On Aug 15, 2012, at 7:55 AM, Gene Heskett wrote:

> Greets all;
>
> I got one of those emails from what looked like the IRS yesterday, but the
> .doc file it linked to was .htm and supposedly infected my machine with
> either the JS/Iframe.W!tr; Trojan-Downloader.JS.Iframe.czj or once
> infected, the Trojan-Ransom.Win32.Gimemo.akxc
>
> I killed firefox about 1.5 seconds after the dummy download screen was
> displayed.
OK. 1.5 seconds is quite a while as far as a computer is concerned; if you
were running a vulnerable platform, then yeah, your system probably was
compromised.

> So I made a /virii directory, cd'd to / and ran:
>
> clamscan -r --move=/virii

My first instincts would have been to take a complete backup for forensic
purposes, and then reinstall the OS and restore from a prior backup. (You
are taking backups of everything you care about, right?)

> And moved what I would consider quite a few FP's to that directory. Several
> .log files it didn't like, and one wine .dll it moved many copies of. A
> partial list, not including hundreds of mozilla cache files:

[ ... ]

> It didn't like quite a few of clamav's own files, and had a regular party
> with the spamassassin source tarballs too.

These aren't false positives -- a virus scanner _should_ trigger from
(unencrypted) malware signatures.

> End of partial list.
>
> Now, how do I get it to rescan those 963 files and report the matching
> signature that triggered the move? clamscan -v?
>
> And, how do I go about bringing the engine up to 0.96.7 since it appears
> that Ubuntu-10.04.4 LTS has no intention of updating it?

One can build ClamAV-0.96.7 from source code, just as whoever builds the
"official" Ubuntu packages would.

Regards,

--
-Chuck

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
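The rescan Gene asks about, as an added example that is not part of this thread: it assumes the quarantined files sit under /virii as in his `--move=/virii` command, relies on clamscan's standard `<path>: <SignatureName> FOUND` output line per detection, and the signature names and paths in the embedded sample are constructed for an offline run.

```shell
#!/bin/sh
# Added example (not from the thread): rescan a clamscan quarantine directory
# and tally which signature matched each file, so the 963 moved files can be
# triaged by signature instead of inspected one at a time.

# Reads clamscan output on stdin; prints "<signature> <count>" per signature,
# most frequent first. Lines ending in "OK" (clean files) are ignored.
tally_signatures() {
    sed -n 's/^.*: \([^ ]*\) FOUND$/\1/p' | sort | uniq -c | sort -rn |
        awk '{ printf "%s %s\n", $2, $1 }'
}

# Number of detection lines on stdin (prints 0 rather than failing when none).
count_found() {
    grep -c ' FOUND$' || true
}

# Rescan the quarantine directory (e.g. /virii) and tally the hits.
# -r recurses, -i prints only infected files, --no-summary drops the footer.
rescan_quarantine() {
    clamscan -r -i --no-summary "$1" | tally_signatures
}

# Constructed sample standing in for real clamscan output of /virii; the
# signature names are placeholders, not real ClamAV signatures.
SAMPLE='/virii/spamassassin-3.3.2.tar.gz: Sample.Sig.Archive FOUND
/virii/cache/abc123: Sample.Sig.Iframe FOUND
/virii/cache/def456: Sample.Sig.Iframe FOUND
/virii/wine/x.dll: Sample.Sig.PUA FOUND
/virii/wine/y.dll: Sample.Sig.PUA FOUND
/virii/wine/z.dll: Sample.Sig.PUA FOUND
/virii/clean.log: OK'

# Demonstration on the constructed sample; on a real box run:
#   rescan_quarantine /virii
printf '%s\n' "$SAMPLE" | tally_signatures
```

Each signature name in the tally can then be looked up with `sigtool --find-sigs <name>` to see what the matching signature actually looks for before deciding whether a file is a false positive.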