clamscan found this: BOOTx64.EFI: Win.Trojan.Agent-1428496 FOUND

Nils Kassube kassube at gmx.net
Thu Aug 25 13:47:14 UTC 2016


Joel Rees wrote:
> I'm trying to analyze a friend's MSWindows 8 machine that is
> misbehaving. I booted up a liveUSB of ubuntu 14.04 and found certain
> information that I thought was reassuring.
> 
> Then I took the liveUSB home and scanned it with clamscan on my home
> box. Found this:
> >  /media/Ubuntu 14.04 ja amd64/EFI/BOOT/BOOTx64.EFI:
> >  Win.Trojan.Agent-1428496 FOUND

Did you insert the USB stick while Windows was running on the 
misbehaving machine? If you only used it with Linux, I would assume it 
is a false positive.

> I would be interested, if anyone has a liveusb and clamscan handy, on
> the results of a clamscan and a "gpg --print-mds" on your efi boot
> file at
> 
> >  amd64/EFI/BOOT/BOOTx64.EFI
> 
> although I must assume the message digests ought to be different
> unless you have a Japanese 14.04 from just before April 22 2014.

I don't have clamscan installed, but the BOOTx64.EFI of the Ubuntu 14.04 
image seems to be the same as yours.

> gpg --print-mds gives this:
> 
> -------------------------
> /media/ride/efimalw/BOOTx64.EFI:    MD5 = 70 95 61 93 24 A9 FB 78  64 22 D7 42 7C 05 64 05
/mnt/EFI/BOOT/BOOTx64.EFI:    MD5 = 70 95 61 93 24 A9 FB 78  64 22 D7 42 7C 05 64 05

> /media/ride/efimalw/BOOTx64.EFI:   SHA1 = 4A5C 6E0B 61E9 1432 7057  4D41 FF83 B054 613A 1763
/mnt/EFI/BOOT/BOOTx64.EFI:   SHA1 = 4A5C 6E0B 61E9 1432 7057  4D41 FF83 B054 613A 1763

> /media/ride/efimalw/BOOTx64.EFI: RMD160 = 939D EE8B 340F E60D 5615  615E 7526 300F 98AC D16E
/mnt/EFI/BOOT/BOOTx64.EFI: RMD160 = 939D EE8B 340F E60D 5615  615E 7526 300F 98AC D16E

> /media/ride/efimalw/BOOTx64.EFI: SHA224 = D60E3D22 9800A2CE 97278C29 19BB9848 66EBC379 7634922F 957C9B27
/mnt/EFI/BOOT/BOOTx64.EFI: SHA224 = D60E3D22 9800A2CE 97278C29 19BB9848 66EBC379 7634922F 957C9B27

> /media/ride/efimalw/BOOTx64.EFI: SHA256 = B6058875 CA3D3CC2 BD8925E1 255942EC A445C81C 0F93619C 4BAB5508 ECC56B92
/mnt/EFI/BOOT/BOOTx64.EFI: SHA256 = B6058875 CA3D3CC2 BD8925E1 255942EC A445C81C 0F93619C 4BAB5508 ECC56B92

> /media/ride/efimalw/BOOTx64.EFI: SHA384 = 735D543F FE1D3CE7 FEFBB38A 1AC23128 FCBC47A6 79A75C78 3CA1C91F B1BDB7C5 3E70BDBB 7505CD46 1A0C1C41 37255129
/mnt/EFI/BOOT/BOOTx64.EFI: SHA384 = 735D543F FE1D3CE7 FEFBB38A 1AC23128 FCBC47A6 79A75C78 3CA1C91F B1BDB7C5 3E70BDBB 7505CD46 1A0C1C41 37255129

> /media/ride/efimalw/BOOTx64.EFI: SHA512 = 986E5B79 39EC83E4 9F2B03B4 EF9996CB 2540EDB7 92D63198 5907FFAF EDE06AFF 38770556 743793BD 914BCE99 6060BB73 1863B084 A2B8B538 649A80D5 7E0CBDFA
/mnt/EFI/BOOT/BOOTx64.EFI: SHA512 = 986E5B79 39EC83E4 9F2B03B4 EF9996CB 2540EDB7 92D63198 5907FFAF EDE06AFF 38770556 743793BD 914BCE99 6060BB73 1863B084 A2B8B538 649A80D5 7E0CBDFA


Nils
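The comparison the two posters did by hand, as an added example that is not code from this thread or from Ubuntu: a small Python script that prints a file's digests in the same layout `gpg --print-mds` uses and compares them, ignoring grouping spaces and mail line-wrapping, against the values posted above (copied into THREAD_REFERENCE from the messages). All function names are my own; RIPEMD-160 is skipped if the local OpenSSL build does not provide it.

```python
import hashlib
import sys

# Digest algorithms `gpg --print-mds` reports, mapped to hashlib names.
ALGORITHMS = {
    "MD5": "md5",
    "SHA1": "sha1",
    "RMD160": "ripemd160",  # often only in OpenSSL's legacy provider; skipped if absent
    "SHA224": "sha224",
    "SHA256": "sha256",
    "SHA384": "sha384",
    "SHA512": "sha512",
}

# Digests of BOOTx64.EFI as posted in the thread (both correspondents' copies agreed).
THREAD_REFERENCE = {
    "MD5": "70 95 61 93 24 A9 FB 78  64 22 D7 42 7C 05 64 05",
    "SHA1": "4A5C 6E0B 61E9 1432 7057  4D41 FF83 B054 613A 1763",
    "RMD160": "939D EE8B 340F E60D 5615  615E 7526 300F 98AC D16E",
    "SHA224": "D60E3D22 9800A2CE 97278C29 19BB9848 66EBC379 7634922F 957C9B27",
    "SHA256": "B6058875 CA3D3CC2 BD8925E1 255942EC A445C81C 0F93619C 4BAB5508 ECC56B92",
    "SHA384": "735D543F FE1D3CE7 FEFBB38A 1AC23128 FCBC47A6 79A75C78 3CA1C91F B1BDB7C5 "
              "3E70BDBB 7505CD46 1A0C1C41 37255129",
    "SHA512": "986E5B79 39EC83E4 9F2B03B4 EF9996CB 2540EDB7 92D63198 5907FFAF EDE06AFF "
              "38770556 743793BD 914BCE99 6060BB73 1863B084 A2B8B538 649A80D5 7E0CBDFA",
}


def gpg_format(name, hexdigest):
    """Lay a hex digest out the way `gpg --print-mds` prints it: MD5 as byte
    pairs with a double space after 8 bytes, SHA1/RMD160 as 4-hex groups with a
    double space after 5 groups, the SHA-2 family as 8-hex groups."""
    h = hexdigest.upper()
    if name == "MD5":
        g = [h[i:i + 2] for i in range(0, len(h), 2)]
        return " ".join(g[:8]) + "  " + " ".join(g[8:])
    if name in ("SHA1", "RMD160"):
        g = [h[i:i + 4] for i in range(0, len(h), 4)]
        return " ".join(g[:5]) + "  " + " ".join(g[5:])
    return " ".join(h[i:i + 8] for i in range(0, len(h), 8))


def _hashers():
    """One hash object per algorithm the local hashlib actually supports."""
    out = {}
    for name, hl in ALGORITHMS.items():
        try:
            out[name] = hashlib.new(hl)
        except ValueError:  # algorithm not provided by this OpenSSL build
            pass
    return out


def print_mds(data):
    """Digests of an in-memory byte string, keyed by gpg's algorithm names."""
    hashers = _hashers()
    for h in hashers.values():
        h.update(data)
    return {n: gpg_format(n, h.hexdigest()) for n, h in hashers.items()}


def print_mds_file(path, chunk=1 << 20):
    """Same, streamed from disk so the EFI binary is read once for all algorithms."""
    hashers = _hashers()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {n: gpg_format(n, h.hexdigest()) for n, h in hashers.items()}


def normalize(digest):
    """Drop grouping spaces and mail line-wrapping so pasted digests compare equal."""
    return "".join(digest.split()).upper()


def compare(observed, reference):
    """Per-algorithm verdict for every algorithm present on both sides."""
    return {n: normalize(observed[n]) == normalize(reference[n])
            for n in observed if n in reference}


def identical(observed, reference):
    """True only if at least one algorithm was compared and none disagreed."""
    verdicts = compare(observed, reference)
    return bool(verdicts) and all(verdicts.values())


if __name__ == "__main__":
    # Usage: python3 efi_mds.py /media/.../EFI/BOOT/BOOTx64.EFI
    mds = print_mds_file(sys.argv[1])
    verdicts = compare(mds, THREAD_REFERENCE)
    for name, value in mds.items():
        mark = "ok" if verdicts.get(name) else "MISMATCH"
        print(f"{sys.argv[1]}: {name:>6} = {value}  [{mark}]")
    sys.exit(0 if identical(mds, THREAD_REFERENCE) else 1)
```

A full match shows only that your copy is byte-identical to the two posters' copies. To tie it to what Canonical actually shipped, compare against the BOOTx64.EFI taken from the official ISO (or its published checksums) and check the binary's Authenticode signature, for example with sbverify from sbsigntool; an antivirus signature name on its own settles neither question.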

More information about the ubuntu-users mailing list