[clamav-users] Is it a real attack?

Al Varnell alvarnell at mac.com
Fri Jan 29 01:26:24 EST 2016


All but the eicar test signature are PUA (Potentially Unwanted Application) detections.  So several comments about PUA need to be made.

First be sure to read the ClamAV FAQ on PUA:
<http://www.clamav.net/documents/potentially-unwanted-applications-pua>.

PUA cannot be a False Positive, by definition (although I’ve seen at least one that should have been and was subsequently removed as being too general).

Detect PUA is normally disabled, so I’m not sure why those are showing up in your installation.  If you would rather not deal with these yourself, then by all means disable it.

I doubt that anybody reading this list will be able to tell you anything more about those files.  The normal approach to PUA is to examine the file and its source, then decide for yourself if it’s something you installed on purpose and need/want to do whatever it is you are doing with your computer or not.

-Al-
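As an added example (not part of Al's reply and not ClamAV or ClamTk project code), here is a small Python triage script for a report like the one quoted below. It separates ClamAV's `PUA.<platform>.<category>.<name>` hits by category, sets the `Eicar-Test-Signature` hits aside as test-string matches, lists anything that is neither (the only hits that would need real attention), and prints the `--exclude-pua` flags that would silence the packer-style categories while leaving Exploit and Phishing detections on. The sample input is constructed from lines of the quoted report plus one constructed clamscan-style `path: Sig FOUND` line; the category set is a partial list assembled from this report and ClamAV's documented PUA categories, and the "first known part after `PUA.`" rule is my own heuristic for signature names.

```python
"""Triage a ClamTk / clamscan report: PUA hits by category, test-signature hits, and the rest."""
import re
from collections import Counter

# Constructed sample: lines taken from the report quoted in the thread, plus one
# clamscan-style "path: Sig FOUND" line, to show both layouts parsing the same way.
SAMPLE_REPORT = """\
/usr/share/mime/mime.cache   PUA.Win.Exploit.CVE_2012_0110
/usr/lib/python2.7/dist-packages/pyclamd/pyclamd.pyc   Eicar-Test-Signature-1
/home/jjpg/.wine/drive_c/Program Files (x86)/Adobe/Audition 1.5/Audition.exe   PUA.Win32.Packer.Upx-28
/usr/share/spamassassin/72_active.cf   PUA.Phishing.Bank
/home/jjpg/.wine/drive_c/Program Files (x86)/QuickTime/PictureViewer.exe   PUA.Packed.Armadillo-1
/usr/share/doc/slv2/jquery.js   PUA.HTML.Exploit.CVE_2014_0322
/tmp/constructed/eicar.com: Eicar-Test-Signature FOUND
"""

# Partial list: the categories seen in this report plus some documented ClamAV PUA categories.
PUA_CATEGORIES = {"Packed", "Packer", "Exploit", "Phishing", "PwTool", "NetTool",
                  "P2P", "IRC", "RAT", "Tool", "Spy", "Scanner", "Server", "Script"}

# A signature name: letters, digits, dots, underscores, dashes, no spaces.
SIG_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]*$")


def parse_report(text):
    """Return (path, signature) pairs; directory listings and header lines are skipped."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(" FOUND"):              # clamscan layout: "path: Sig FOUND"
            line = line[:-len(" FOUND")]
        parts = line.rsplit(None, 1)             # paths may contain spaces; signatures never do
        if len(parts) != 2:
            continue
        path, sig = parts
        path = path.rstrip(":")                  # clamscan puts a colon after the path
        if not path.startswith("/") or not SIG_RE.match(sig):
            continue
        hits.append((path, sig))
    return hits


def pua_category(sig):
    """PUA category of a signature name, 'Other' for an unknown PUA layout, None if not PUA.

    Heuristic (my assumption): the first dot-separated part after 'PUA.' that is a known
    category wins, so PUA.Win32.Packer.X -> Packer and PUA.Phishing.Bank -> Phishing.
    """
    if not sig.startswith("PUA."):
        return None
    for part in sig.split(".")[1:]:
        if part in PUA_CATEGORIES:
            return part
    return "Other"


def triage(hits):
    """Split hits into PUA (counted by category and by signature), EICAR test hits, and the rest."""
    summary = {"pua_by_category": Counter(), "pua_by_signature": Counter(),
               "eicar_test": [], "other": []}
    for path, sig in hits:
        cat = pua_category(sig)
        if cat is not None:
            summary["pua_by_category"][cat] += 1
            summary["pua_by_signature"][sig] += 1
        elif sig.startswith("Eicar-Test-Signature"):
            summary["eicar_test"].append((path, sig))
        else:
            summary["other"].append((path, sig))   # non-PUA, non-test: needs a real look
    return summary


def exclude_pua_args(summary, noisy=("Packer", "Packed")):
    """clamscan flags that silence only the packer-style categories present in this report."""
    return [f"--exclude-pua={c}" for c in noisy if summary["pua_by_category"][c]]


if __name__ == "__main__":
    s = triage(parse_report(SAMPLE_REPORT))
    print("PUA hits by category:", dict(s["pua_by_category"]))
    print("PUA hits by signature:", dict(s["pua_by_signature"]))
    print("EICAR test-string hits:", len(s["eicar_test"]))
    print("Hits needing attention:", s["other"])
    print("To quiet packer detections:", "clamscan --detect-pua", " ".join(exclude_pua_args(s)))
```

On the quoted report this prints an empty "needing attention" list: every hit is either a PUA category or the EICAR string, which matches Al's reading. The `--exclude-pua` flags only matter when PUA detection is on (`--detect-pua` on the clamscan command line, or `DetectPUA yes` with `ExcludePUA` lines in clamd.conf); the same category names go into `--include-pua` if you would rather opt in to a few categories than opt out of the noisy ones.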

On Jan 19, 2016, at 12:10 PM, Jota Pe <jotape1960 at yahoo.com> wrote:

>     ----- Forwarded message -----
> From: Jota Pe <jotape1960 at yahoo.com>
> To: "clamav-users at lists.clamav.net" <clamav-users at lists.clamav.net> 
> Sent: Sunday, January 17, 2016 12:44:23
> Subject: Is it a real attack?
> 
> I performed a ClamAV scan of my whole desktop PC and the result tells me about some possible infections.
> As the previous mail didn't include the attachment, I copy and paste the log file:
> -----------------------------------------------------------------------------------------------
> 
> ClamTk, v5.19
> Sun Jan 17 12:30:53 2016
> Definiciones de ClamAV: 4227609
> Carpetas analizadas:
> /home/jjpg/.cache/winetricks/comctl32
> /home/jjpg/.cache/winetricks/windowscodecs
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/Microsoft.NET/Framework/v1.1.4322
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/Microsoft.NET/Framework/v2.0.50727
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/Microsoft.NET/Framework/v4.0.30319
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/mono/mono-2.0/bin
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/mono/mono-2.0/lib/mono/2.0
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/mono/mono-2.0/lib/mono/4.0
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/mono/mono-2.0/lib/mono/4.5
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/winsxs/amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_none_deadbeef
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/winsxs/x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_none_deadbeef
> /home/jjpg/.wine/drive_c/Program Files (x86)/Adobe/Audition 1.5
> /home/jjpg/.wine/drive_c/Program Files (x86)/Adobe/Audition 1.5/en_us
> /home/jjpg/.wine/drive_c/Program Files (x86)/Adobe/Flash Player/AddIns/airappinstaller
> /home/jjpg/.wine/drive_c/Program Files (x86)/Common Files/Adobe AIR/Versions/1.0
> /home/jjpg/.wine/drive_c/Program Files (x86)/Common Files/Adobe AIR/Versions/1.0/Resources
> /home/jjpg/.wine/drive_c/Program Files (x86)/Common Files/Apple/Apple Application Support
> /home/jjpg/.wine/drive_c/Program Files (x86)/Elica56/System
> /home/jjpg/.wine/drive_c/Program Files (x86)/QuickTime
> /home/jjpg/.wine/drive_c/Program Files (x86)/QuickTime/QTSystem
> /home/jjpg/.wine/drive_c/Program Files (x86)/ZaraSoft/ZaraRadio
> /home/jjpg/.wine/drive_c/users/Public/Application Data/Apple/Installer Cache/AppleApplicationSupport 2.3.6
> /home/jjpg/.wine/drive_c/users/jjpg/Application Data/Macromedia/Flash Player/www.macromedia.com/bin/airappinstaller
> /home/jjpg/.wine/drive_c/users/jjpg/Local Settings/Temporary Internet Files/Content.IE5/OPWK71SZ
> /home/jjpg/.wine/drive_c/windows/Installer
> /home/jjpg/.wine/drive_c/windows/Microsoft.NET/Framework/v1.1.4322
> /home/jjpg/.wine/drive_c/windows/Microsoft.NET/Framework/v2.0.50727
> /home/jjpg/.wine/drive_c/windows/Microsoft.NET/Framework/v4.0.30319
> /home/jjpg/.wine/drive_c/windows/mono/mono-2.0/bin
> /home/jjpg/.wine/drive_c/windows/mono/mono-2.0/lib/mono/2.0
> /home/jjpg/.wine/drive_c/windows/mono/mono-2.0/lib/mono/4.0
> /home/jjpg/.wine/drive_c/windows/mono/mono-2.0/lib/mono/4.5
> /home/jjpg/.wine/drive_c/windows/mono/mono-2.0/lib/mono/gac/Novell.Directory.Ldap/2.0.0.0__0738eb9f132ed756
> /home/jjpg/.wine/drive_c/windows/winsxs/amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_none_deadbeef
> /home/jjpg/.wine/drive_c/windows/winsxs/x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_none_deadbeef
> /lib/firmware/vxge
> /opt/wine-devel/lib/wine/fakedlls
> /opt/wine-devel/lib64/wine/fakedlls
> /opt/wine-staging/lib64/wine/fakedlls
> /usr/lib/mono/4.0
> /usr/lib/mono/4.5
> /usr/lib/python2.7/dist-packages/pyclamd
> /usr/lib/python3/dist-packages/pyclamd/__pycache__
> /usr/share/doc/slv2
> /usr/share/mime
> /usr/share/spamassassin
> /usr/share/wine-gecko
> /usr/share/wine/gecko
> 
> Encontrados 67 posibles amenazas (283770 archivos analizado).
> 
> /usr/share/mime/mime.cache                                                                                                                                                       PUA.Win.Exploit.CVE_2012_0110          
> /usr/share/wine-gecko/wine_gecko-2.21-x86_64.msi                                                                                                                                 PUA.Win32.Packer.PrivateExeProte-7     
> /usr/lib/python2.7/dist-packages/pyclamd/pyclamd.pyc                                                                                                                             Eicar-Test-Signature-1                 
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/winsxs/x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_none_deadbeef/comctl32.dll        PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/winsxs/amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_none_deadbeef/comctl32.dll      PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/mono/mono-2.0/bin/MonoPosixHelper-x86_64.dll                                                                  PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/mono/mono-2.0/lib/mono/4.0/mscorlib.dll                                                                       PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/mono/mono-2.0/lib/mono/2.0/mscorlib.dll                                                                       PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/mono/mono-2.0/lib/mono/4.5/mscorlib.dll                                                                       PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/mono/mono-2.0/lib/mono/4.5/monop.exe                                                                          PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/Microsoft.NET/Framework/v1.1.4322/mscorlib.dll                                                                PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/Microsoft.NET/Framework/v4.0.30319/mscorlib.dll                                                               PUA.Win32.Packer.PrivateExeProte-7     
> /usr/share/wine-gecko/wine_gecko-2.21-x86.msi                                                                                                                                    PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll                                                               PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.cache/winetricks/comctl32/cc32inst.exe                                                                                                                               PUA.Win32.Packer.Winzip-1              
> /home/jjpg/.cache/winetricks/windowscodecs/wic_x86_enu.exe                                                                                                                       PUA.Win32.Packer.Msvcpp                
> /home/jjpg/.wine/drive_c/users/jjpg/Application Data/Macromedia/Flash Player/www.macromedia.com/bin/airappinstaller/airappinstaller.exe                                          PUA.Win32.Packer.SetupExeSection       
> /home/jjpg/.wine/drive_c/users/jjpg/Local Settings/Temporary Internet Files/Content.IE5/OPWK71SZ/update[1]                                                                       PUA.Win32.Packer.SetupExeSection       
> /home/jjpg/.wine/drive_c/users/jjpg/Local Settings/Temporary Internet Files/Content.IE5/OPWK71SZ/update[0]                                                                       PUA.Win32.Packer.SetupExeSection       
> /home/jjpg/.wine/drive_c/users/Public/Application Data/Apple/Installer Cache/AppleApplicationSupport 2.3.6/AppleApplicationSupport.msi                                           PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.wine/drive_c/windows/winsxs/x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_none_deadbeef/comctl32.dll                                          PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.wine/drive_c/windows/winsxs/amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_none_deadbeef/comctl32.dll                                        PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.wine/drive_c/windows/mono/mono-2.0/bin/MonoPosixHelper-x86_64.dll                                                                                                    PUA.Win32.Packer.PrivateExeProte-7     
> /usr/share/doc/slv2/jquery.js                                                                                                                                                    PUA.HTML.Exploit.CVE_2014_0322         
> /home/jjpg/.wine/drive_c/windows/mono/mono-2.0/lib/mono/4.0/mscorlib.dll                                                                                                         PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.wine/drive_c/windows/mono/mono-2.0/lib/mono/2.0/mscorlib.dll                                                                                                         PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.wine/drive_c/windows/mono/mono-2.0/lib/mono/gac/Novell.Directory.Ldap/2.0.0.0__0738eb9f132ed756/Novell.Directory.Ldap.dll                                            PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.wine/drive_c/windows/mono/mono-2.0/lib/mono/4.5/mscorlib.dll                                                                                                         PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.wine/drive_c/windows/mono/mono-2.0/lib/mono/4.5/monop.exe                                                                                                            PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.wine/drive_c/windows/Installer/8ff4.msi                                                                                                                              PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.wine/drive_c/windows/Installer/8d09.msi                                                                                                                              PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.wine/drive_c/windows/Microsoft.NET/Framework/v1.1.4322/mscorlib.dll                                                                                                  PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.wine/drive_c/windows/Microsoft.NET/Framework/v4.0.30319/mscorlib.dll                                                                                                 PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.wine/drive_c/windows/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll                                                                                                 PUA.Win32.Packer.PrivateExeProte-7     
> /usr/share/spamassassin/72_active.cf                                                                                                                                             PUA.Phishing.Bank                      
> /home/jjpg/.wine/drive_c/Program Files (x86)/Elica56/System/borlndmm.dll                                                                                                         PUA.Win32.Packer.BorlandDelphi-13      
> /home/jjpg/.wine/drive_c/Program Files (x86)/Elica56/System/Elica.exe                                                                                                            PUA.Win32.Packer.BorlandDelphi-14      
> /home/jjpg/.wine/drive_c/Program Files (x86)/Adobe/Audition 1.5/en_us/multitap.dll                                                                                               PUA.Win32.Packer.Starforce-1           
> /home/jjpg/.wine/drive_c/Program Files (x86)/Adobe/Audition 1.5/en_us/sweeper.dll                                                                                                PUA.Win32.Packer.Starforce-1           
> /home/jjpg/.wine/drive_c/Program Files (x86)/Adobe/Audition 1.5/en_us/para.dll                                                                                                   PUA.Win32.Packer.Starforce-1           
> /home/jjpg/.wine/drive_c/Program Files (x86)/Adobe/Audition 1.5/Audition.exe                                                                                                     PUA.Win32.Packer.Upx-28                
> /home/jjpg/.wine/drive_c/Program Files (x86)/Adobe/Audition 1.5/Voc.flt                                                                                                          PUA.Win32.Packer.CreativeAudioFi       
> /home/jjpg/.wine/drive_c/Program Files (x86)/Adobe/Flash Player/AddIns/airappinstaller/airappinstaller.exe                                                                       PUA.Win32.Packer.SetupExeSection       
> /home/jjpg/.wine/drive_c/Program Files (x86)/ZaraSoft/ZaraRadio/ZaraRadio.exe                                                                                                    PUA.Win32.Packer.Devcpp                
> /home/jjpg/.wine/drive_c/Program Files (x86)/QuickTime/QTSystem/QuickTimeUpdateHelper.exe                                                                                        PUA.Win32.Packer.SetupExeSection       
> /usr/share/wine/gecko/wine_gecko-2.21-x86.msi                                                                                                                                    PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.wine/drive_c/Program Files (x86)/QuickTime/PictureViewer.exe                                                                                                         PUA.Packed.Armadillo-1                 
> /home/jjpg/.wine/drive_c/Program Files (x86)/Common Files/Apple/Apple Application Support/libicuuc.dll                                                                           PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.wine/drive_c/Program Files (x86)/Common Files/Apple/Apple Application Support/libicuin.dll                                                                           PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.wine/drive_c/Program Files (x86)/Common Files/Apple/Apple Application Support/icudt46.dll                                                                            PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.wine/drive_c/Program Files (x86)/Common Files/Adobe AIR/Versions/1.0/Resources/airappinstaller.exe                                                                   PUA.Win32.Packer.SetupExeSection       
> /home/jjpg/.wine/drive_c/Program Files (x86)/Common Files/Adobe AIR/Versions/1.0/Resources/WebKit.dll                                                                            PUA.Win32.Packer.PrivateExeProte-7     
> /home/jjpg/.wine/drive_c/Program Files (x86)/Common Files/Adobe AIR/Versions/1.0/Resources/Adobe AIR Updater.exe                                                                 PUA.Win32.Packer.SetupExeSection       
> /home/jjpg/.wine/drive_c/Program Files (x86)/Common Files/Adobe AIR/Versions/1.0/Adobe AIR Application Installer.exe                                                             PUA.Win32.Packer.SetupExeSection       
> /opt/wine-devel/lib64/wine/fakedlls/comctl32.dll                                                                                                                                 PUA.Win32.Packer.PrivateExeProte-7     
> /opt/wine-devel/lib64/wine/fakedlls/clock.exe                                                                                                                                    PUA.Win32.Packer.PrivateExeProte-7     
> /usr/lib/python3/dist-packages/pyclamd/__pycache__/pyclamd.cpython-35.pyc                                                                                                        Eicar-Test-Signature-1                 
> /opt/wine-devel/lib64/wine/fakedlls/user32.dll                                                                                                                                   PUA.Win32.Packer.PrivateExeProte-7     
> /opt/wine-devel/lib/wine/fakedlls/comctl32.dll                                                                                                                                   PUA.Win32.Packer.PrivateExeProte-7     
> /opt/wine-devel/lib/wine/fakedlls/clock.exe                                                                                                                                      PUA.Win32.Packer.PrivateExeProte-7     
> /opt/wine-devel/lib/wine/fakedlls/user32.dll                                                                                                                                     PUA.Win32.Packer.PrivateExeProte-7     
> /opt/wine-staging/lib64/wine/fakedlls/comctl32.dll                                                                                                                               PUA.Win32.Packer.PrivateExeProte-7     
> /opt/wine-staging/lib64/wine/fakedlls/clock.exe                                                                                                                                  PUA.Win32.Packer.PrivateExeProte-7     
> /opt/wine-staging/lib64/wine/fakedlls/user32.dll                                                                                                                                 PUA.Win32.Packer.PrivateExeProte-7     
> /usr/lib/python3/dist-packages/pyclamd/__pycache__/pyclamd.cpython-34.pyc                                                                                                        Eicar-Test-Signature-1                 
> /usr/lib/mono/4.0/mscorlib.dll                                                                                                                                                   PUA.Win32.Packer.PrivateExeProte-7     
> /usr/lib/mono/4.5/mscorlib.dll                                                                                                                                                   PUA.Win32.Packer.PrivateExeProte-7     
> 
> 
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> 
> How many? ???
> Is it a real attack? or False positive? ???
> Thanks a lot for your time!!!
> Greetings and Blessings from Chile!!!!!!!
> Juan