Re: [clamav-users] Bitcoin : Chainstate : Virii

2014-06-10 Thread ellanios82

On 06/11/2014 09:31 AM, Al Varnell wrote:

According to the forum link you gave us you should "set your scanner
to ignore sst files, which are not executable and cannot catch a
virus.” -Al-

_

 - in case of interest, Carlos Robinson, on the opensuse list, kindly 
explained :


It is an indirect threat to Windows users only, who *need* to run an
antivirus full-time, who may be *confused* by the messages about having
a virus in the bitcoin folders, and may be tempted to delete those files
or allow the antivirus to do so, mistakenly, or to remove or disable the
antivirus globally.

As the link says, disable testing of that particular type of file, or
that type of file in that particular directory.



Those files do not even contain any virus. They just contain certain
strings, like text, that happen to be the particular sequence of bytes
that antivirus use to detect certain viruses.

Meaning: suppose the virus "I'M VERY BAD" contains somewhere in the code
the text "ImVeRyBaD". An antivirus that scans a file and sees the string
"ImVeRyBaD" says “WARNING! That file contains the virus "I'M VERY BAD".
You should triple destroy that file immediately! Life danger!” And the
file in question could be just a plain text file or an email where
somebody tells another guy that he saw the alias "ImVeRyBaD" painted on
a wall in the street.


So, somebody is playing jokes, and intentionally inserting those known
trigger strings into those bitcoin files, to make them trigger the
antivirus warning, on purpose, to stir the pot or have a laugh at you,
or whatever. The files themselves are perfectly safe, they contain no virus.


Disclaimer: any occurrence of "ImVeRyBaD" in real life is coincidental
and non intentional. The author makes no claim to the existence of such
a malware or alias, nor is there any intentional correlation to any such
person living or dead, etc etc etc.

  :-


-- Cheers / Saludos, ... thank you



___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
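
The false positive Carlos describes, and the difference between excluding one file type in one directory and excluding the whole Bitcoin folder, as an added example that is not part of the original thread. The signature bytes, file contents, `update.exe` and both exclusion patterns are constructed for illustration; `512719.sst` is the file name from the thread's subject line.

```python
import re
from typing import Optional

# Constructed signature database: detection name -> byte pattern
# (the made-up "ImVeRyBaD" string from the message above).
SIGNATURES = {"I'M VERY BAD": b"ImVeRyBaD"}

# Hypothetical exclusion policies, written as path regexes.
FOLDER_EXCLUDE = re.compile(r"(^|/)Bitcoin(/|$)")           # skip the whole folder
SCOPED_EXCLUDE = re.compile(r"(^|/)chainstate/\d+\.sst$")  # skip only chainstate/*.sst


def match_signatures(data: bytes) -> list:
    """Naive content matching: report every signature whose bytes occur anywhere.

    The matcher has no idea whether the file is executable, so inert data
    that happens to contain the bytes is reported like real malware.
    """
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan(files: dict, exclude: Optional[re.Pattern] = None) -> dict:
    """Scan every file not matched by `exclude`; return {path: [detections]}."""
    report = {}
    for path, data in files.items():
        if exclude is not None and exclude.search(path):
            continue  # excluded paths are never inspected at all
        hits = match_signatures(data)
        if hits:
            report[path] = hits
    return report


# Constructed sample tree: two inert files that merely contain the bytes,
# one executable that contains them, and one clean file.
SAMPLE_FILES = {
    "Bitcoin/chainstate/512719.sst": b"\x00\x01key\x00ImVeRyBaD\x00value",
    "Bitcoin/notes.txt": b"I saw the alias ImVeRyBaD painted on a wall.",
    "Bitcoin/chainstate/update.exe": b"MZ\x90\x00...ImVeRyBaD...",
    "Bitcoin/wallet.dat": b"\x00\x00wallet-bytes",
}

if __name__ == "__main__":
    for label, policy in [("no exclusion", None),
                          ("whole folder excluded", FOLDER_EXCLUDE),
                          ("only chainstate/*.sst excluded", SCOPED_EXCLUDE)]:
        print(f"--- {label} ---")
        for path, hits in scan(SAMPLE_FILES, policy).items():
            print(f"{path}: {', '.join(hits)} FOUND")
```

With the whole folder excluded the executable in `chainstate/` is never inspected; with the scoped pattern only the numbered `.sst` data files are skipped. In clamscan, `--exclude=REGEX` skips files by pattern, while `--exclude-dir=REGEX` skips entire directories.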


Re: [clamav-users] Bitcoin : Chainstate : Virii

2014-06-10 Thread Al Varnell
On Tue, Jun 10, 2014 at 11:24 PM, ellanios82 wrote:
> 
> On 06/11/2014 01:52 AM, Joel Esler (jesler) wrote:
>> What is your question here?
> __
> 
> - it seems that about 6 to 8 virus signatures have been injected into 
> bitcoin's chainstate, and that they are now probably permanently built into 
> the chainstate :
> 
> - is this a threat, or,  can these alerts be safely ignored ?
> 
> ..
> 
> thank you

Ellan,

According to the forum link you gave us you should "set your scanner to ignore 
sst files, which are not executable and cannot catch a virus.”


-Al-
-- 
Al Varnell
Mountain View, CA






Re: [clamav-users] Bitcoin : Chainstate : Virii

2014-06-10 Thread ellanios82

On 06/11/2014 01:52 AM, Joel Esler (jesler) wrote:

What is your question here?

__

- it seems that about 6 to 8 virus signatures have been injected into 
bitcoin's chainstate, and that they are now probably permanently built 
into the chainstate :


 - is this a threat, or,  can these alerts be safely ignored ?

..

thank you
regards
  Ellan



Re: [clamav-users] Bitcoin : Chainstate : Virii [SEC=UNOFFICIAL]

2014-06-10 Thread Joel Esler (jesler)
He’s been unsubscribed.


On Jun 10, 2014, at 6:57 PM, Alan Langley  wrote:

> UNOFFICIAL
> Hi Joel,
> 
> I've tried a couple of times to unsubscribe from the clamav-users list as it 
> is no longer required - I'm still receiving the emails - I thought you might 
> have the power to remove my address from the list.
> 
> Cheers
> Alan Langley
> 
> Systems Administrator, Storage, Backup and Recovery ICT Infrastructure 
> Support and Systems Executive and Information Services
> 
> Room 32 Mitchell
> 
> -Original Message-
> From: clamav-users-boun...@lists.clamav.net 
> [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Joel Esler 
> (jesler)
> Sent: Wednesday, 11 June 2014 8:52 AM
> To: ClamAV users ML
> Subject: Re: [clamav-users] Bitcoin : Chainstate : Virii
> 
> Thanks Ellan.
> 
> What is your question here?
> 
> --
> Joel Esler
> Open Source Manager
> Threat Intelligence Team Lead
> Vulnerability Research Team
> 
> On Jun 10, 2014, at 10:49 AM, ellanios82 wrote:
> 
> Hello List
> 
> 
> i notice link :
> 
> https://bitcointalk.org/index.php?topic=574691.0
> 
> 
> 
> notice remarks :
> "Just tell your antivirus program to ignore the folder 
> /Users/username/Library/Application Support/Bitcoin"
> 
> "This is a huge mistake! "
> 
> "Just imagine: a unknown virus download some viruses to this directory. The 
> folder is ignore by the virus scanner, so _valid_ viruses are not recognized, 
> they can do whatever they want to do."
> 
> "And you do not realize that your wallet is stolen."
> 
> "So the devs should somehow handle this!"
> 
> Elbandi
> 
> "The 'devs' can't handle this as the signatures are part of the blockchain. 
> And they're there to stay."
> ..
> 
> regards
> Ellan
> 
> UNOFFICIAL
> 
> 
> If you have received this transmission in error please notify us immediately 
> by return e-mail and delete all copies. If this e-mail or any attachments 
> have been sent to you in error, that error does not constitute waiver of any 
> confidentiality, privilege or copyright in respect of information in the 
> e-mail or attachments.


Re: [clamav-users] Bitcoin : Chainstate : Virii [SEC=UNOFFICIAL]

2014-06-10 Thread Charles Swiger
On Jun 10, 2014, at 3:57 PM, Alan Langley  wrote:
> UNOFFICIAL
> Hi Joel,
> 
> I've tried a couple of times to unsubscribe from the clamav-users list as it 
> is no longer required - I'm still receiving the emails - I thought you might 
> have the power to remove my address from the list.
[ ... ]

You should have the power to unsubscribe yourself here:

  http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Regards,
-- 
-Chuck



Re: [clamav-users] Bitcoin : Chainstate : Virii [SEC=UNOFFICIAL]

2014-06-10 Thread Alan Langley
UNOFFICIAL
Hi Joel,

I've tried a couple of times to unsubscribe from the clamav-users list as it is 
no longer required - I'm still receiving the emails - I thought you might have 
the power to remove my address from the list.

Cheers
Alan Langley

Systems Administrator, Storage, Backup and Recovery ICT Infrastructure Support 
and Systems Executive and Information Services

Room 32 Mitchell

-Original Message-
From: clamav-users-boun...@lists.clamav.net 
[mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Joel Esler (jesler)
Sent: Wednesday, 11 June 2014 8:52 AM
To: ClamAV users ML
Subject: Re: [clamav-users] Bitcoin : Chainstate : Virii

Thanks Ellan.

What is your question here?

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

On Jun 10, 2014, at 10:49 AM, ellanios82 wrote:

Hello List


 i notice link :

https://bitcointalk.org/index.php?topic=574691.0



notice remarks :
"Just tell your antivirus program to ignore the folder 
/Users/username/Library/Application Support/Bitcoin"

"This is a huge mistake! "

"Just imagine: a unknown virus download some viruses to this directory. The 
folder is ignore by the virus scanner, so _valid_ viruses are not recognized, 
they can do whatever they want to do."

"And you do not realize that your wallet is stolen."

"So the devs should somehow handle this!"

Elbandi

"The 'devs' can't handle this as the signatures are part of the blockchain. And 
they're there to stay."
..

regards
 Ellan

UNOFFICIAL


If you have received this transmission in error please notify us immediately by 
return e-mail and delete all copies. If this e-mail or any attachments have 
been sent to you in error, that error does not constitute waiver of any 
confidentiality, privilege or copyright in respect of information in the e-mail 
or attachments.


Re: [clamav-users] Bitcoin : Chainstate : Virii

2014-06-10 Thread Joel Esler (jesler)
Thanks Ellan.

What is your question here?

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

On Jun 10, 2014, at 10:49 AM, ellanios82 wrote:

Hello List


 i notice link :

https://bitcointalk.org/index.php?topic=574691.0



notice remarks :
"Just tell your antivirus program to ignore the folder 
/Users/username/Library/Application Support/Bitcoin"

"This is a huge mistake! "

"Just imagine: a unknown virus download some viruses to this directory. The 
folder is ignore by the virus scanner, so _valid_ viruses are not recognized, 
they can do whatever they want to do."

"And you do not realize that your wallet is stolen."

"So the devs should somehow handle this!"

Elbandi

"The 'devs' can't handle this as the signatures are part of the blockchain. And 
they're there to stay."
..

regards
 Ellan


[clamav-users] Bitcoin : Chainstate : Virii

2014-06-10 Thread ellanios82

 Hello List


  i notice link :

https://bitcointalk.org/index.php?topic=574691.0



notice remarks :
 "Just tell your antivirus program to ignore the folder 
/Users/username/Library/Application Support/Bitcoin"


"This is a huge mistake! "

"Just imagine: a unknown virus download some viruses to this directory. 
The folder is ignore by the virus scanner, so _valid_ viruses are not 
recognized, they can do whatever they want to do."


"And you do not realize that your wallet is stolen."

"So the devs should somehow handle this!"

Elbandi

"The 'devs' can't handle this as the signatures are part of the 
blockchain. And they're there to stay."

..

regards
  Ellan


Re: [clamav-users] clamav does not recognize virus?!

2014-06-10 Thread Alain Zidouemba
We are looking into it.

Thanks,

- Alain


On Tue, Jun 10, 2014 at 10:07 AM, ungifted  wrote:

> On Tue, 10 Jun 2014 09:28:58 -0400
>  Alain Zidouemba wrote:
>
> > Thanks for reporting this, ungifted. We'll release a signature shortly.
>
> Thanks.
>
> Why submission form have checkbox "Notify me", but I never got any
> notifications?
> I use clamav since 2004.


Re: [clamav-users] clamav does not recognize virus?!

2014-06-10 Thread ungifted
On Tue, 10 Jun 2014 09:28:58 -0400
 Alain Zidouemba wrote:

> Thanks for reporting this, ungifted. We'll release a signature shortly.

Thanks.

Why submission form have checkbox "Notify me", but I never got any 
notifications?
I use clamav since 2004.


Re: [clamav-users] Bitcoin : Chainstate : clamav today detects 6 infected files with names like : 512719.sst

2014-06-10 Thread Alain Zidouemba
Can you provide the detection names? What are the MD5s or SHA256s of
the files?
Please upload them here: http://www.clamav.net/lang/en/sendvirus/

- Alain


On Tue, Jun 10, 2014 at 9:59 AM, ellanios82  wrote:

>  Hello List
>
>
>  - today, clamscan detects 6 bitcoin chainstate files as being infected
>
> 
>
>  Dear Alain Zidouemba : may i upload all 6 or do you prefer just two ??
>
> .
>
> thanks
>   Ellan


[clamav-users] Bitcoin : Chainstate : clamav today detects 6 infected files with names like : 512719.sst [2]: is BITCOIN a known vector ?

2014-06-10 Thread ellanios82

 Hello List

 - seems this is known as "Gergana.9"  : is BITCOIN a known vector ?

...
 - today, clamscan detects 6 bitcoin chainstate files as being infected




thanks
  Ellan


[clamav-users] Bitcoin : Chainstate : clamav today detects 6 infected files with names like : 512719.sst

2014-06-10 Thread ellanios82

 Hello List


 - today, clamscan detects 6 bitcoin chainstate files as being infected



 Dear Alain Zidouemba : may i upload all 6 or do you prefer just two ??

.

thanks
  Ellan


Re: [clamav-users] clamav does not recognize virus?!

2014-06-10 Thread Alain Zidouemba
Thanks for reporting this, ungifted. We'll release a signature shortly.

- Alain


On Tue, Jun 10, 2014 at 4:29 AM, ungifted  wrote:

> On Tue, 10 Jun 2014 09:41:34 +0300
>  Henri Salo wrote:
>
> > On Tue, Jun 10, 2014 at 08:22:39AM +0200, Frank Rust wrote:
> > > why does clamav not recognize any virus?
> > > Any advice?
> >
> > http://www.clamav.net/lang/en/sendvirus/
>
> Black hole for me even with checked "Notify me".
>
>
> For example: I have file Shipping details.exe
> I submit it (19.May.2014) to clamav, drweb, symantec.
>
> clamav - silence (as always) and today:
>
> Shipping details.exe: OK
>
> --- SCAN SUMMARY ---
> Known viruses: 5247083
> Engine version: 0.98.1
>
> drweb
> ticket opened notification 19 may 10:44
> ticket closed 19 may 13:35 (Trojan.PWS.Panda.4795)
>
> symantec
> ticket opened notification. And silence (as always), but detected then as
> Trojan.Zbot
>
>
> https://www.virustotal.com/ru/file/87edb192a67ad4ed3aa5f5de79cfcb074f1a375b731bb05cb4a4848fe9fd3fcf/analysis/1402387884/
>
> ps. I will submit it again, now


Re: [clamav-users] clamav does not recognize virus?!

2014-06-10 Thread ungifted
On Tue, 10 Jun 2014 01:36:24 -0700
 Al Varnell wrote:

> 
> On Tue, Jun 10, 2014 at 01:29 AM, ungifted wrote:
> > 
> > On Tue, 10 Jun 2014 09:41:34 +0300
> > Henri Salo wrote:
> > 
> >> On Tue, Jun 10, 2014 at 08:22:39AM +0200, Frank Rust wrote:
> >>> why does clamav not recognize any virus?
> >>> Any advice? 
> >> 
> >> http://www.clamav.net/lang/en/sendvirus/
> > 
> > Black hole for me even with checked "Notify me".
> > 
> > 
> > For example: I have file Shipping details.exe
> > I submit it (19.May.2014) to clamav, drweb, symantec.
> > 
> > clamav - silence (as always) and today:
> > 
> > Shipping details.exe: OK
> 
> Post the MD5 of the file you uploaded to make it easier for them to find and 
> give you a status.


$ gpg --print-md md5 /tmp/Shipping\ details.exe 
/tmp/Shipping details.exe: DD F5 E8 E5 C5 68 70 D5  BC 4C 7A D9 1E 49 0F 24


Re: [clamav-users] clamav does not recognize virus?!

2014-06-10 Thread Al Varnell

On Tue, Jun 10, 2014 at 01:29 AM, ungifted wrote:
> 
> On Tue, 10 Jun 2014 09:41:34 +0300
> Henri Salo wrote:
> 
>> On Tue, Jun 10, 2014 at 08:22:39AM +0200, Frank Rust wrote:
>>> why does clamav not recognize any virus?
>>> Any advice? 
>> 
>> http://www.clamav.net/lang/en/sendvirus/
> 
> Black hole for me even with checked "Notify me".
> 
> 
> For example: I have file Shipping details.exe
> I submit it (19.May.2014) to clamav, drweb, symantec.
> 
> clamav - silence (as always) and today:
> 
> Shipping details.exe: OK

Post the MD5 of the file you uploaded to make it easier for them to find and 
give you a status.


-Al-
-- 
Al Varnell
Mountain View, CA







Re: [clamav-users] clamav does not recognize virus?!

2014-06-10 Thread ungifted
On Tue, 10 Jun 2014 09:41:34 +0300
 Henri Salo wrote:

> On Tue, Jun 10, 2014 at 08:22:39AM +0200, Frank Rust wrote:
> > why does clamav not recognize any virus?
> > Any advice? 
> 
> http://www.clamav.net/lang/en/sendvirus/

Black hole for me even with checked "Notify me".


For example: I have file Shipping details.exe
I submit it (19.May.2014) to clamav, drweb, symantec.

clamav - silence (as always) and today:

Shipping details.exe: OK

--- SCAN SUMMARY ---
Known viruses: 5247083
Engine version: 0.98.1

drweb
ticket opened notification 19 may 10:44
ticket closed 19 may 13:35 (Trojan.PWS.Panda.4795)

symantec
ticket opened notification. And silence (as always), but detected then as 
Trojan.Zbot

https://www.virustotal.com/ru/file/87edb192a67ad4ed3aa5f5de79cfcb074f1a375b731bb05cb4a4848fe9fd3fcf/analysis/1402387884/

ps. I will submit it again, now