[clamav-users] Unix.Trojan.ElkKnot FOUND

DUCARROZ Birgit birgit.ducarroz at unifr.ch
Thu May 22 08:52:02 UTC 2014


Oops, this is the first time I have to do this. Using Ubuntu, is there something 
easy like an apt-get to install, or maybe a shell script that is able to 
create md5s or sha256s?
I read this article http://forums.clamwin.com/viewtopic.php?t=4007 but 
this does not really help me.
Suggestions on how to create md5 or sha256 hashes are welcome!

- Birgit


On 22. 05. 14 01:01 , Alain Zidouemba wrote:
> The new signature will be out in the next few releases.
>
> If you could, please provide the md5s or sha256s of the samples that
> alerted.
>
> Thanks,
>
> - Alain
>
> On Wednesday, May 21, 2014, DUCARROZ Birgit <birgit.ducarroz at unifr.ch>
> wrote:
>
>> Thank you a lot! When will it be replaced?
>> I had 317 "infected" files and now I don't know if they are false
>> positives or not.
>> Curiously chkrootkit gave me this:
>>
>> < You have     1 process hidden for readdir command
>>
>> < You have     1 process hidden for ps command
>>
>> < chkproc: Warning: Possible LKM Trojan installed
>>
>> but this message disappeared also one or two days later.
>> Since most of the "infected" files are old, I wonder if they might
>> have been infected afterwards...
>>
>> - Birgit
>>
>>
>> On 21. 05. 14 22:09 , Alain Zidouemba wrote:
>>
>>> It was dropped for performance reasons. We found it to be generating some
>>> false positives, such as the one you likely had. The signature
>>> Unix.Trojan.ElkKnot will be replaced with a better performing one.
>>>
>>> - Alain
>>>
>>>
>>> On Wed, May 21, 2014 at 4:07 PM, DUCARROZ Birgit
>>> <birgit.ducarroz at unifr.ch> wrote:
>>>
>>>> Why has it been dropped? Should I believe now that I have this trojan or
>>>> not?
>>>>
>>>>
>>>> On 21. 05. 14 14:31 , Alain Zidouemba wrote:
>>>>
>>>>> The signature "Unix.Trojan.ElkKnot" has been dropped from our signature set
>>>>> a few releases ago.
>>>>>
>>>>> - Alain
>>>>>
>>>>>
>>>>> On Wed, May 21, 2014 at 5:46 AM, DUCARROZ Birgit
>>>>> <birgit.ducarroz at unifr.ch> wrote:
>>>>>
>>>>>> Sorry, I forgot to note my question:
>>>>>>
>>>>>> Does somebody know what this might be?
>>>>>> When I am scanning the same files now, this message does not appear
>>>>>> again.
>>>>>> Actual version: ClamAV 0.97.8/19011/Wed May 21 09:48:13 2014
>>>>>>
>>>>>>
>>>>>> On 21. 05. 14 11:41 , DUCARROZ Birgit wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> as of 05/13/2014 I suddenly had a lot of older files with the notification
>>>>>>>
>>>>>>> Unix.Trojan.ElkKnot FOUND
>>>>>>>
>>>>>>> Regards,
>>>>>>> Birgit
>>>>>>>
>>>>>>>
>>>>>>>
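
Added example, not part of the original thread and not ClamAV's own tooling: a POSIX shell function that reads a saved clamscan log, selects the lines reporting one signature (clamscan's `path: Signature FOUND` format) and prints the SHA-256 and MD5 of each flagged file with coreutils' `sha256sum` and `md5sum`, which a standard Ubuntu install already includes. The function name `hash_flagged`, the log file and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: hash every file a clamscan log reports for one signature.
# clamscan writes one line per detection: "<path>: <SignatureName> FOUND".

# hash_flagged LOGFILE [SIGNATURE]
# Prints "sha256  md5  path" for each flagged file that still exists.
# The body runs in a subshell so its variables do not leak to the caller.
hash_flagged() (
    log=$1
    suffix=": ${2:-Unix.Trojan.ElkKnot} FOUND"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *"$suffix") path=${line%"$suffix"} ;;  # strip the verdict, keep the path
            *) continue ;;                         # OK lines, summary, other signatures
        esac
        if [ -f "$path" ]; then
            printf '%s  %s  %s\n' \
                "$(sha256sum < "$path" | cut -d' ' -f1)" \
                "$(md5sum < "$path" | cut -d' ' -f1)" \
                "$path"
        else
            printf 'missing: %s\n' "$path" >&2     # file moved or deleted since the scan
        fi
    done < "$log"
)

# Constructed demo: two sample files and a hand-written log in clamscan's format.
demo() (
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/old report.txt"
    : > "$dir/empty.bin"
    cat > "$dir/scan.log" <<EOF
$dir/old report.txt: Unix.Trojan.ElkKnot FOUND
$dir/empty.bin: Unix.Trojan.ElkKnot FOUND
$dir/clean.txt: OK
$dir/gone.bin: Unix.Trojan.ElkKnot FOUND
EOF
    hash_flagged "$dir/scan.log"
    rm -rf "$dir"
)

demo
```

For a real scan, save the output with something like `clamscan -r /path > scan.log` and run `hash_flagged scan.log`; the hash columns are what can be sent along with a false-positive report.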



