[ubuntu-jp:5576] Re: clamscan found this: BOOTx64.EFI: Win.Trojan.Agent-1428496 FOUND

Joel Rees joel.rees @ gmail.com
Fri, 26 Aug 2016 02:04:24 UTC


I posted this to the English-language list:

https://lists.ubuntu.com/archives/ubuntu-users/2016-August/287082.html

The gist: a friend's MSWindows 8 machine has been misbehaving, so I decided to look into what is on it. I booted a LiveUSB of the Japanese edition of ubuntu 14.04, and the text:

On Thu, Aug 25, 2016 at 9:32 AM, Joel Rees <joel.rees @ gmail.com> wrote:
> I'm trying to analyze a friend's MSWindows 8 machine that is
> misbehaving. I booted up a liveUSB of ubuntu 14.04 and found certain
> information that I thought was reassuring.
>
> Then I took the liveUSB home and scanned it with clamscan on my home
> box. Found this:
>
>>  /media/Ubuntu 14.04 ja amd64/EFI/BOOT/BOOTx64.EFI: Win.Trojan.Agent-1428496 FOUND
>
> I built the live USB back in April 2014, apparently.
>
> On virustotal, I found this
>
>>  https://www.virustotal.com/en/file/ca85b6bbc2633bd00d427765b92b55de21e1ec27fe44611b541bc2c9f187bc9f/analysis/
>
> which says this is suspected of being a generic backdoor. Reading the
> explanation does not reveal anything about the specific suspicions,
> and there is no confirmation.
>
> The file I have does not match the SHA256 signature shown.
>
> This particular signature shows up in the May 29, 2016 publications
>
>>  http://www.gossamer-threads.com/lists/clamav/virusdb/66319
>
> Other matches on the web include a post on a site in German which, if
> google translate handles it at all well, seems to ignore it, a French
> site that doesn't seem to conclude anything, and a Spanish site that
> just says it looks suspicious.
>
> I would be interested, if anyone has a liveusb and clamscan handy, on
> the results of a clamscan and a "gpg --print-mds" on your efi boot
> file at
>
>>  amd64/EFI/BOOT/BOOTx64.EFI
>
> although I must assume the message digests ought to be different
> unless you have a Japanese 14.04 from just before April 22 2014.
>
> gpg --print-mds gives this:
>
> -------------------------
> /media/ride/efimalw/BOOTx64.EFI:    MD5 = 70 95 61 93 24 A9 FB 78  64
> 22 D7 42 7C 05 64 05
> /media/ride/efimalw/BOOTx64.EFI:   SHA1 = 4A5C 6E0B 61E9 1432 7057
> 4D41 FF83 B054 613A 1763
> /media/ride/efimalw/BOOTx64.EFI: RMD160 = 939D EE8B 340F E60D 5615
> 615E 7526 300F 98AC D16E
> /media/ride/efimalw/BOOTx64.EFI: SHA224 = D60E3D22 9800A2CE 97278C29
> 19BB9848 66EBC379 7634922F 957C9B27
> /media/ride/efimalw/BOOTx64.EFI: SHA256 = B6058875 CA3D3CC2 BD8925E1
> 255942EC A445C81C 0F93619C 4BAB5508 ECC56B92
> /media/ride/efimalw/BOOTx64.EFI: SHA384 = 735D543F FE1D3CE7 FEFBB38A
> 1AC23128 FCBC47A6 79A75C78 3CA1C91F B1BDB7C5 3E70BDBB 7505CD46
> 1A0C1C41 37255129
> /media/ride/efimalw/BOOTx64.EFI: SHA512 = 986E5B79 39EC83E4 9F2B03B4
> EF9996CB 2540EDB7 92D63198 5907FFAF EDE06AFF 38770556 743793BD
> 914BCE99 6060BB73 1863B084 A2B8B538 649A80D5 7E0CBDFA
> --------------------------
>
> In the meantime, I'm going to check the installer I think I installed
> the liveUSB from against the current installer, etc.
>
> (I really didn't want to have to do another install to decide whether
> my friend's machine had a self-replicating backdoor on it, but it
> looks like I will have to.)
>
> --
> Joel Rees
>
> I'm imagining I'm a novelist:
> http://joel-rees-economics.blogspot.com/2016/06/econ101-novel-toc.html



-- 
Joel Rees

I'm imagining I'm a novelist:
http://joel-rees-economics.blogspot.com/2016/06/econ101-novel-toc.html
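An added example, not code from the post or from the Ubuntu or ClamAV projects: a small Python script that parses wrapped `gpg --print-mds` output like the block quoted above into a digest table, computes the same digest set over a local copy of BOOTx64.EFI with hashlib, and reports which algorithms agree, so the comparison the post asks for does not depend on eyeballing line-wrapped hex. The sample input is copied from the post; the hashlib algorithm names are an assumption (ripemd160 is missing on some OpenSSL 3 builds, so it is skipped when unavailable).

```python
"""Check a local EFI boot file against digests posted as `gpg --print-mds` output."""
import hashlib
import re

# Digests gpg --print-mds reports, mapped to hashlib names (assumed; ripemd160 may be absent).
GPG_ALGOS = {"MD5": "md5", "SHA1": "sha1", "RMD160": "ripemd160", "SHA224": "sha224",
             "SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512"}

# Sample input: the MD5 and SHA256 lines from the post above, wrapped as the mail client sent them.
SAMPLE_POSTED = """\
> /media/ride/efimalw/BOOTx64.EFI:    MD5 = 70 95 61 93 24 A9 FB 78  64
> 22 D7 42 7C 05 64 05
> /media/ride/efimalw/BOOTx64.EFI: SHA256 = B6058875 CA3D3CC2 BD8925E1
> 255942EC A445C81C 0F93619C 4BAB5508 ECC56B92
"""

ALGO_RE = re.compile(r"(MD5|SHA1|RMD160|SHA224|SHA256|SHA384|SHA512)\s*=\s*(.*)$")
HEX_RE = re.compile(r"[0-9A-Fa-f ]+")

def parse_print_mds(text: str) -> dict:
    """Parse gpg --print-mds output into {ALGO: lowercase hex}; a line of bare hex
    groups directly after a digest line is treated as its mail-wrapped continuation."""
    digests, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # drop reply quoting
        m = ALGO_RE.search(line)
        if m:
            current, rest = m.group(1), m.group(2)
        elif current and HEX_RE.fullmatch(line):
            rest = line
        else:
            current = None  # anything else ends the wrapped digest
            continue
        digests[current] = digests.get(current, "") + re.sub(r"\s+", "", rest).lower()
    return digests

def local_digests(data: bytes) -> dict:
    """Compute the same digest set over file bytes (e.g. open(path, 'rb').read()); skip what this build lacks."""
    out = {}
    for gpg_name, py_name in GPG_ALGOS.items():
        try:
            out[gpg_name] = hashlib.new(py_name, data).hexdigest()
        except ValueError:  # e.g. ripemd160 absent under OpenSSL 3 without the legacy provider
            pass
    return out

def compare(posted: dict, local: dict) -> dict:
    """True/False per algorithm present on both sides; any False means a different file."""
    return {algo: posted[algo] == local[algo] for algo in posted if algo in local}
```

Only a match on every shared algorithm says the two files are byte-identical; a ClamAV hit alone, as the post notes, says nothing about which bytes were flagged.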


