
30th January 2008, 09:43 AM
Registered User
Join Date: Jan 2008
Posts: 1
libtheora.so.0.3.2 AVG virus trojan Downloader.Swizzor
Hi, I just did a Windows AVG antivirus scan and it reported a trojan/virus called Downloader.Swizzor on /usr/lib/libtheora.so.0.3.2 through my Linux-mounted drive. I wonder if I should be worried about this, and should I get antivirus for my Fedora 8? Also, all my files were from Yum or the package installers, so it's not safe getting files from there??? Anyone else got the same problem? If you submit this file to VirusTotal online, AVG is the only one that reports the virus out of all the other scans.

30th January 2008, 10:13 AM
Retired Administrator
Join Date: Oct 2006
Posts: 21,509
I doubt you got a virus through yum, as all the packages are verified through a GPG check.
__________________
My Hardware
- CPU: AMD Phenom II X6 Hex Core 1055T 95W Edition @3.5Ghz
- Motherboard: Gigabyte GA-880GM-UD2H
- Cooler: Corsair H50 CPU Cooler
- RAM: Corsair Dominator 8GB (4x2GB) DDR3 1600MHz
- Graphics: Gigabyte GeForce GTS 450 OC 1024MB GDDR5

30th January 2008, 03:50 PM
Registered User
Join Date: Jan 2008
Posts: 4
I ran into the same problem this morning.
Unfortunately AVG couldn't clean it, as it reported an "error" when trying to do so.
I deleted the file mentioned above.
However, how do I use yum to reinstall the rpm, libtheora.i386? When I try to use yum install libtheora.i386, it responds by saying it's already installed. However, I do not want to remove the rpm, because of the dependencies I would break. Sigh ...

30th January 2008, 04:10 PM
Retired Administrator
Join Date: Oct 2006
Posts: 21,509
Quote:
Originally Posted by d_g_f
I ran into the same problem this morning.
Unfortunately AVG couldn't clean it, as it reported an "error" when trying to do so.
I deleted the file mentioned above.
However, how do I use yum to reinstall the rpm, libtheora.i386? When I try to use yum install libtheora.i386, it responds by saying it's already installed. However, I do not want to remove the rpm, because of the dependencies I would break. Sigh ...
Try
Code:
su
yum install yum-utils
yumdownloader libtheora.i386
rpm -U --replacepkgs --replacefiles libtheora*rpm
P.S. AVG sucks and can't be relied on.
Quote:
I deleted the file mentioned above.
What a stupid thing to do.
Last edited by leigh123linux; 30th January 2008 at 04:12 PM.

30th January 2008, 04:17 PM
Registered User
Join Date: Sep 2006
Location: Kentucky, USA
Age: 32
Posts: 309
See previous post for steps.
Last edited by Janl; 30th January 2008 at 04:31 PM.

30th January 2008, 04:24 PM
Retired Administrator
Join Date: Oct 2006
Posts: 21,509
Quote:
Originally Posted by Janl
Can probably remove it using the RPM command with the --nodeps flag to remove it without removing dependencies, and then use yum to reinstall the package. The following should do the trick.
Code:
su -
rpm -e libtheora-1.0beta2-3.fc8 --nodeps
yum install libtheora
Why use --nodeps when there is a better way? (see post #4)
Please read the guidelines
http://www.fedoraforum.org/?view=guide
Quote:
When Answering Questions
1. Don't be cruel. We have all been newbies at one point and no one needs someone telling them how stupid they are.
2. Don't use jargon in your instructions if it can be avoided; newbies may not understand. If you don't have any better answer than RTFM (Read the fine manual), just be quiet.
3. Point the user to existing resources if they can provide useful information. Use community sites like fedorafaq.org and fedoraNEWS.org in your answers; searching the Red Hat bugzilla is a good idea as well.
4. Always assume the user has a default installation unless you're told otherwise. This means that you can't tell anyone to use APT without providing instructions on how to install APT or at least a link to an APT tutorial, as APT isn't included in the default installation. If you tell people to use an application outside of Core, give instructions on how to install it.
5. Always assume that the user is a newbie unless you're certain the user is not. Give detailed instructions.
6. Use proper formatting; use [CODE] tags around terminal commands. You can attach files and pictures that you think might help.
7. Do things the Fedora way. There is always more than one solution to a problem; choose the one you think will be the easiest for the user. Automatic package installation (using YUM, up2date or apt) over manual installation. RPM over source. Where possible get people to use the official Fedora Extras and the related rpm.livna.org. They are of higher quality. Don't replace any Core packages and never instruct users to do anything that might break their system; this includes using --force and --nodeps when installing an RPM. Try to think as a newbie and choose the simplest solution.
8. Explain each step of the solution. The ideal solution to a problem should be able to teach the user how to solve similar problems in the future. Teach people to fish, don't just throw them a salmon.

30th January 2008, 04:29 PM
Registered User
Join Date: Jan 2008
Posts: 4
Quote:
Originally Posted by leigh123@linux
Try
Code:
su
yum install yum-utils
yumdownloader libtheora.i386
rpm -U --replacepkgs --replacefiles libtheora*rpm
P.S. AVG sucks and can't be relied on.
What a stupid thing to do.
I know, I know ...
Thanks, your instructions worked, and thanks leigh123@linux for your help also.
BTW, I ran AVG on the libtheora.so files, and sure enough, after replacement of the libtheora.so files, it reported the infection "Downloader.Swizzor" again. So, either there is an infection, which I am now somewhat doubting, or it's a false alarm by AVG.
What good Linux virus scanner would one recommend?
Thanks

30th January 2008, 04:30 PM
Registered User
Join Date: Sep 2006
Location: Kentucky, USA
Age: 32
Posts: 309
Actually I started the reply before you posted yours. Was just slow at submitting it. I'll go back and edit it.

30th January 2008, 04:55 PM
Retired Administrator
Join Date: Oct 2006
Posts: 21,509
Quote:
Originally Posted by d_g_f
I know, I know ...
Thanks, your instructions worked, and thanks leigh123@linux for your help also.
BTW, I ran AVG on the libtheora.so files, and sure enough, after replacement of the libtheora.so files, it reported the infection "Downloader.Swizzor" again. So, either there is an infection, which I am now somewhat doubting, or it's a false alarm by AVG.
What good Linux virus scanner would one recommend?
Thanks
You could try Avast; you will need to register.
http://www.avast.com/eng/download-av...x-edition.html
Code:
su
wget http://files.avast.com/files/linux/avast4workstation-1.0.8-1.i586.rpm
yum localinstall avast4workstation-1.0.8-1.i586.rpm
P.S. I don't ever use antivirus, as it isn't really needed: 99.9% of viruses need a Windows environment to execute.

30th January 2008, 08:03 PM
Registered User
Join Date: Dec 2007
Posts: 68
I get the same result, except in my case I have 4 infected files:
Code:
[root@localhost ~]# avgscan -scan -heur /usr/lib/
AVG7 Anti-Virus command line scanner
Copyright (c) 2007 GRISOFT, s.r.o.
Program version 7.5.51, engine 442
Virus Database: Version 269.19.16/1251 2008-01-30
License type is FREE.
/usr/lib/libtheora.so.0 Virus found Downloader.Swizzor
/usr/lib/libtheora.so.0.3.2 Virus found Downloader.Swizzor
/usr/lib/gimp/2.0/plug-ins/spheredesigner Virus found Downloader.Swizzor
/usr/lib/vlc/access/libaccess_realrtsp_plugin.so Virus found Downloader.Swizzor
Tested: 10891 files, 0 sectors
Infections: 4
Errors: 0
Could these files really be infected? Should I do something?

30th January 2008, 08:08 PM
Retired Administrator
Join Date: Oct 2006
Posts: 21,509
Quote:
Originally Posted by Magnar
I get the same result, except in my case I have 4 infected files:
Code:
[root@localhost ~]# avgscan -scan -heur /usr/lib/
AVG7 Anti-Virus command line scanner
Copyright (c) 2007 GRISOFT, s.r.o.
Program version 7.5.51, engine 442
Virus Database: Version 269.19.16/1251 2008-01-30
License type is FREE.
/usr/lib/libtheora.so.0 Virus found Downloader.Swizzor
/usr/lib/libtheora.so.0.3.2 Virus found Downloader.Swizzor
/usr/lib/gimp/2.0/plug-ins/spheredesigner Virus found Downloader.Swizzor
/usr/lib/vlc/access/libaccess_realrtsp_plugin.so Virus found Downloader.Swizzor
Tested: 10891 files, 0 sectors
Infections: 4
Errors: 0
Could these files really be infected? Should I do something?
I would leave them, as they are probably a false positive.
Swizzor is a Win32 virus and won't/can't affect Linux.
http://vil.nai.com/vil/content/v_136491.htm
Last edited by leigh123linux; 30th January 2008 at 08:10 PM.
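A defender's check to run before deleting anything, as an added example that is not from this thread or from Fedora: it pulls the flagged paths out of an avgscan listing like Magnar's and shows how to read `rpm -V` for each one, which is the step that separates a file that was actually modified from a scanner signature merely matching bytes inside an unmodified packaged file (the reinstall in post #4 is only needed in the former case). The function names and the sample listing are my own, and `triage_file` assumes rpm is installed.

```shell
#!/bin/sh
# Added example (not from the thread). Triage an AV hit on a package-owned file:
# 1) pull flagged paths out of avgscan-style output ("<path> Virus found <name>");
# 2) read "rpm -V" for each path. rpm prints nothing for a file that still matches
#    the package; otherwise a flag block (S size, M mode, 5 digest, D device,
#    L link, U user, G group, T mtime, P caps) or the word "missing", then the path.

# flagged_paths: scanner output on stdin -> one flagged path per line (paths without spaces).
flagged_paths() {
    awk '/ Virus found /{print $1}'
}

# classify_verify_line LINE: map one "rpm -V" line to a verdict word.
classify_verify_line() {
    case "$1" in
        missing*) echo "missing"; return ;;
    esac
    flags=${1%% *}                               # first field is the flag block
    case "$flags" in
        *5*|*S*|*L*)         echo "content-changed" ;;   # bytes differ from the package: investigate
        *M*|*U*|*G*|*P*|*D*) echo "metadata-changed" ;;
        *)                   echo "timestamp-only" ;;    # e.g. ".......T." (only mtime touched)
    esac
}

# triage_file PATH: the real check (needs rpm; not exercised by the offline sample).
triage_file() {
    f=$1
    pkg=$(rpm -qf "$f" 2>/dev/null) || { echo "$f: not owned by any package (or path missing)"; return 1; }
    out=$(rpm -Vf "$f" 2>/dev/null | awk -v p="$f" '$NF == p' || true)
    if [ -z "$out" ]; then
        echo "$f: identical to the copy in $pkg; the hit is a signature match, not a modification"
    else
        echo "$f: $(classify_verify_line "$out") vs $pkg; reinstall (yumdownloader, then rpm -U --replacepkgs --replacefiles)"
    fi
}

# Constructed sample modelled on the avgscan listing above (not real scanner output).
SAMPLE='AVG7 Anti-Virus command line scanner
/usr/lib/libtheora.so.0 Virus found Downloader.Swizzor
/usr/lib/libtheora.so.0.3.2 Virus found Downloader.Swizzor
Tested: 10891 files, 0 sectors'

# count_flagged: how many paths the sample flags (2).
count_flagged() {
    printf '%s\n' "$SAMPLE" | flagged_paths | wc -l | tr -d ' '
}
```

On a live system, `printf '%s\n' "$SAMPLE" | flagged_paths | while read -r p; do triage_file "$p"; done` runs the check over every flagged path.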

30th January 2008, 09:25 PM
Registered User
Join Date: Jan 2008
Posts: 4
Quote:
Originally Posted by Magnar
I get the same result, except in my case I have 4 infected files:
Code:
[root@localhost ~]# avgscan -scan -heur /usr/lib/
AVG7 Anti-Virus command line scanner
Copyright (c) 2007 GRISOFT, s.r.o.
Program version 7.5.51, engine 442
Virus Database: Version 269.19.16/1251 2008-01-30
License type is FREE.
/usr/lib/libtheora.so.0 Virus found Downloader.Swizzor
/usr/lib/libtheora.so.0.3.2 Virus found Downloader.Swizzor
/usr/lib/gimp/2.0/plug-ins/spheredesigner Virus found Downloader.Swizzor
/usr/lib/vlc/access/libaccess_realrtsp_plugin.so Virus found Downloader.Swizzor
Tested: 10891 files, 0 sectors
Infections: 4
Errors: 0
Could these files really be infected? Should I do something?
I forgot to mention also, I did get the same result for /usr/lib/gimp/2.0/plug-ins/spheredesigner as an infection, which you indicated.
Also, thanks Leigh123@linux for your suggestion of a virus scanner for Linux.

31st January 2008, 02:44 PM
Registered User
Join Date: Oct 2007
Posts: 13
I've heard (can't remember where exactly, but most likely from PC World or PC Magazine) that AVG's free edition was rather bad (or worse than others) about false positives, in that it finds more false positives than other utilities. Generally, though they used to be good and relatively reliable, anymore the 'free' utilities are becoming less reliable than the paid-for services. If you've got Windows, PCM recommends Norton Internet Security 2008... if you want to pay for it. -.-? It's their current favorite, but personally I'd rather just use Linux. I still swap to Windows for gaming, but Linux just doesn't get virus-ified like Windows does. Or Spam-ified, or spy-fied, or wormed, or most of the other nasties that are coming out for Windows faster than the high-bill security firms can deal with them.
At any rate, ya AVG Free is known to pick up false positives. Google 'AVG false positives' and you'll see threads from all over the web complaining about it. Good program, but like anything it's not perfect. ^_^?
__________________
FC4: Downloaded, never installed. | FC5: Downloaded, installed, never connected. | FC6: Got fed up with Windows, downloaded, installed, loved it, kept it. | F7: Downloaded, Installed, Loved. | F8: See F7.
1) 1.6GHz w/ F8 / Win XP Home
2) 698MHz w/ F8
3) 350MHz w/ F8 (atm)
4) 2.4GHz w/ F8 / Win XP Pro (laptop)

31st January 2008, 06:27 PM
Registered User
Join Date: Jan 2008
Posts: 4
Thanks Alex.
I used to pay for the subscription to Norton's but didn't like it, since it was a huge memory hog. Though it was good, I didn't like it.
Yes, I do realize about the false positives, and I am trying out "AVAST" for Linux now. It's nice, but the free version doesn't seem to have some command line options (remotely) I wish it did have.
I don't mind paying for software if it's well constructed and *NOT* a memory hog. :-)
Thanks again,
Dan