of "users" being the default will allow any user to read your files.

You will probably need to reinstall Windows on that machine and disconnect it from the network until you are done. You can't reliably remove viruses any more.

I don't think it is legal in Unix/Linux to have uppercase letters in a hostname. It looks pretty sloppy as well.
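
The situation chrism01 and jschiwal describe above (worm files re-created on a writable share and owned by root) can be confirmed from the Linux side without deleting anything. The script below is an added example, not something posted in the thread; it assumes the launcher is named in autorun.inf's `open=` or `shellexecute=` key, and the sample share it builds uses the file names from the listing with constructed contents.

```shell
#!/bin/sh
# Added example (not from the thread): report Windows autorun-worm droppings
# in a shared directory. Read-only: prints "owner<TAB>reason<TAB>path".

# Payload names an autorun.inf launches via its open= / shellexecute= keys.
autorun_targets() {
    tr -d '\r' < "$1" |
        grep -iE '^[[:space:]]*(open|shellexecute)[[:space:]]*=' |
        sed 's/^[^=]*=[[:space:]]*//'
}

# Owner column of "ls -l", the field the thread's listing shows as root.
owner_of() { ls -ld "$1" | awk '{print $3}'; }

scan_share() {
    # Match autorun.inf in any case, plus double extensions such as .avi.exe.
    find "$1" -type f \( -iname 'autorun.inf' -o -iname '*.*.exe' \) |
    while IFS= read -r f; do
        base=$(basename "$f" | tr '[:upper:]' '[:lower:]')
        if [ "$base" = "autorun.inf" ]; then
            printf '%s\tautorun.inf\t%s\n' "$(owner_of "$f")" "$f"
            # Follow the launcher reference to catch plain names like xmss.exe.
            autorun_targets "$f" | while IFS= read -r t; do
                p="$(dirname "$f")/$t"
                if [ -f "$p" ]; then
                    printf '%s\tlaunched-by-autorun\t%s\n' "$(owner_of "$p")" "$p"
                fi
            done
        else
            printf '%s\tdouble-extension\t%s\n' "$(owner_of "$f")" "$f"
        fi
    done
}

# Constructed sample share using the file names from the thread (contents made up).
make_sample() {
    d=$(mktemp -d)
    : > "$d/Funny UST Scandal.avi.exe"; : > "$d/xmss.exe"; : > "$d/Seiscomp3_ftp.sh"
    printf '[autorun]\r\nopen=xmss.exe\r\n' > "$d/autorun.inf"
    printf '%s\n' "$d"
}

# Scan the directory given as $1, or the constructed sample when none is given.
scan_share "${1:-$(make_sample)}"
```

An owner of root on the reported files means the share is being written with root privileges, which is the misconfiguration to fix alongside cleaning the Windows machine.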

nanda22 08-07-2008 12:07 AM

Hi,
Thank you very much for your great help.
I've installed ClamAV, now the virus has been removed.

I have one small doubt: how can I find the outgoing IP address of my Linux system?

nanda22 08-07-2008 01:23 AM

I've installed ClamAV, but still that virus has not been removed.
How to disinfect the virus "Funny UST .... " using ClamAV?
Thanks in advance

junpa 08-07-2008 01:28 AM

nanda22,

Visit this site: http://whatismyip.com

Your Linux box is not 'infected'. You need to disinfect the Windows box.

So you CANNOT get rid of the problem from Linux. (Re)read what jschiwal posted.

nanda22 08-07-2008 01:32 AM

Quote:

Originally Posted by junpa (Post 3239465)
nanda22,

visit this site: http://whatismyip.com

Hi Junpa,
Thank you.
I know about this "whatismyip.com",
but there is no internet connection to that system.

junpa 08-07-2008 01:44 AM

nanda22,

Well, you need to give more information about your setup. Do you mean just to that site or to the internet, period? You are obviously connected to the internet.

You can also try: http://www.checkip.org

Or just google for "what is my ip".

Mr. C. 08-07-2008 01:55 AM

Nanda22, please don't post the same thread twice.

http://www.linuxquestions.org/questi...s-help-661053/

Please use this thread for continued conversation.


All times are GMT -5.