[clamav-users] Is it a real attack?
Al Varnell
alvarnell at mac.com
Fri Jan 29 01:26:24 EST 2016
All but the eicar test signature are PUA (Potentially Unwanted Application) detections. So several comments about PUA need to be made.
First be sure to read the ClamAV FAQ on PUA:
<http://www.clamav.net/documents/potentially-unwanted-applications-pua>.
PUA cannot be a False Positive, by definition (although I’ve seen at least one that should have been and was subsequently removed as being too general).
Detect PUA is normally disabled, so I’m not sure why those are showing up in your installation. If you would rather not deal with these yourself, then by all means disable it.
I doubt that anybody reading this list will be able to tell you anything more about those files. The normal approach to PUA is to examine the file and its source, then decide for yourself if it’s something you installed on purpose and need/want to do whatever it is you are doing with your computer or not.
-Al-
On Jan 19, 2016, at 12:10 PM, Jota Pe <jotape1960 at yahoo.com> wrote:
> ----- Forwarded message -----
> From: Jota Pe <jotape1960 at yahoo.com>
> To: "clamav-users at lists.clamav.net" <clamav-users at lists.clamav.net>
> Sent: Sunday, 17 January 2016 12:44:23
> Subject: Is it a real attack?
>
> I performed a ClamAV scan of all my desktop PC and the result tells me about some possible infections.
> As the previous mail didn't include the attachment, I copy and paste the log file:
> -----------------------------------------------------------------------------------------------
>
> ClamTk, v5.19
> Sun Jan 17 12:30:53 2016
> ClamAV definitions: 4227609
> Folders scanned:
> /home/jjpg/.cache/winetricks/comctl32
> /home/jjpg/.cache/winetricks/windowscodecs
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/Microsoft.NET/Framework/v1.1.4322
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/Microsoft.NET/Framework/v2.0.50727
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/Microsoft.NET/Framework/v4.0.30319
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/mono/mono-2.0/bin
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/mono/mono-2.0/lib/mono/2.0
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/mono/mono-2.0/lib/mono/4.0
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/mono/mono-2.0/lib/mono/4.5
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/winsxs/amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_none_deadbeef
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/winsxs/x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_none_deadbeef
> /home/jjpg/.wine/drive_c/Program Files (x86)/Adobe/Audition 1.5
> /home/jjpg/.wine/drive_c/Program Files (x86)/Adobe/Audition 1.5/en_us
> /home/jjpg/.wine/drive_c/Program Files (x86)/Adobe/Flash Player/AddIns/airappinstaller
> /home/jjpg/.wine/drive_c/Program Files (x86)/Common Files/Adobe AIR/Versions/1.0
> /home/jjpg/.wine/drive_c/Program Files (x86)/Common Files/Adobe AIR/Versions/1.0/Resources
> /home/jjpg/.wine/drive_c/Program Files (x86)/Common Files/Apple/Apple Application Support
> /home/jjpg/.wine/drive_c/Program Files (x86)/Elica56/System
> /home/jjpg/.wine/drive_c/Program Files (x86)/QuickTime
> /home/jjpg/.wine/drive_c/Program Files (x86)/QuickTime/QTSystem
> /home/jjpg/.wine/drive_c/Program Files (x86)/ZaraSoft/ZaraRadio
> /home/jjpg/.wine/drive_c/users/Public/Application Data/Apple/Installer Cache/AppleApplicationSupport 2.3.6
> /home/jjpg/.wine/drive_c/users/jjpg/Application Data/Macromedia/Flash Player/www.macromedia.com/bin/airappinstaller
> /home/jjpg/.wine/drive_c/users/jjpg/Local Settings/Temporary Internet Files/Content.IE5/OPWK71SZ
> /home/jjpg/.wine/drive_c/windows/Installer
> /home/jjpg/.wine/drive_c/windows/Microsoft.NET/Framework/v1.1.4322
> /home/jjpg/.wine/drive_c/windows/Microsoft.NET/Framework/v2.0.50727
> /home/jjpg/.wine/drive_c/windows/Microsoft.NET/Framework/v4.0.30319
> /home/jjpg/.wine/drive_c/windows/mono/mono-2.0/bin
> /home/jjpg/.wine/drive_c/windows/mono/mono-2.0/lib/mono/2.0
> /home/jjpg/.wine/drive_c/windows/mono/mono-2.0/lib/mono/4.0
> /home/jjpg/.wine/drive_c/windows/mono/mono-2.0/lib/mono/4.5
> /home/jjpg/.wine/drive_c/windows/mono/mono-2.0/lib/mono/gac/Novell.Directory.Ldap/2.0.0.0__0738eb9f132ed756
> /home/jjpg/.wine/drive_c/windows/winsxs/amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_none_deadbeef
> /home/jjpg/.wine/drive_c/windows/winsxs/x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_none_deadbeef
> /lib/firmware/vxge
> /opt/wine-devel/lib/wine/fakedlls
> /opt/wine-devel/lib64/wine/fakedlls
> /opt/wine-staging/lib64/wine/fakedlls
> /usr/lib/mono/4.0
> /usr/lib/mono/4.5
> /usr/lib/python2.7/dist-packages/pyclamd
> /usr/lib/python3/dist-packages/pyclamd/__pycache__
> /usr/share/doc/slv2
> /usr/share/mime
> /usr/share/spamassassin
> /usr/share/wine-gecko
> /usr/share/wine/gecko
>
> Found 67 possible threats (283770 files scanned).
>
> /usr/share/mime/mime.cache PUA.Win.Exploit.CVE_2012_0110
> /usr/share/wine-gecko/wine_gecko-2.21-x86_64.msi PUA.Win32.Packer.PrivateExeProte-7
> /usr/lib/python2.7/dist-packages/pyclamd/pyclamd.pyc Eicar-Test-Signature-1
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/winsxs/x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_none_deadbeef/comctl32.dll PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/winsxs/amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_none_deadbeef/comctl32.dll PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/mono/mono-2.0/bin/MonoPosixHelper-x86_64.dll PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/mono/mono-2.0/lib/mono/4.0/mscorlib.dll PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/mono/mono-2.0/lib/mono/2.0/mscorlib.dll PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/mono/mono-2.0/lib/mono/4.5/mscorlib.dll PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/mono/mono-2.0/lib/mono/4.5/monop.exe PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/Microsoft.NET/Framework/v1.1.4322/mscorlib.dll PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/Microsoft.NET/Framework/v4.0.30319/mscorlib.dll PUA.Win32.Packer.PrivateExeProte-7
> /usr/share/wine-gecko/wine_gecko-2.21-x86.msi PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.local/share/wineprefixes/vc2010express/drive_c/windows/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.cache/winetricks/comctl32/cc32inst.exe PUA.Win32.Packer.Winzip-1
> /home/jjpg/.cache/winetricks/windowscodecs/wic_x86_enu.exe PUA.Win32.Packer.Msvcpp
> /home/jjpg/.wine/drive_c/users/jjpg/Application Data/Macromedia/Flash Player/www.macromedia.com/bin/airappinstaller/airappinstaller.exe PUA.Win32.Packer.SetupExeSection
> /home/jjpg/.wine/drive_c/users/jjpg/Local Settings/Temporary Internet Files/Content.IE5/OPWK71SZ/update[1] PUA.Win32.Packer.SetupExeSection
> /home/jjpg/.wine/drive_c/users/jjpg/Local Settings/Temporary Internet Files/Content.IE5/OPWK71SZ/update[0] PUA.Win32.Packer.SetupExeSection
> /home/jjpg/.wine/drive_c/users/Public/Application Data/Apple/Installer Cache/AppleApplicationSupport 2.3.6/AppleApplicationSupport.msi PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.wine/drive_c/windows/winsxs/x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_none_deadbeef/comctl32.dll PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.wine/drive_c/windows/winsxs/amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_none_deadbeef/comctl32.dll PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.wine/drive_c/windows/mono/mono-2.0/bin/MonoPosixHelper-x86_64.dll PUA.Win32.Packer.PrivateExeProte-7
> /usr/share/doc/slv2/jquery.js PUA.HTML.Exploit.CVE_2014_0322
> /home/jjpg/.wine/drive_c/windows/mono/mono-2.0/lib/mono/4.0/mscorlib.dll PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.wine/drive_c/windows/mono/mono-2.0/lib/mono/2.0/mscorlib.dll PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.wine/drive_c/windows/mono/mono-2.0/lib/mono/gac/Novell.Directory.Ldap/2.0.0.0__0738eb9f132ed756/Novell.Directory.Ldap.dll PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.wine/drive_c/windows/mono/mono-2.0/lib/mono/4.5/mscorlib.dll PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.wine/drive_c/windows/mono/mono-2.0/lib/mono/4.5/monop.exe PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.wine/drive_c/windows/Installer/8ff4.msi PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.wine/drive_c/windows/Installer/8d09.msi PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.wine/drive_c/windows/Microsoft.NET/Framework/v1.1.4322/mscorlib.dll PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.wine/drive_c/windows/Microsoft.NET/Framework/v4.0.30319/mscorlib.dll PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.wine/drive_c/windows/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll PUA.Win32.Packer.PrivateExeProte-7
> /usr/share/spamassassin/72_active.cf PUA.Phishing.Bank
> /home/jjpg/.wine/drive_c/Program Files (x86)/Elica56/System/borlndmm.dll PUA.Win32.Packer.BorlandDelphi-13
> /home/jjpg/.wine/drive_c/Program Files (x86)/Elica56/System/Elica.exe PUA.Win32.Packer.BorlandDelphi-14
> /home/jjpg/.wine/drive_c/Program Files (x86)/Adobe/Audition 1.5/en_us/multitap.dll PUA.Win32.Packer.Starforce-1
> /home/jjpg/.wine/drive_c/Program Files (x86)/Adobe/Audition 1.5/en_us/sweeper.dll PUA.Win32.Packer.Starforce-1
> /home/jjpg/.wine/drive_c/Program Files (x86)/Adobe/Audition 1.5/en_us/para.dll PUA.Win32.Packer.Starforce-1
> /home/jjpg/.wine/drive_c/Program Files (x86)/Adobe/Audition 1.5/Audition.exe PUA.Win32.Packer.Upx-28
> /home/jjpg/.wine/drive_c/Program Files (x86)/Adobe/Audition 1.5/Voc.flt PUA.Win32.Packer.CreativeAudioFi
> /home/jjpg/.wine/drive_c/Program Files (x86)/Adobe/Flash Player/AddIns/airappinstaller/airappinstaller.exe PUA.Win32.Packer.SetupExeSection
> /home/jjpg/.wine/drive_c/Program Files (x86)/ZaraSoft/ZaraRadio/ZaraRadio.exe PUA.Win32.Packer.Devcpp
> /home/jjpg/.wine/drive_c/Program Files (x86)/QuickTime/QTSystem/QuickTimeUpdateHelper.exe PUA.Win32.Packer.SetupExeSection
> /usr/share/wine/gecko/wine_gecko-2.21-x86.msi PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.wine/drive_c/Program Files (x86)/QuickTime/PictureViewer.exe PUA.Packed.Armadillo-1
> /home/jjpg/.wine/drive_c/Program Files (x86)/Common Files/Apple/Apple Application Support/libicuuc.dll PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.wine/drive_c/Program Files (x86)/Common Files/Apple/Apple Application Support/libicuin.dll PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.wine/drive_c/Program Files (x86)/Common Files/Apple/Apple Application Support/icudt46.dll PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.wine/drive_c/Program Files (x86)/Common Files/Adobe AIR/Versions/1.0/Resources/airappinstaller.exe PUA.Win32.Packer.SetupExeSection
> /home/jjpg/.wine/drive_c/Program Files (x86)/Common Files/Adobe AIR/Versions/1.0/Resources/WebKit.dll PUA.Win32.Packer.PrivateExeProte-7
> /home/jjpg/.wine/drive_c/Program Files (x86)/Common Files/Adobe AIR/Versions/1.0/Resources/Adobe AIR Updater.exe PUA.Win32.Packer.SetupExeSection
> /home/jjpg/.wine/drive_c/Program Files (x86)/Common Files/Adobe AIR/Versions/1.0/Adobe AIR Application Installer.exe PUA.Win32.Packer.SetupExeSection
> /opt/wine-devel/lib64/wine/fakedlls/comctl32.dll PUA.Win32.Packer.PrivateExeProte-7
> /opt/wine-devel/lib64/wine/fakedlls/clock.exe PUA.Win32.Packer.PrivateExeProte-7
> /usr/lib/python3/dist-packages/pyclamd/__pycache__/pyclamd.cpython-35.pyc Eicar-Test-Signature-1
> /opt/wine-devel/lib64/wine/fakedlls/user32.dll PUA.Win32.Packer.PrivateExeProte-7
> /opt/wine-devel/lib/wine/fakedlls/comctl32.dll PUA.Win32.Packer.PrivateExeProte-7
> /opt/wine-devel/lib/wine/fakedlls/clock.exe PUA.Win32.Packer.PrivateExeProte-7
> /opt/wine-devel/lib/wine/fakedlls/user32.dll PUA.Win32.Packer.PrivateExeProte-7
> /opt/wine-staging/lib64/wine/fakedlls/comctl32.dll PUA.Win32.Packer.PrivateExeProte-7
> /opt/wine-staging/lib64/wine/fakedlls/clock.exe PUA.Win32.Packer.PrivateExeProte-7
> /opt/wine-staging/lib64/wine/fakedlls/user32.dll PUA.Win32.Packer.PrivateExeProte-7
> /usr/lib/python3/dist-packages/pyclamd/__pycache__/pyclamd.cpython-34.pyc Eicar-Test-Signature-1
> /usr/lib/mono/4.0/mscorlib.dll PUA.Win32.Packer.PrivateExeProte-7
> /usr/lib/mono/4.5/mscorlib.dll PUA.Win32.Packer.PrivateExeProte-7
>
>
> -----------------------------------------------------------------------------------------------
>
> How many? ???
> Is it a real attack? or False positive? ???
> Thanks a lot for your time!!!
> Greetings and Blessings from Chile!!!!!!!
> Juan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3569 bytes
Desc: not available
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20160128/e47e62aa/attachment.bin>
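One way to triage a log like the one quoted above, as an added example (not ClamAV, ClamTk or pyclamd code, and not from either poster): split the hits into PUA-by-category, test signatures and everything else, then build the clamscan invocation (or clamd.conf directives) that keeps PUA detection on but drops the Packer/Packed categories that only say "this binary was packed by X". It assumes the two log formats named in the docstring; the `/tmp/sample.exe` line and the `Win.Trojan.Example-1` name are constructed placeholders, and the remark that pyclamd ships the EICAR string for its own self-test comes from knowledge of pyclamd, not from anything stated in the thread.

```python
"""Triage a ClamAV / ClamTk scan log: PUA heuristics vs. real detections.

Added example for this thread, not ClamAV, ClamTk or pyclamd code. It reads
two line formats: ClamTk's "<path> <signature>" (as in the quoted log) and
clamscan's "<path>: <signature> FOUND". SAMPLE_LOG is a subset of the quoted
log plus one constructed clamscan-style line; Win.Trojan.Example-1 is a
placeholder name, not a real signature.
"""
import re
import sys
from collections import defaultdict

SAMPLE_LOG = """\
ClamTk, v5.19
Sun Jan 17 12:30:53 2016
ClamAV definitions: 4227609
/home/jjpg/.wine/drive_c/Program Files (x86)/Adobe/Audition 1.5
/usr/share/mime/mime.cache PUA.Win.Exploit.CVE_2012_0110
/usr/share/wine-gecko/wine_gecko-2.21-x86_64.msi PUA.Win32.Packer.PrivateExeProte-7
/usr/lib/python2.7/dist-packages/pyclamd/pyclamd.pyc Eicar-Test-Signature-1
/usr/share/doc/slv2/jquery.js PUA.HTML.Exploit.CVE_2014_0322
/usr/share/spamassassin/72_active.cf PUA.Phishing.Bank
/home/jjpg/.wine/drive_c/Program Files (x86)/Adobe/Audition 1.5/Audition.exe PUA.Win32.Packer.Upx-28
/home/jjpg/.wine/drive_c/Program Files (x86)/QuickTime/PictureViewer.exe PUA.Packed.Armadillo-1
/tmp/sample.exe: Win.Trojan.Example-1 FOUND
"""

# A ClamAV signature name: letters, digits, '.', '_', '-' and nothing else.
SIG_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.\-]*$")

# Categories whose hits only say "this binary was packed/protected by X".
# Nearly every packer hit in the quoted log is legitimate software under Wine.
NOISY_CATEGORIES = {"Packer", "Packed"}


def parse_line(line):
    """Return (path, signature) for a detection line, or None for anything else."""
    line = line.rstrip()
    if line.endswith(" FOUND"):           # clamscan style
        line = line[: -len(" FOUND")]
    parts = line.rsplit(None, 1)          # a signature name never contains whitespace
    if len(parts) != 2:
        return None
    path, sig = parts
    path = path.rstrip(":")               # clamscan appends ':' to the path
    # Absolute path plus well-formed signature name filters out the log header and
    # the "folders scanned" list (a trailing "1.5" or "(x86)/QuickTime" fails SIG_RE).
    if not path.startswith("/") or not SIG_RE.match(sig):
        return None
    return path, sig


def pua_category(sig):
    """PUA.<platform>.<category>.<name> or PUA.<category>.<name>: the category is
    the second-to-last dotted component (a naming heuristic, not a ClamAV API)."""
    parts = sig.split(".")
    return parts[-2] if len(parts) >= 3 else "Unknown"


def classify(sig):
    if sig.startswith("PUA."):
        return "pua"
    if "eicar" in sig.lower():            # EICAR test string (pyclamd embeds it for its self-test)
        return "test"
    return "malware"                      # a real signature: look at these first


def triage(lines):
    """Group detections: {'pua': {category: [(path, sig)]}, 'test': [...], 'malware': [...]}."""
    result = {"pua": defaultdict(list), "test": [], "malware": []}
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        kind = classify(hit[1])
        if kind == "pua":
            result["pua"][pua_category(hit[1])].append(hit)
        else:
            result[kind].append(hit)
    result["pua"] = dict(result["pua"])
    return result


def clamscan_command(exclude_categories, target):
    """Rescan with PUA detection on but the chosen categories skipped.
    --detect-pua and --exclude-pua are real clamscan options; --exclude-pua may repeat."""
    cmd = ["clamscan", "-r", "--detect-pua=yes"]
    cmd += [f"--exclude-pua={c}" for c in sorted(exclude_categories)]
    cmd.append(target)
    return cmd


def clamd_conf_lines(exclude_categories):
    """Equivalent clamd.conf directives (DetectPUA and ExcludePUA are real directives)."""
    return ["DetectPUA yes"] + [f"ExcludePUA {c}" for c in sorted(exclude_categories)]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    r = triage(text.splitlines())
    for cat, hits in sorted(r["pua"].items()):
        note = "  [packer heuristic]" if cat in NOISY_CATEGORIES else ""
        print(f"PUA.{cat}: {len(hits)} hit(s){note}")
    print(f"test signatures: {len(r['test'])}")
    for path, sig in r["malware"]:
        print(f"NON-PUA hit, inspect: {path} ({sig})")
    print(" ".join(clamscan_command(NOISY_CATEGORIES, "/home/jjpg")))
    print("\n".join(clamd_conf_lines(NOISY_CATEGORIES)))
```

Run it with a saved ClamTk or clamscan log as the first argument, or with no argument to process the embedded sample. Which PUA categories to exclude is a judgement call, and the Exploit and Phishing categories are pattern heuristics rather than packer tags, so they are worth a look before being silenced; the non-PUA bucket is the one to inspect first.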