ClamAV identifies 3ivx.dll as virus!?!?


Post by gumbeto on Tue Jan 08, 2013 3:12 pm

Hi,

I just ran clamscan and it found the file /usr/lib/codecs/3ivx.dll to be a trojan:

Code:
$ clamscan /usr/lib/codecs/3ivx.dll
/usr/lib/codecs/3ivx.dll: Win.Trojan.Fakesmoke-33 FOUND


I confirmed it also with an online scanner: http://tinyurl.com/a6c4dw6

Also:
Code:
$ file /usr/lib/codecs/3ivx.dll
/usr/lib/codecs/3ivx.dll: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows


I searched with apt-file, but couldn't find any package containing this file.

Does anyone have an explanation for this? What the hell is a dll doing in my linux? And how did it get there? And is this really a virus? All I found was this... :?

Re: ClamAV identifies 3ivx.dll as virus!?!?

Post by xenopeek on Tue Jan 08, 2013 3:31 pm

This file comes from w32codecs package. If you have Wine, I suggest you not use it to run Windows programs till you have sorted this out. Suggest you check the md5sum of this file and the version of the package you installed, and share the output here. You can do this with:
Code:
md5sum /usr/lib/codecs/3ivx.dll

Code:
dpkg-query -Wf '${Version}\n' w32codecs

No use comparing the md5sum of the file if you have a different version of the package. On Linux Mint 14 I have the following version:
Code:
1:20110131-0.1medibuntu3

The md5sum of the file is:
Code:
b6c2afc47ba576f72a5c780006782585
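
The check described in the post above (package version first, then the file hash), as an added example that is not part of the original thread. It goes one step further than the manual comparison by checking the file against the md5sums manifest that dpkg records for the owning package; `verify_against_manifest` and `triage_file` are hypothetical helper names, and the example assumes the package ships a manifest under /var/lib/dpkg/info/.

```bash
#!/usr/bin/env bash
# Added example: triage a scanner hit on a packaged file by comparing the file
# with the checksum recorded in a dpkg-style md5sums manifest.
# Manifest line format: "<md5>  <path relative to the filesystem root>"

# verify_against_manifest MANIFEST FILE [ROOT]   (hypothetical helper)
# Prints MATCH / MISMATCH / UNLISTED and returns 0 / 1 / 2.
verify_against_manifest() {
    local manifest="$1" file="$2" root="${3:-/}"
    local rel expected actual
    # Strip the root prefix: /usr/lib/codecs/3ivx.dll -> usr/lib/codecs/3ivx.dll
    rel=${file#"${root%/}"/}
    # Exact match on the path column, so paths containing spaces still work.
    expected=$(awk -v p="$rel" '{ h = $1; sub(/^[0-9a-f]+  /, "")
                                  if ($0 == p) { print h; exit } }' "$manifest")
    if [ -z "$expected" ]; then
        echo "UNLISTED"     # file is not something this package shipped
        return 2
    fi
    actual=$(md5sum -- "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "MATCH"        # on-disk file is byte-identical to the packaged one
        return 0
    fi
    echo "MISMATCH"         # file changed after installation: investigate
    return 1
}

# triage_file FILE   (hypothetical helper, needs a Debian-based system)
# Finds the installed package that owns FILE, prints its version, then verifies.
triage_file() {
    local file="$1" pkg
    # dpkg -S searches installed packages, unlike apt-file, which only knows
    # about packages in the configured repository indexes.
    pkg=$(dpkg -S -- "$file" 2>/dev/null | head -n 1 | sed 's/: .*//')
    if [ -z "$pkg" ]; then
        echo "no installed package owns $file"
        return 3
    fi
    echo "package: $pkg $(dpkg-query -Wf '${Version}' "$pkg")"
    verify_against_manifest "/var/lib/dpkg/info/$pkg.md5sums" "$file"
}

# Usage: ./triage.sh /usr/lib/codecs/3ivx.dll
if [ "$#" -gt 0 ]; then
    triage_file "$1"
fi
```

A MATCH only shows that the file is what the package shipped, so the open question becomes the scanner signature or the package itself rather than local tampering.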

Re: ClamAV identifies 3ivx.dll as virus!?!?

Post by mank_in on Tue Jan 08, 2013 9:26 pm

I think this is a false positive detection by ClamAV.
I checked the file with virustotal.com; the result is: https://www.virustotal.com/file/d4273c4 ... /analysis/

Re: ClamAV identifies 3ivx.dll as virus!?!?

Post by xenopeek on Wed Jan 09, 2013 3:10 am

Awesome, good find. The SHA256 of a file you can check with sha256sum.

Re: ClamAV identifies 3ivx.dll as virus!?!?

Post by gumbeto on Wed Jan 09, 2013 6:41 am

Yes, most likely this is a false positive. I do have the same md5 as you and that means that anyone with the same version of w32codecs would have this 3ivx.dll file flagged as a virus by clamav... Therefore, what I am surprised with is that there is very little on the web concerning this! I had expected to find other people with the same question :shock: This is what alerted me. I guess anti-virus really aren't popular with linux users :P http://www.gnu.org/fun/jokes/evilmalware.html

In any case, I will make sure I don't get this into windows.

Still, there is something that's puzzling me: why are these dlls installed with w32codecs? How are they used?

Anyway, thanks for your replies!

Re: ClamAV identifies 3ivx.dll as virus!?!?

Post by xenopeek on Wed Jan 09, 2013 7:16 am

Package description:
This package contain video codecs for popular proprietary formats not natively supported by mplayer.
.
ATI VCR-2 video codec.
Cinepak video codec
DivX ;-) video codec, ver. 3.11
DivX ;-) video codec, ver. 4.x
Indeo Video 3.2/4.1/5.0/4.1 quick/5.0 quick codecs.
Intel 263 video codec.
Microsoft MPEG-4 video codec, beta version 3.0.0.2700
Morgan Multimedia Motion JPEG video codec.
QuickTime
RealAudio
RealVideo 8
RealVideo 9
Windows Media Video 9
.
And more...

GNOME MPlayer will probably run these files for playing back multimedia files of these types. (A codec dll file will probably not use the Windows API itself much, so with some tricks these can probably be run on Linux without Wine?) Oh, and the smilies were really in the package description :wink:

Re: ClamAV identifies 3ivx.dll as virus!?!?

Post by gumbeto on Wed Jan 09, 2013 9:32 am

Thanks. It's how they use the dll that got me wondering, but after all wine does it, so there must be a way :) Probably with a wrapper and a minimal api to replace needed windows api stuff?

According to wikipedia "[MPlayer] can use Windows DLLs directly with the help of a DLL loader forked from avifile (which itself forked its loader from the Wine project)."