Trojan identified by ClamTK.

sleeper12
Level 21
Posts: 14609
Joined: Thu May 25, 2017 3:22 pm

Re: Trojan identified by ClamTK.

Post by sleeper12 »

You will need to download the ISO from your country & put it on a DVD or bootable flash drive. You can then try it in a live session before installing to see if it works well for you or not:
https://linuxmint.com/edition.php?id=271
ricardogroetaers
Level 6
Posts: 1374
Joined: Sat Oct 27, 2018 3:06 am
Location: Rio de Janeiro, Brasil

Re: Trojan identified by ClamTK.

Post by ricardogroetaers »

dmburkus wrote: Tue Mar 30, 2021 6:49 pm The detected file is js.coinminer.generic-7156523-0.

Thank you, Sleeper-12. Two of the engines (out of the 59) used by VirusTotal confirm this to be malware:
ClamAV Js.Coinminer.Generic-7156523-0
Sangfor Engine Zero Malware.Generic-HTML.Save.0e6b3802

Is this something that it would be safe to ignore? Otherwise, what action should be taken?
I did some research.
This guy is a cryptocurrency miner.
It usually infects Windows systems.
If it infects Linux systems, I don't know.
But it can infect your browser.
The symptoms you describe in the initial post of the topic are typical.
It uses your processor and your chipset or video card when it is active.
It may be that your ad blocker is malicious or has been infected or the malware has been installed by other means.
Last edited by ricardogroetaers on Wed Mar 31, 2021 12:23 am, edited 1 time in total.
deepakdeshp
Level 20
Posts: 12341
Joined: Sun Aug 09, 2015 10:00 am

Re: Trojan identified by ClamTK.

Post by deepakdeshp »

Schultz wrote: Tue Mar 30, 2021 7:53 pm You may want to rethink using AV on Linux. They are needed on Windows, but not Linux. (Yes, it's true.)

https://easylinuxtipsproject.blogspot.c ... urity.html
There are almost no viruses on Linux in the wild, so I second this.
If I have helped you solve a problem, please add [SOLVED] to your first post title, it helps other users looking for help.
Regards,
Deepak

Mint 21.1 Cinnamon 64 bit with AMD A6 / 8GB
Mint 21.1 Cinnamon AMD Ryzen3500U/8gb
sleeper12
Level 21
Posts: 14609
Joined: Thu May 25, 2017 3:22 pm

Re: Trojan identified by ClamTK.

Post by sleeper12 »

If there is still doubt, it can be checked on Hybrid Analysis:
https://www.hybrid-analysis.com/
dmburkus
Level 2
Posts: 80
Joined: Sat Oct 24, 2020 4:12 am

Re: Trojan identified by ClamTK.

Post by dmburkus »

A long reply, sorry. And thank you to everyone who has taken the time to write.

Thank you very much, Ricardogroetaers, for the updated information on the trojan. It seems that I probably transferred the trojan to my Windows machine when moving a file, because similar symptoms have been showing up there -- though none of the malware scans have thrown up anything (I ran TronScan last Sunday and none of the scans in that bundle came up with anything). I neither own cryptocurrency, nor have any of my banking information on either of my machines, so there is no worry there, I guess. But both are running slowly, and both are showing odd mouse behavior. Might I trouble you to give me the link to information on this trojan, as well as to the removal information (for the Windows machine if nowhere else).

I suppose it was only a matter of time before the Ad Blocker became infected -- after all, I guess it is biting into various site's revenue. On top of everything else that is happening, I really do not need this kind of bs.


Now, to other comments: Deepakdeshp commented on "'Schultz wrote: / Wed Mar 31, 2021 8:53 am / You may want to rethink using AV on Linux. They are needed on Windows, but not Linux. (Yes, it's true.)' There are almost no viruses on Linux, in the wild so I second this."

Well, even though I have done everything on the list (in the quoted blog), it would seem that something has gotten into my machine. Since, even after uninstalling the AdBlocker Ultimate, the symptoms remain...what should I do? Will installing the new version (assuming it works on this machine) solve the problem? I would assume the firewall is turned on (I certainly never turned it off), but...if it is something that I have to do deliberately, I have not done so and do not know how to do that.


Sleeper-12, I already removed the AdBlocker Ultimate. I am running ClamTk again now, to see if the file(s) are still on the PC; and, if so, I will submit it to Hybrid-Analysis.


And finally, with regard to your comments on the download of the new version of the operating system: since a torrent is available for the program Linux Mint 19.2 "Tina" - Xfce (64-bit), I decided it was best to let Tixati deal with it. I guess it will be downloaded sooner or later (2 hours, it says now). After that I will burn it to a DVD and run that (the machine is set to boot from DVDs first, and I am afraid to screw something up if I go into the BIOS).

