clamscan found this: BOOTx64.EFI: Win.Trojan.Agent-1428496 FOUND

Joel Rees joel.rees at gmail.com
Thu Aug 25 00:32:24 UTC 2016


I'm trying to analyze a friend's MSWindows 8 machine that is
misbehaving. I booted up a liveUSB of ubuntu 14.04 and found certain
information that I thought was reassuring.

Then I took the liveUSB home and scanned it with clamscan on my home
box. Found this:

>  /media/Ubuntu 14.04 ja amd64/EFI/BOOT/BOOTx64.EFI: Win.Trojan.Agent-1428496 FOUND

I built the live USB back in April 2014, apparently.

On virustotal, I found this

>  https://www.virustotal.com/en/file/ca85b6bbc2633bd00d427765b92b55de21e1ec27fe44611b541bc2c9f187bc9f/analysis/

which says this is suspected of being a generic backdoor. Reading the
explanation does not reveal anything about the specific suspicions,
and there is no confirmation.

The file I have does not match the SHA256 signature shown.

This particular signature shows up in the May 29, 2016 publications

>  http://www.gossamer-threads.com/lists/clamav/virusdb/66319

Other matches on the web include a post on a site in German which, if
google translate handles it at all well, seems to ignore it, a French
site that doesn't seem to conclude anything, and a Spanish site that
just says it looks suspicious.

I would be interested, if anyone has a liveusb and clamscan handy, in
the results of a clamscan and a "gpg --print-mds" on your efi boot
file at

>  amd64/EFI/BOOT/BOOTx64.EFI

although I must assume the message digests ought to be different
unless you have a Japanese 14.04 from just before April 22 2014.

gpg --print-mds gives this:

-------------------------
/media/ride/efimalw/BOOTx64.EFI:    MD5 = 70 95 61 93 24 A9 FB 78  64 22 D7 42 7C 05 64 05
/media/ride/efimalw/BOOTx64.EFI:   SHA1 = 4A5C 6E0B 61E9 1432 7057 4D41 FF83 B054 613A 1763
/media/ride/efimalw/BOOTx64.EFI: RMD160 = 939D EE8B 340F E60D 5615 615E 7526 300F 98AC D16E
/media/ride/efimalw/BOOTx64.EFI: SHA224 = D60E3D22 9800A2CE 97278C29 19BB9848 66EBC379 7634922F 957C9B27
/media/ride/efimalw/BOOTx64.EFI: SHA256 = B6058875 CA3D3CC2 BD8925E1 255942EC A445C81C 0F93619C 4BAB5508 ECC56B92
/media/ride/efimalw/BOOTx64.EFI: SHA384 = 735D543F FE1D3CE7 FEFBB38A 1AC23128 FCBC47A6 79A75C78 3CA1C91F B1BDB7C5 3E70BDBB 7505CD46 1A0C1C41 37255129
/media/ride/efimalw/BOOTx64.EFI: SHA512 = 986E5B79 39EC83E4 9F2B03B4 EF9996CB 2540EDB7 92D63198 5907FFAF EDE06AFF 38770556 743793BD 914BCE99 6060BB73 1863B084 A2B8B538 649A80D5 7E0CBDFA
--------------------------

In the meantime, I'm going to check the installer I think I installed
the liveUSB from against the current installer, etc.

(I really didn't want to have to do another install to decide whether
my friend's machine had a self-replicating backdoor on it, but it
looks like I will have to.)

-- 
Joel Rees

I'm imagining I'm a novelist:
http://joel-rees-economics.blogspot.com/2016/06/econ101-novel-toc.html
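Editor's note: the post turns on two checks that are easy to get wrong by hand, namely reading digests back out of "gpg --print-mds" output that a mail client has wrapped, and comparing them with the SHA-256 that VirusTotal embeds in its /file/<hash>/ URL. The script below is an added example, not code from the post or from Ubuntu; it embeds the poster's digest block (wrapped at the column where mail clients typically break long lines, since that is how such output arrives in a list archive) and the VirusTotal URL he cites as constructed input, checks each digest has the length its algorithm requires (which catches a mangled paste), and shows that the posted SHA-256 and the VirusTotal sample's SHA-256 are not the same file. It also computes the same digest set for a local file so the same comparison can be run against a BOOTx64.EFI taken from another liveUSB or from the installer ISO; the file path is the reader's choice and is not on the page.

```python
"""Parse `gpg --print-mds` output and compare it with other digests.

Added example (not code from the original post or from Ubuntu). It re-uses
the digests the poster printed for BOOTx64.EFI and the SHA-256 embedded in
the VirusTotal URL he cites, and shows that the two refer to different files.
"""
import hashlib
import re

# Constructed input: the gpg --print-mds block from the post, with the line
# wrapping a mail client typically introduces.
GPG_PRINT_MDS_OUTPUT = """\
/media/ride/efimalw/BOOTx64.EFI:    MD5 = 70 95 61 93 24 A9 FB 78  64
22 D7 42 7C 05 64 05
/media/ride/efimalw/BOOTx64.EFI:   SHA1 = 4A5C 6E0B 61E9 1432 7057
4D41 FF83 B054 613A 1763
/media/ride/efimalw/BOOTx64.EFI: RMD160 = 939D EE8B 340F E60D 5615
615E 7526 300F 98AC D16E
/media/ride/efimalw/BOOTx64.EFI: SHA224 = D60E3D22 9800A2CE 97278C29
19BB9848 66EBC379 7634922F 957C9B27
/media/ride/efimalw/BOOTx64.EFI: SHA256 = B6058875 CA3D3CC2 BD8925E1
255942EC A445C81C 0F93619C 4BAB5508 ECC56B92
/media/ride/efimalw/BOOTx64.EFI: SHA384 = 735D543F FE1D3CE7 FEFBB38A
1AC23128 FCBC47A6 79A75C78 3CA1C91F B1BDB7C5 3E70BDBB 7505CD46
1A0C1C41 37255129
/media/ride/efimalw/BOOTx64.EFI: SHA512 = 986E5B79 39EC83E4 9F2B03B4
EF9996CB 2540EDB7 92D63198 5907FFAF EDE06AFF 38770556 743793BD
914BCE99 6060BB73 1863B084 A2B8B538 649A80D5 7E0CBDFA
"""

# VirusTotal file URLs carry the SHA-256 of the sample; this is the URL
# quoted in the post.
VIRUSTOTAL_URL = ("https://www.virustotal.com/en/file/"
                  "ca85b6bbc2633bd00d427765b92b55de21e1ec27fe44611b541bc2c9f187bc9f"
                  "/analysis/")

# Hex length of each digest gpg --print-mds emits; a parsed digest of any
# other length means the copy-paste was mangled and must not be compared.
DIGEST_HEX_LEN = {"MD5": 32, "SHA1": 40, "RMD160": 40, "SHA224": 56,
                  "SHA256": 64, "SHA384": 96, "SHA512": 128}

_HEADER = re.compile(r"^(?P<path>.+?):\s+(?P<algo>[A-Z0-9]+) = (?P<hex>.*)$")
_CONTINUATION = re.compile(r"^[0-9A-Fa-f ]+$")


def parse_print_mds(text):
    """Return {path: {ALGO: lowercase hex digest}} from gpg --print-mds output.

    Wrapped continuation lines (hex only) are glued onto the preceding entry;
    separator and blank lines end the current entry and are otherwise ignored.
    """
    result = {}
    current = None  # (path, algo) of the entry being accumulated
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            current = (m.group("path"), m.group("algo"))
            result.setdefault(current[0], {})[current[1]] = m.group("hex")
        elif current and line.strip() and _CONTINUATION.match(line):
            result[current[0]][current[1]] += line
        else:
            current = None
    # Normalise: drop gpg's grouping spaces, force lowercase, check lengths.
    for path, digests in result.items():
        for algo, raw in digests.items():
            hexdigest = raw.replace(" ", "").lower()
            want = DIGEST_HEX_LEN.get(algo)
            if want is not None and len(hexdigest) != want:
                raise ValueError(f"{path}: {algo} has {len(hexdigest)} hex "
                                 f"chars, expected {want}")
            digests[algo] = hexdigest
    return result


def sha256_from_virustotal_url(url):
    """Extract the 64-hex SHA-256 VirusTotal puts in its /file/<hash>/ URLs."""
    m = re.search(r"/file/([0-9a-fA-F]{64})/", url)
    if not m:
        raise ValueError("no SHA-256 found in URL")
    return m.group(1).lower()


def digests_of_bytes(data):
    """Compute the gpg --print-mds digest set for in-memory data.

    RIPEMD-160 (and MD5 on FIPS builds) is skipped if the local OpenSSL does
    not provide it, so the result may contain fewer keys than DIGEST_HEX_LEN.
    """
    out = {}
    for algo, name in [("MD5", "md5"), ("SHA1", "sha1"), ("RMD160", "ripemd160"),
                       ("SHA224", "sha224"), ("SHA256", "sha256"),
                       ("SHA384", "sha384"), ("SHA512", "sha512")]:
        try:
            out[algo] = hashlib.new(name, data).hexdigest()
        except ValueError:  # algorithm unavailable in this hashlib build
            continue
    return out


def digests_of_file(path):
    """Digest set of a file on disk, e.g. a BOOTx64.EFI from another liveUSB."""
    with open(path, "rb") as fh:
        return digests_of_bytes(fh.read())


def same_file(posted, computed):
    """True only if every digest present in both dicts agrees."""
    common = set(posted) & set(computed)
    return bool(common) and all(posted[a] == computed[a] for a in common)


if __name__ == "__main__":
    parsed = parse_print_mds(GPG_PRINT_MDS_OUTPUT)
    local = parsed["/media/ride/efimalw/BOOTx64.EFI"]
    vt = sha256_from_virustotal_url(VIRUSTOTAL_URL)
    print("posted SHA256    :", local["SHA256"])
    print("VirusTotal SHA256:", vt)
    print("same sample?     :", local["SHA256"] == vt)
```

Run as-is it reports that the poster's file and the VirusTotal sample are different files, which is consistent with what the post says; a ClamAV signature match only means the file contains the byte pattern the signature describes, not that it is the sample VirusTotal analysed. To compare against a known-good copy, point digests_of_file at EFI/BOOT/BOOTx64.EFI from the original ISO (mounted with "mount -o loop") and feed the result to same_file together with the parsed digests; any mismatch in the full digest set means the two files differ, while a match across all of them is strong evidence they are the same file.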
