clamscan found this: BOOTx64.EFI: Win.Trojan.Agent-1428496 FOUND

Joel Rees joel.rees at gmail.com
Thu Aug 25 23:16:24 UTC 2016


On Thu, Aug 25, 2016 at 10:47 PM, Nils Kassube <kassube at gmx.net> wrote:
> Joel Rees wrote:
>> I'm trying to analyze a friend's MSWindows 8 machine that is
>> misbehaving. I booted up a liveUSB of ubuntu 14.04 and found certain
>> information that I thought was reassuring.
>>
>> Then I took the liveUSB home and scanned it with clamscan on my home
>> box. Found this:
>> >  /media/Ubuntu 14.04 ja amd64/EFI/BOOT/BOOTx64.EFI: Win.Trojan.Agent-1428496 FOUND
>
> Did you insert the USB stick while Windows was running on the
> misbehaving machine? If you only used it with Linux, I would assume it
> is a false positive.

Unfortunately, my fingers were not fast enough the first time.

>> I would be interested, if anyone has a liveusb and clamscan handy, on
>> the results of a clamscan and a "gpg --print-mds" on your efi boot
>> file at
>>
>> >  amd64/EFI/BOOT/BOOTx64.EFI
>>
>> although I must assume the message digests ought to be different
>> unless you have a Japanese 14.04 from just before April 22 2014.
>
> I don't have clamscan installed, but the BOOTx64.EFI of the Ubuntu 14.04
> image seems to be the same as yours.
>
>> gpg --print-mds gives this:
>>
>> -------------------------
>> /media/ride/efimalw/BOOTx64.EFI:    MD5 = 70 95 61 93 24 A9 FB 78  64 22 D7 42 7C 05 64 05
> /mnt/EFI/BOOT/BOOTx64.EFI:    MD5 = 70 95 61 93 24 A9 FB 78  64 22 D7 42 7C 05 64 05
>
>> /media/ride/efimalw/BOOTx64.EFI:   SHA1 = 4A5C 6E0B 61E9 1432 7057  4D41 FF83 B054 613A 1763
> /mnt/EFI/BOOT/BOOTx64.EFI:   SHA1 = 4A5C 6E0B 61E9 1432 7057  4D41 FF83 B054 613A 1763
> [...]

Is that one of the currently downloadable images?

On the one hand, I would love an excuse to stop checking all the
positives that are coming up on the scan and just go ahead with the
wipe and re-install.

Twelve positives yesterday from Program Files, the first five were
probably false. It was past nine at that point so I packed it up and
promised to come back today.

(Actually, with solid evidence, I might try to get her off of
MSWindows and onto Ubuntu, or at least MacOS.

But I need to find her a replacement for the nengajo standard, Fudeoh.
Mostly, it's a postcard creator with an address database for mailmerge
printing, highly integrated, and able to do bunches of stuff with a
single button push.

Need to take this on to the Japanese Ubuntu list.)

On the other hand, she's getting along in age. She doesn't really need
the stress, if we can avoid it.

Thanks.

Joel Rees
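The digest comparison the two correspondents did by hand can be scripted. The following is an added example, not code from the thread: it parses `gpg --print-mds` output (wrapped continuation lines included), hashes a local file with Python's hashlib under the same labels gpg uses, and lists the digests that disagree. The embedded reference output is constructed from the values quoted in the thread; the file to check is whatever path is given on the command line.

```python
import hashlib
import re
import sys

# gpg's digest labels mapped to hashlib names (only the ones compared here).
_HASHLIB_NAMES = {"MD5": "md5", "SHA1": "sha1", "SHA224": "sha224",
                  "SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512"}

# Constructed from the digests quoted in the thread, mail wrapping included.
REFERENCE_OUTPUT = """\
/mnt/EFI/BOOT/BOOTx64.EFI:    MD5 = 70 95 61 93 24 A9 FB 78  64 22 D7 42
7C 05 64 05
/mnt/EFI/BOOT/BOOTx64.EFI:   SHA1 = 4A5C 6E0B 61E9 1432 7057  4D41 FF83
B054 613A 1763
"""

def parse_print_mds(text):
    """Return {ALGO: lowercase hex} from `gpg --print-mds` output. A digest
    starts on a 'file:  ALGO = XX XX ...' line; gpg (for long digests) and
    mail clients (for short ones) wrap the rest onto continuation lines."""
    raw, current = {}, None
    for line in text.splitlines():
        if " = " in line:
            left, right = line.split(" = ", 1)
            current = left.rsplit(":", 1)[-1].strip().upper()
            raw[current] = right
        elif current and line.strip():
            raw[current] += line          # continuation of the previous digest
    digests = {}
    for algo, value in raw.items():
        hexstr = re.sub(r"\s+", "", value).lower()
        if not re.fullmatch(r"[0-9a-f]+", hexstr):
            raise ValueError(f"{algo}: not a hex digest: {value!r}")
        digests[algo] = hexstr
    return digests

def digests_of_bytes(data, algos=("MD5", "SHA1", "SHA256")):
    return {a: hashlib.new(_HASHLIB_NAMES[a], data).hexdigest() for a in algos}

def mismatches(local, reference):
    """Algorithms known to both sides whose digests differ; an empty list (with
    at least one shared algorithm) means the local copy matches the reference."""
    return [a for a in sorted(set(local) & set(reference)) if local[a] != reference[a]]

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        local = digests_of_bytes(f.read(), ("MD5", "SHA1"))
    bad = mismatches(local, parse_print_mds(REFERENCE_OUTPUT))
    print("matches reference" if not bad else "differs in: " + ", ".join(bad))
```

Saved as, say, check_efi.py and run as `python3 check_efi.py /path/to/EFI/BOOT/BOOTx64.EFI`, a match against the digests of a copy taken from a clean Ubuntu image is the evidence that supports reading the ClamAV hit as a false positive; replace REFERENCE_OUTPUT with the `gpg --print-mds` output of your own known-good copy.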