libtheora.so.0.3.2 AVG virus trojan Downloader.Swizzor


fgold
30th January 2008, 09:43 AM
Hi, I just did a Windows AVG antivirus scan and it reported a trojan/virus called Downloader.Swizzor in /usr/lib/libtheora.so.0.3.2 through my mounted Linux drive. I wonder if I should be worried about this, and should I get antivirus for my Fedora 8? Also, all my files were from yum or the package installers, so is it not safe getting files from there??? Anyone else got the same problem? If you submit this file to VirusTotal online, AVG is the only one of all the scanners that reports the virus.

leigh123linux
30th January 2008, 10:13 AM
I doubt you got a virus through yum, as all the packages are verified through a GPG check.

d_g_f
30th January 2008, 03:50 PM
I ran into the same problem this morning.
Unfortunately AVG couldn't clean it, as it reported an "error" when trying to do so.
I deleted the file mentioned above.
However, how do I use yum to reinstall the rpm, libtheora.i386? When I try to use yum install libtheora.i386, it responds by saying it's installed. However, I do not want to remove the rpm, because of the dependencies I would break. Sigh ...

leigh123linux
30th January 2008, 04:10 PM
Try

su
yum install yum-utils
yumdownloader libtheora.i386
rpm -U --replacepkgs --replacefiles libtheora*rpm


P.S. AVG sucks and can't be relied on.

I deleted the file mentioned above.

What a stupid thing to do :(

Janl
30th January 2008, 04:17 PM
See previous post for steps.

leigh123linux
30th January 2008, 04:24 PM
Can probably remove it using the RPM command with the --nodeps flag to remove it without removing dependencies, and then use yum to reinstall the package. The following should do the trick.

su -
rpm -e libtheora-1.0beta2-3.fc8 --nodeps
yum install libtheora

Why use --nodeps when there is a better way? (See post #4.)



Please read the guidelines ;)

http://www.fedoraforum.org/?view=guide


When Answering Questions

1. Don't be cruel. We have all been newbies at one point and no one needs someone telling them how stupid they are.
2. Don't use jargon in your instructions if it can be avoided, newbies may not understand. If you don't have any better answer than RTFM (Read the fine manual), just be quiet.
3. Point the user to existing resources if they can provide useful information. Use community sites like fedorafaq.org and fedoraNEWS.org in your answers, searching the Red Hat bugzilla is a good idea as well.
4. Always assume the user has a default installation unless you're told otherwise. This means that you can't tell anyone to use APT without providing instructions on how to install APT or at least linking to an APT tutorial, as APT isn't included in the default installation. If you tell people to use an application outside of Core, give instructions on how to install it.
5. Always assume that the user is a newbie unless you're certain the user is not. Give detailed instructions.
6. Use proper formatting; use [CODE] tags around terminal commands. You can attach files and pictures that you think might help.
7. Do things the Fedora way. There is always more than one solution to a problem; choose the one you think will be the easiest for the user. Automatic package installation (using YUM, up2date or apt) over manual installation. RPM over source. Where possible get people to use the official Fedora Extras and the related rpm.livna.org. They are of higher quality. Don't replace any Core packages and never instruct users to do anything that might break their system; this includes using --force and --nodeps when installing an RPM. Try to think as a newbie and choose the simplest solution.
8. Explain each step of the solution. The ideal solution to a problem should be able to teach the user how to solve similar problems in the future. Teach people to fish, don't just throw them a salmon.

d_g_f
30th January 2008, 04:29 PM
I know, I know ...
Thanks, your instructions worked, and thanks leigh123linux for your help also.
BTW, I ran AVG on the libtheora.so files, and sure enough, after replacement of the libtheora.so files, it reported the infection "Downloader.Swizzor" again. So either there is an infection, which I am now somewhat doubting, or it's a false alarm by AVG.

What good Linux virus scan would one recommend?

Thanks

Janl
30th January 2008, 04:30 PM
Actually I started the reply before you posted yours. Was just slow at submitting it. I'll go back and edit it.

leigh123linux
30th January 2008, 04:55 PM
You could try Avast; you will need to register.

http://www.avast.com/eng/download-avast-for-linux-edition.html


su
wget http://files.avast.com/files/linux/avast4workstation-1.0.8-1.i586.rpm
yum localinstall avast4workstation-1.0.8-1.i586.rpm


P.S. I don't ever use antivirus, as it isn't really needed: 99.9% of viruses need a Windows environment to execute.

Magnar
30th January 2008, 08:03 PM
I get the same result, except in my case I have 4 infected files:

[root@localhost ~]# avgscan -scan -heur /usr/lib/
AVG7 Anti-Virus command line scanner
Copyright (c) 2007 GRISOFT, s.r.o.
Program version 7.5.51, engine 442
Virus Database: Version 269.19.16/1251 2008-01-30
License type is FREE.
/usr/lib/libtheora.so.0 Virus found Downloader.Swizzor
/usr/lib/libtheora.so.0.3.2 Virus found Downloader.Swizzor
/usr/lib/gimp/2.0/plug-ins/spheredesigner Virus found Downloader.Swizzor
/usr/lib/vlc/access/libaccess_realrtsp_plugin.so Virus found Downloader.Swizzor
Tested: 10891 files, 0 sectors
Infections: 4
Errors: 0


Could these files really be infected? Should I do something?

leigh123linux
30th January 2008, 08:08 PM
I would leave them, as they are probably a false positive.

Swizzor is a Win32 virus and won't / can't affect Linux ;)

http://vil.nai.com/vil/content/v_136491.htm
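A way to triage such a report beyond the scanner's verdict, as an added example that is not part of the thread: parse the avgscan output quoted above and cross-check each flagged path against the output of `rpm -V <package>`, which compares the on-disk file's digest, size and mode with what the GPG-checked package installed. The `rpm -V` lines below are constructed sample data (the real command prints nothing for files that verify cleanly), and the package itself should still be signature-checked with `rpm -K` before trusting the result.

```python
import re

# Constructed sample: the avgscan report quoted in the thread above.
AVG_REPORT = """\
/usr/lib/libtheora.so.0 Virus found Downloader.Swizzor
/usr/lib/libtheora.so.0.3.2 Virus found Downloader.Swizzor
/usr/lib/gimp/2.0/plug-ins/spheredesigner Virus found Downloader.Swizzor
/usr/lib/vlc/access/libaccess_realrtsp_plugin.so Virus found Downloader.Swizzor
Tested: 10891 files, 0 sectors
Infections: 4
"""

# Constructed sample of `rpm -V` output (real format): a 9-column attribute
# string, an optional file-type letter, then the path. Only files that FAIL a
# check are printed. Column 1 'S' = size differs, column 3 '5' = digest differs,
# 'T' = mtime differs; a dot means that attribute still matches the package.
RPM_VERIFY = """\
S.5....T.    /usr/lib/vlc/access/libaccess_realrtsp_plugin.so
.......T.    /usr/lib/libtheora.so.0.3.2
"""

AVG_LINE = re.compile(r"^(\S+)\s+Virus found\s+(\S+)\s*$")
RPMV_LINE = re.compile(r"^([S.][M.][5.][D.][L.][U.][G.][T.][P.])\s+(?:[acdglr] +)?(\S+)$")

def parse_avgscan(text):
    """Return [(path, detection_name)] for every 'Virus found' line."""
    return [m.groups() for m in map(AVG_LINE.match, text.splitlines()) if m]

def parse_rpm_verify(text):
    """Map path -> 9-char attribute string for each file rpm -V complained about."""
    out = {}
    for line in text.splitlines():
        m = RPMV_LINE.match(line)
        if m:
            out[m.group(2)] = m.group(1)
    return out

def triage(flagged, verify):
    """Classify each AV hit by whether the file still matches its package."""
    result = {}
    for path, name in flagged:
        attrs = verify.get(path)
        if attrs is None:
            result[path] = "matches package: likely false positive (%s)" % name
        elif "5" in attrs or "S" in attrs:
            result[path] = "content differs from package: investigate (%s)" % name
        else:
            result[path] = "metadata-only change %s: likely false positive (%s)" % (attrs, name)
    return result

if __name__ == "__main__":
    for path, verdict in triage(parse_avgscan(AVG_REPORT), parse_rpm_verify(RPM_VERIFY)).items():
        print(path, "->", verdict)
```

On a real system, replace the two constants with the scanner's report and the output of `rpm -qf <path>` followed by `rpm -V <package>`.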

d_g_f
30th January 2008, 09:25 PM
I forgot to mention that I also got the same result of:

/usr/lib/gimp/2.0/plug-ins/spheredesigner as an infection, as you indicated.

Also, thanks leigh123linux for your suggestion of a virus scanner for Linux.

Alex Ultra
31st January 2008, 02:44 PM
I've heard (can't remember where exactly, but most likely from PC World or PC Magazine) that AVG's free edition was rather bad (or worse than others) about false positives, in that it finds more false positives than other utilities. Generally, though they used to be good and relatively reliable, anymore the 'free' utilities are becoming less reliable than the paid-for services. If you've got Windows, PCM recommends Norton Internet Security 2008... if you want to pay for it. -.-? It's their current favorite, but personally I'd rather just use Linux. I still swap to Windows for gaming, but Linux just doesn't get virus-ified like Windows does. Or Spam-ified, or spy-fied, or wormed, or most of the other nasties that are coming out for Windows faster than the high-bill security firms can deal with them.

At any rate, yeah, AVG Free is known to pick up false positives. Google 'AVG false positives' and you'll see threads from all over the web complaining about it. Good program, but like anything it's not perfect. ^_^?

d_g_f
31st January 2008, 06:27 PM
Thanks Alex.

I used to use (paid) the subscription to Norton's but didn't like it since it was a huge memory hog. Though it was good, I didn't like it.

Yes, I do realize about the false positives and I am trying out "AVAST" for Linux now. It's nice but the free version doesn't seem to have some command line options (remotely) I wish it did have.

I don't mind paying for software if it's well constructed and *NOT* a memory hog. :-)

Thanks again,

Dan