
#1 2024-04-07 21:12:54

archie_atlas
Member
Registered: 2021-05-08
Posts: 4

[SOLVED]Clamscan FOUND directories

I made the mistake of clicking Tor links and my laptop froze, and after hard rebooting the fan doesn't stop making noise like it's working hard, even though no demanding processes are being run or shown with ps or bashtop. It used to be silent, so I think something happened. This got me into eventually trying clamscan, and I ended up finding the following directories flagged as FOUND known viruses. I don't think these are related to the Tor incident, but I am curious if deleting these directories is a solution to clean them from the system.

$ grep -v -E 'OK$|Symbolic link$|Empty file$|)$' /clamscan.log | awk '{print ++i ": " $0}'
1: /home/wings/.local/share/virtualenv/wheel/house/pip-23.3.1-py3-none-any.whl: Win.Virus.Expiro-10026576-0 FOUND
2: /home/wings/.local/share/virtualenv/wheel/house/pip-22.3.1-py3-none-any.whl: Win.Virus.Expiro-10026576-0 FOUND
3: /home/wings/.local/share/virtualenv/wheel/house/pip-22.2.2-py3-none-any.whl: Win.Virus.Expiro-10026576-0 FOUND
4: /home/wings/.local/share/virtualenv/wheel/house/pip-23.0-py3-none-any.whl: Win.Virus.Expiro-10026576-0 FOUND
5: /home/wings/.virtualenvs/automation_cookbook/lib/python3.10/site-packages/pip/_vendor/distlib/w64.exe: Win.Virus.Expiro-10026576-0 FOUND
6: /home/wings/.virtualenvs/automation_cookbook/lib/python3.10/site-packages/pip/_vendor/distlib/t32.exe: Win.Virus.Expiro-10026576-0 FOUND
7: /home/wings/.virtualenvs/automation_cookbook/lib/python3.10/site-packages/pip/_vendor/distlib/t64.exe: Win.Virus.Expiro-10026576-0 FOUND
8: /home/wings/.virtualenvs/automation_cookbook/lib/python3.10/site-packages/pip/_vendor/distlib/w64-arm.exe: Win.Virus.Expiro-10026576-0 FOUND
9: /home/wings/.virtualenvs/automation_cookbook/lib/python3.10/site-packages/pip/_vendor/distlib/t64-arm.exe: Win.Virus.Expiro-10026576-0 FOUND
10: /home/wings/.virtualenvs/automation_cookbook/lib/python3.10/site-packages/pip/_vendor/distlib/w32.exe: Win.Virus.Expiro-10026576-0 FOUND
11: /home/wings/.bank_env/lib/python3.11/site-packages/pip/_vendor/distlib/w64.exe: Win.Virus.Expiro-10026576-0 FOUND
12: /home/wings/.bank_env/lib/python3.11/site-packages/pip/_vendor/distlib/t32.exe: Win.Virus.Expiro-10026576-0 FOUND
13: /home/wings/.bank_env/lib/python3.11/site-packages/pip/_vendor/distlib/t64.exe: Win.Virus.Expiro-10026576-0 FOUND
14: /home/wings/.bank_env/lib/python3.11/site-packages/pip/_vendor/distlib/w64-arm.exe: Win.Virus.Expiro-10026576-0 FOUND
15: /home/wings/.bank_env/lib/python3.11/site-packages/pip/_vendor/distlib/t64-arm.exe: Win.Virus.Expiro-10026576-0 FOUND
16: /home/wings/.bank_env/lib/python3.11/site-packages/pip/_vendor/distlib/w32.exe: Win.Virus.Expiro-10026576-0 FOUND
17: /home/wings/Files/github2022/Python3/fullstack_sec/Django-fullsec-project/.venv/lib/python3.10/site-packages/pip/_vendor/distlib/w64.exe: Win.Virus.Expiro-10026576-0 FOUND
18: /home/wings/Files/github2022/Python3/fullstack_sec/Django-fullsec-project/.venv/lib/python3.10/site-packages/pip/_vendor/distlib/t32.exe: Win.Virus.Expiro-10026576-0 FOUND
19: /home/wings/Files/github2022/Python3/fullstack_sec/Django-fullsec-project/.venv/lib/python3.10/site-packages/pip/_vendor/distlib/t64.exe: Win.Virus.Expiro-10026576-0 FOUND
20: /home/wings/Files/github2022/Python3/fullstack_sec/Django-fullsec-project/.venv/lib/python3.10/site-packages/pip/_vendor/distlib/w64-arm.exe: Win.Virus.Expiro-10026576-0 FOUND
21: /home/wings/Files/github2022/Python3/fullstack_sec/Django-fullsec-project/.venv/lib/python3.10/site-packages/pip/_vendor/distlib/t64-arm.exe: Win.Virus.Expiro-10026576-0 FOUND
22: /home/wings/Files/github2022/Python3/fullstack_sec/Django-fullsec-project/.venv/lib/python3.10/site-packages/pip/_vendor/distlib/w32.exe: Win.Virus.Expiro-10026576-0 FOUND
23: /home/wings/Desktop/.cache/pip/http/3/6/0/3/8/36038b1b90a457d67db1c1cf4e7d7b7e9f8255fca24badbbd7340cad: Win.Virus.Expiro-10026576-0 FOUND
24: /home/wings/Desktop/.cache/pip/http/5/7/f/c/f/57fcf59bf1de880e9bc3dda78306b9ff8c0f80cc04ede2d53afefbd0: Win.Virus.Expiro-10026576-0 FOUND
25: /home/wings/Desktop/.cache/pip/http/6/9/a/7/8/69a784ff69eb2a2ef3e99e2d3e6bdb710a433bdd8f3278d21abdceb4: Win.Virus.Expiro-10026576-0 FOUND
26: /home/wings/Desktop/django2023/django3byexample/.venv/lib/python3.10/site-packages/pip/_vendor/distlib/w64.exe: Win.Virus.Expiro-10026576-0 FOUND
27: /home/wings/Desktop/django2023/django3byexample/.venv/lib/python3.10/site-packages/pip/_vendor/distlib/t32.exe: Win.Virus.Expiro-10026576-0 FOUND
28: /home/wings/Desktop/django2023/django3byexample/.venv/lib/python3.10/site-packages/pip/_vendor/distlib/t64.exe: Win.Virus.Expiro-10026576-0 FOUND
29: /home/wings/Desktop/django2023/django3byexample/.venv/lib/python3.10/site-packages/pip/_vendor/distlib/w64-arm.exe: Win.Virus.Expiro-10026576-0 FOUND
30: /home/wings/Desktop/django2023/django3byexample/.venv/lib/python3.10/site-packages/pip/_vendor/distlib/t64-arm.exe: Win.Virus.Expiro-10026576-0 FOUND
31: /home/wings/Desktop/django2023/django3byexample/.venv/lib/python3.10/site-packages/pip/_vendor/distlib/w32.exe: Win.Virus.Expiro-10026576-0 FOUND
32: /usr/lib/python3.11/site-packages/virtualenv/seed/wheels/embed/pip-23.3.1-py3-none-any.whl: Win.Virus.Expiro-10026576-0 FOUND
33: /usr/lib/python3.11/site-packages/pip/_vendor/distlib/w64.exe: Win.Virus.Expiro-10026576-0 FOUND
34: /usr/lib/python3.11/site-packages/pip/_vendor/distlib/t32.exe: Win.Virus.Expiro-10026576-0 FOUND
35: /usr/lib/python3.11/site-packages/pip/_vendor/distlib/t64.exe: Win.Virus.Expiro-10026576-0 FOUND
36: /usr/lib/python3.11/site-packages/pip/_vendor/distlib/t64-arm.exe: Win.Virus.Expiro-10026576-0 FOUND
37: /usr/lib/python3.11/site-packages/pip/_vendor/distlib/w32.exe: Win.Virus.Expiro-10026576-0 FOUND
38: /usr/lib/python3.11/site-packages/pip/_vendor/distlib/w64-arm.exe: Win.Virus.Expiro-10026576-0 FOUND
39: /usr/lib/python3.11/site-packages/pipenv/patched/pip/_vendor/distlib/w64.exe: Win.Virus.Expiro-10026576-0 FOUND
40: /usr/lib/python3.11/site-packages/pipenv/patched/pip/_vendor/distlib/t32.exe: Win.Virus.Expiro-10026576-0 FOUND
41: /usr/lib/python3.11/site-packages/pipenv/patched/pip/_vendor/distlib/t64.exe: Win.Virus.Expiro-10026576-0 FOUND
42: /usr/lib/python3.11/site-packages/pipenv/patched/pip/_vendor/distlib/w32.exe: Win.Virus.Expiro-10026576-0 FOUND
43: /usr/lib/python3.11/ensurepip/_bundled/pip-22.3.1-py3-none-any.whl: Win.Virus.Expiro-10026576-0 FOUND
44:
45: ----------- SCAN SUMMARY -----------
46: Known viruses: 8690060
47: Engine version: 1.2.1
48: Scanned directories: 279914
49: Scanned files: 999297
50: Infected files: 43
51: Total errors: 1002
52: Data scanned: 76384.07 MB
53: Start Date: 2024:04:07 18:20:57
54: End Date:   2024:04:07 22:03:03

What should be a clue in journalctl to provide some information about what happened? I can't find anything of help with journalctl because I don't really know what I am looking for. Is looking for suspicious connections with netstat of any help? What other command to display running services would be a good idea to look at?

Last edited by archie_atlas (2024-04-09 19:28:16)


#2 2024-04-09 00:26:29

mpan
Member
Registered: 2012-08-01
Posts: 1,228

Re: [SOLVED]Clamscan FOUND directories

If you’re being affected by any malware, IMO it’s not what ClamAV detected. Reasoning below.

First of all: don’t panic. If you never downloaded and opened anything outside of Tor Browser, the chances of this being an actual infection are pretty low. It would require breaking out of the sandbox: this kind of vulnerability isn’t occurring often. It would also have to be a yet-undetected 0-day, and that is a valuable asset, often better spent on things other than mining cryptocurrencies. This doesn’t mean you didn’t fall victim to an attack, but this possibility should be taken with a cool head.

Perform a full scan, the entire “/”, from another system. Scanning from a system that is suspected of infection is inconclusive. While most malware doesn’t hide its presence, the instances which do are likely to also make files invisible to the scanner.

If you don’t want to test, but just make sure your system is clean, the best option is to back up all your data (if you don’t already have backups) and install a fresh system. Looking at your virtual envs, I suppose you might’ve been learning programming. So you also have sources, which technically are executable. I would keep your own files, but reinstall all the dependencies too.

Reasoning:
ClamAV signature naming scheme suggests it’s a Windows-only virus (sic!).

The associated logical signature is:

Win.Virus.Expiro-10026576-0;Engine:81-255,Target:1;0&1&2&3&4;53696d706c65204c61756e636865722045786563757461626c65::w;6d616b696e67207374646f757420696e686572697461626c65206661696c6564;436f70797269676874202843292053696d706c65204c61756e636865722055736572::w;53696d706c65204c61756e636865722055736572::w;636f6e74726f6c2068616e646c65722073657474696e67206661696c6564

It’s limited to PE files (Target:1), which only makes it more certain these⁽¹⁾ are not executed on your machine.⁽²⁾ The signature matches anything that contains the strings “Simple Launcher Executable”, “Copyright (C) Simple Launcher User” and “Simple Launcher User” (all as UTF-16), and ASCII-encoded “control handler setting failed” and “making stdout inheritable failed”. This signature will match any file containing these.

If anything, I expect these were pulled into your virtual environments from some other sources, possibly far in the past. And a quick search reveals that this may be a false positive: these files seem to be coming from msys2-contribs/simple_launcher. Possibly the project was used by malware, leading to it being picked up as a malware signature.

____
⁽¹⁾ Doesn’t mean something else isn’t.
⁽²⁾ Unless Wine is used. But having Windows malware running through Wine and hiding its presence on Linux is very unexpected.

Last edited by mpan (2024-04-09 00:33:57)


Sometimes I seem a bit harsh — don’t get offended too easily!

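To make the reasoning in mpan's post concrete, here is an added example (not from the thread, not ClamAV's own code) that parses the quoted logical signature line, decodes each hex subsignature back to the strings mpan lists, honours the Target:1 restriction by checking for a PE header, and evaluates the logical expression "0&1&2&3&4" against a byte buffer. The sample buffers are constructed inline: a synthetic PE stub carrying all five strings (matches), the same stub missing one string (no match), and a non-PE buffer carrying all five (skipped by the target filter). Only the subset of the .ldb syntax this signature uses is implemented; wildcards and offsets are not.

```python
"""Decode and evaluate one ClamAV logical signature (.ldb line) against bytes.

Format subset handled (enough for Win.Virus.Expiro-10026576-0):
  Name;TargetBlock;LogicalExpression;Subsig0;Subsig1;...
Each subsig is a hex-encoded ASCII string; a trailing "::w" means ClamAV
matches its UTF-16LE (wide) form.  Target:1 restricts the signature to PE files.
"""
import re
import struct

# The signature line exactly as quoted in the thread.
SIG = ("Win.Virus.Expiro-10026576-0;Engine:81-255,Target:1;0&1&2&3&4;"
       "53696d706c65204c61756e636865722045786563757461626c65::w;"
       "6d616b696e67207374646f757420696e686572697461626c65206661696c6564;"
       "436f70797269676874202843292053696d706c65204c61756e636865722055736572::w;"
       "53696d706c65204c61756e636865722055736572::w;"
       "636f6e74726f6c2068616e646c65722073657474696e67206661696c6564")


def parse_ldb(line):
    """Split an .ldb line into name, target block, expression and decoded subsigs."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    target = dict(kv.split(":", 1) for kv in tdb.split(","))
    decoded = []
    for s in subsigs:
        wide = s.endswith("::w")
        raw = bytes.fromhex(s[:-3] if wide else s)
        text = raw.decode("ascii")
        # Wide subsigs are matched as UTF-16LE, plain ones as the raw bytes.
        pattern = text.encode("utf-16-le") if wide else raw
        decoded.append({"text": text, "wide": wide, "pattern": pattern})
    return {"name": name, "target": target, "expr": expr, "subsigs": decoded}


def is_pe(buf):
    """Minimal PE check: 'MZ' magic, e_lfanew at 0x3c pointing at 'PE\\0\\0'."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    off = struct.unpack_from("<I", buf, 0x3c)[0]
    return buf[off:off + 4] == b"PE\0\0"


def _eval_expr(expr, hits):
    """Tiny recursive-descent evaluator for '&', '|' and parentheses over subsig ids."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def parse_or():
        nonlocal pos
        val = parse_and()
        while peek() == "|":
            pos += 1
            rhs = parse_and()
            val = val or rhs
        return val

    def parse_and():
        nonlocal pos
        val = parse_atom()
        while peek() == "&":
            pos += 1
            rhs = parse_atom()
            val = val and rhs
        return val

    def parse_atom():
        nonlocal pos
        tok = peek()
        pos += 1
        if tok == "(":
            val = parse_or()
            pos += 1  # consume ')'
            return val
        return hits[int(tok)]

    return parse_or()


def scan_buffer(sig, buf):
    """Apply the target filter, then the subsig search and the logical expression."""
    if sig["target"].get("Target") == "1" and not is_pe(buf):
        return {"target_ok": False, "hits": [], "match": False}
    hits = [s["pattern"] in buf for s in sig["subsigs"]]
    return {"target_ok": True, "hits": hits, "match": _eval_expr(sig["expr"], hits)}


def fake_pe(body):
    """Constructed PE-shaped stub: MZ header, e_lfanew=0x80, 'PE\\0\\0' at 0x80, then body."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3a)          # 0x3c bytes before e_lfanew
    hdr += struct.pack("<I", 0x80)
    hdr += b"\0" * (0x80 - len(hdr))
    hdr += b"PE\0\0"
    return bytes(hdr) + body


SIG_PARSED = parse_ldb(SIG)
PATTERNS = [s["pattern"] for s in SIG_PARSED["subsigs"]]
SAMPLE_MATCH = fake_pe(b"".join(PATTERNS))          # constructed: all five strings
SAMPLE_PARTIAL = fake_pe(b"".join(PATTERNS[:4]))    # constructed: missing subsig 4
SAMPLE_NOT_PE = b"\x7fELF" + b"".join(PATTERNS)     # constructed: not a PE file

if __name__ == "__main__":
    for s in SIG_PARSED["subsigs"]:
        print(("wide " if s["wide"] else "ascii") + ": " + s["text"])
    for label, buf in (("match", SAMPLE_MATCH), ("partial", SAMPLE_PARTIAL), ("not_pe", SAMPLE_NOT_PE)):
        print(label, scan_buffer(SIG_PARSED, buf))
```

Running it prints the five decoded strings and shows that only the PE stub containing all of them satisfies "0&1&2&3&4"; a file with the same strings but no PE header is never examined, which is the Target:1 point made above.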

#3 2024-04-09 19:27:11

archie_atlas
Member
Registered: 2021-05-08
Posts: 4

Re: [SOLVED]Clamscan FOUND directories

Hi, thank you for your answer. I think you are right, and I had a similar opinion about them being outdated flags from virtual env external sources; I am reinstalling all dependencies. I will deal now with how to perform the scan externally. At least after a full system upgrade the fan is no problem anymore. The links I was visiting were old (2002) Tor sites, so I would assume any vulnerability used by tricksters in those years has been (hopefully) patched in most systems and web browsers by now.
