Linux Mint Forums

[gumbeto]

Hi,

I just run clamscan and it found the file /usr/lib/codecs/3ivx.dll to be a trojan

Code: Select all

$ clamscan /usr/lib/codecs/3ivx.dll
/usr/lib/codecs/3ivx.dll: Win.Trojan.Fakesmoke-33 FOUND

I confirmed it also with an online scanner: http://tinyurl.com/a6c4dw6

Also

Code: Select all

$ file /usr/lib/codecs/3ivx.dll
/usr/lib/codecs/3ivx.dll: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

I searched with apt-file, but couldn't find any package containing this file.

Does anyone have an explanation for this? What the hell is a dll doing in my linux? and how did it get there? And is this really a virus? All I found was this...

[xenopeek]

This file comes from w32codecs package. If you have Wine, I suggest you not use it to run Windows programs till you have sorted this out. Suggest you check the md5sum of this file and the version of the package you installed, and share the output here. You can do this with:

Code: Select all

md5sum /usr/lib/codecs/3ivx.dll

Code: Select all

dpkg-query -Wf '${Version}\n' w32codecs

No use comparing the md5sum of the file if you have a different version of the package. On Linux Mint 14 I have the following version:

Code: Select all

1:20110131-0.1medibuntu3

The md5sum of the file is:

Code: Select all

b6c2afc47ba576f72a5c780006782585

[mank_in]

I think this is false positive detection by Clam AV.
I check the file with virustotal.com , the result is : https://www.virustotal.com/file/d4273c4 ... /analysis/

[xenopeek]

Awesome, good find. The SHA256 of a file you can check with sha256sum.

[gumbeto]

Yes, most likely this is a false positive. I do have the same md5 as you and that means that anyone with the same version of w32codecs would have this 3ivx.dll file flagged as a virus by clamav... Therefore, what I am surprised with is that there is very little on the web concerning this! I had expected to find other people with the same question This is what alerted me. I guess anti-virus really aren't popular with linux users http://www.gnu.org/fun/jokes/evilmalware.html

In any case, I will make sure I don't get this into windows.

Still, there is something that's puzzling me: why are these dlls installed with w32codecs? how are they used?

Anyway, thanks for your replies!

[xenopeek]

Package description:

This package contain video codecs for popular proprietary formats not natively supported by mplayer.
.
ATI VCR-2 video codec.
Cinepak video codec
DivX video codec, ver. 3.11
DivX video codec, ver. 4.x
Indeo Video 3.2/4.1/5.0/4.1 quick/5.0 quick codecs.
Intel 263 video codec.
Microsoft MPEG-4 video codec, beta version 3.0.0.2700
Morgan Multimedia Motion JPEG video codec.
QuickTime
RealAudio
RealVideo 8
RealVideo 9
Windows Media Video 9
.
And more...

GNOME MPlayer will probably run these files for playing back multimedia files of these types. (A codec dll file will probably not use the Windows API itself much, so with some tricks these can probably be run on Linux without Wine?) Oh, and the smilies were really in the package description

[gumbeto]

Thanks. It's how they use the dll that got me wondering, but after all wine does it, so there must be a way Probably with a wrapper and a mimimal api to replace needed windows api stuff?

According to wikipedia "[MPlayer] can use Windows DLLs directly with the help of a DLL loader forked from avifile (which itself forked its loader from the Wine project)."