ClamAV identifies 3ivx.dll as virus!?!?

Posted: Tue Jan 08, 2013 3:12 pm
by gumbeto
Hi,

I just ran clamscan and it found the file /usr/lib/codecs/3ivx.dll to be a trojan:

$ clamscan /usr/lib/codecs/3ivx.dll
/usr/lib/codecs/3ivx.dll: Win.Trojan.Fakesmoke-33 FOUND
I confirmed it also with an online scanner: http://tinyurl.com/a6c4dw6

Also

$ file /usr/lib/codecs/3ivx.dll
/usr/lib/codecs/3ivx.dll: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
I searched with apt-file, but couldn't find any package containing this file.

Does anyone have an explanation for this? What the hell is a DLL doing in my Linux? And how did it get there? And is this really a virus? All I found was this... :?

Re: ClamAV identifies 3ivx.dll as virus!?!?

Posted: Tue Jan 08, 2013 3:31 pm
by xenopeek
This file comes from w32codecs package. If you have Wine, I suggest you not use it to run Windows programs till you have sorted this out. Suggest you check the md5sum of this file and the version of the package you installed, and share the output here. You can do this with:

md5sum /usr/lib/codecs/3ivx.dll

dpkg-query -Wf '${Version}\n' w32codecs
No use comparing the md5sum of the file if you have a different version of the package. On Linux Mint 14 I have the following version:

1:20110131-0.1medibuntu3
The md5sum of the file is:

b6c2afc47ba576f72a5c780006782585
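An added example (not from the thread) that scripts the check xenopeek describes: it compares a file's md5sum with the entry recorded for it in a Debian-style md5sums manifest, the format dpkg keeps under /var/lib/dpkg/info/<package>.md5sums (assumed to exist for w32codecs), so the "same package version, same hash" comparison is done against the installed package's own records rather than by eye.

```shell
#!/bin/sh
# Added example, not code from the thread or from the w32codecs package.
# Manifest format assumed: one "<md5>  <path without leading />" per line,
# as in /var/lib/dpkg/info/<package>.md5sums (paths containing spaces are
# not handled).
#
# verify_against_manifest MANIFEST RELPATH [ROOT]
#   RELPATH is the path as stored in the manifest (e.g. usr/lib/codecs/3ivx.dll),
#   ROOT is the filesystem root to resolve it under (default /).
# Exit status: 0 hash matches, 1 hash differs, 2 file not listed in manifest.
verify_against_manifest() {
    manifest="$1"
    rel="$2"
    root="${3:-/}"
    file="${root%/}/$rel"

    # Look up the recorded hash for exactly this path.
    expected=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$manifest")
    if [ -z "$expected" ]; then
        echo "$file: not listed in $manifest" >&2
        return 2
    fi

    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "$file: OK ($actual)"
        return 0
    fi
    echo "$file: MISMATCH (manifest $expected, on disk $actual)" >&2
    return 1
}

# compare_known KNOWN_MD5 FILE
#   Compares a file with a hash obtained out of band (e.g. the b6c2afc4... value
#   another user of the same package version posted). 0 on match, 1 otherwise.
compare_known() {
    actual=$(md5sum "$2" | cut -d' ' -f1)
    [ "$actual" = "$1" ]
}

# When run as a script: verify_against_manifest MANIFEST RELPATH [ROOT]
# e.g. ./check.sh /var/lib/dpkg/info/w32codecs.md5sums usr/lib/codecs/3ivx.dll
if [ "$#" -ge 2 ]; then
    verify_against_manifest "$@"
fi
```

A differing hash only tells you the file is not the one the package shipped; whether the shipped file itself is clean is the separate question the VirusTotal check in this thread addresses.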

Re: ClamAV identifies 3ivx.dll as virus!?!?

Posted: Tue Jan 08, 2013 9:26 pm
by mank_in
I think this is a false positive detection by ClamAV.
I checked the file with virustotal.com, the result is: https://www.virustotal.com/file/d4273c4 ... /analysis/

Re: ClamAV identifies 3ivx.dll as virus!?!?

Posted: Wed Jan 09, 2013 3:10 am
by xenopeek
Awesome, good find. The SHA256 of a file you can check with sha256sum.

Re: ClamAV identifies 3ivx.dll as virus!?!?

Posted: Wed Jan 09, 2013 6:41 am
by gumbeto
Yes, most likely this is a false positive. I do have the same md5 as you, and that means that anyone with the same version of w32codecs would have this 3ivx.dll file flagged as a virus by clamav... Therefore, what surprises me is that there is very little on the web concerning this! I had expected to find other people with the same question :shock: This is what alerted me. I guess anti-virus really isn't popular with Linux users :P http://www.gnu.org/fun/jokes/evilmalware.html

In any case, I will make sure I don't get this into windows.

Still, there is something that's puzzling me: why are these DLLs installed with w32codecs? How are they used?

Anyway, thanks for your replies!

Re: ClamAV identifies 3ivx.dll as virus!?!?

Posted: Wed Jan 09, 2013 7:16 am
by xenopeek
Package description:
This package contain video codecs for popular proprietary formats not natively supported by mplayer.
.
ATI VCR-2 video codec.
Cinepak video codec
DivX ;-) video codec, ver. 3.11
DivX ;-) video codec, ver. 4.x
Indeo Video 3.2/4.1/5.0/4.1 quick/5.0 quick codecs.
Intel 263 video codec.
Microsoft MPEG-4 video codec, beta version 3.0.0.2700
Morgan Multimedia Motion JPEG video codec.
QuickTime
RealAudio
RealVideo 8
RealVideo 9
Windows Media Video 9
.
And more...
GNOME MPlayer will probably run these files for playing back multimedia files of these types. (A codec dll file will probably not use the Windows API itself much, so with some tricks these can probably be run on Linux without Wine?) Oh, and the smilies were really in the package description :wink:

Re: ClamAV identifies 3ivx.dll as virus!?!?

Posted: Wed Jan 09, 2013 9:32 am
by gumbeto
Thanks. It's how they use the DLL that got me wondering, but after all Wine does it, so there must be a way :) Probably with a wrapper and a minimal API to replace the needed Windows API stuff?

According to wikipedia "[MPlayer] can use Windows DLLs directly with the help of a DLL loader forked from avifile (which itself forked its loader from the Wine project)."