After I download it and either get it burned onto a disk or moved onto a USB drive, I will try running it and see what happens. I will comment on here one way or the other (and probably have other questions to ask at that time -- if you don't mind).


Thank you all, once again, for your help! I really, really appreciate your kindness!
RIH
Level 9
Posts: 2908
Joined: Sat Aug 22, 2015 3:47 am

Re: Trojan identified by ClamTK.

Post by RIH »

Rather than using a dubious virus detector you might want to consider using Firejail to protect your machine.
dmburkus
Level 2
Posts: 80
Joined: Sat Oct 24, 2020 4:12 am

Re: Trojan identified by ClamTK.

Post by dmburkus »

Hybrid-analysis states "no specific threat. Labeled as: Unavailable."

Meanwhile, the Linux Mint 19.2 "Tina" - Xfce (64-bit) has finished downloading. I will see about burning it to a disk, and then try to run the program on this PC. I will post the results afterward.

Can anyone give me some feedback on the Firejail Security Sandbox that RIH recommended?

Thank you, again, for your help.
deepakdeshp
Level 20
Posts: 12341
Joined: Sun Aug 09, 2015 10:00 am

Re: Trojan identified by ClamTK.

Post by deepakdeshp »

https://howtoinstall.co/en/firejail
I have not installed any AV application on my present Mint 20.1. Been using it for 5.5 years without any incident.

Good luck for your search.
Last edited by deepakdeshp on Wed Mar 31, 2021 8:34 am, edited 1 time in total.
Regards,
Deepak
Hoser Rob
Level 20
Posts: 11796
Joined: Sat Dec 15, 2012 8:57 am

Re: Trojan identified by ClamTK.

Post by Hoser Rob »

dmburkus wrote: Tue Mar 30, 2021 9:28 pm ... I will remove AdBlocker Ultimate, and replace it with Ublock Origin....
And as I suggested before install the nocoin browser extension too. This should prevent this happening in the future. It was quite obviously a bitcoin browser hack from the name. You'd think they'd be more imaginative.
For every complex problem there is an answer that is clear, simple, and wrong - H. L. Mencken
dmburkus
Level 2
Posts: 80
Joined: Sat Oct 24, 2020 4:12 am

Re: Trojan identified by ClamTK.

Post by dmburkus »

Ok, I am running Linux Mint 19.2 "Tina" - Xfce (64-bit) from the .iso burned onto a DVD. It seems to be running smoothly. Is there anything I should do to test whether this machine can handle this version of Linux Mint -- or, is the fact that I am able to run Firefox without issue proof enough that this old machine is up to it?

I do notice that the mouse is still not behaving properly, so far as highlighting text is concerned, but other than that, it seems fine (of course no other programs are running now, because nothing has been installed).

I am going to be shutting down now. Been a busy day today, and I have a long day scheduled tomorrow. I will check my mail in the morning, but I do not know if I will be able to do much more than that.

One question, however: I bought a new hard drive, and I am thinking of installing Linux Mint onto that. My question is would it be safe to attach this old drive as a D: drive, and then move that data over to the new one (I am thinking mostly about a couple of Tixati files, one of which is in the process of downloading, and has been for the past two weeks, so I would like to not have to start all over)? If not -- if, for example, there is a danger of somehow contaminating the new installation with whatever was on the old drive -- I may hold off installing the new version of the operating system until that file is finished.

Be that as it may, I likely will not be able to take this machine apart and switch the hard drives until the weekend, so it might be best to hold off asking any more questions until then.

Thank you all, once again, for your help.
vvv511
Level 2
Posts: 66
Joined: Sun Mar 17, 2019 6:38 pm

Re: Trojan identified by ClamTK.

Post by vvv511 »

That looks like a cryptocurrency miner. It will use the resources of your machine to mine cryptocurrency in the background while you have your browser open, that's probably why your computer is slow. However, your computer could also be slow for any other reason that you still haven't figured out. I took a look at the AdBlocker Ultimate page and as it is recommended by Mozilla and there aren't any recent bad reviews or complaints I assumed it was a recent malware but I found this review two months ago that will lead to a Malwarebytes thread from 2017 of someone having the same problem as you.

The conclusion is that it is a false positive. There are other complaints with different ad blockers (#1, #2), so your AV detects these domains in the filter lists and thinks they are malware. If your system is slow there's probably another reason, unless your system is already infected from a different source. Check your running processes and see if you can find anything suspicious running in the background.
karlchen
Level 23
Posts: 18228
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Trojan identified by ClamTK.

Post by karlchen »

Schultz wrote: Tue Mar 30, 2021 7:53 pm You may want to rethink using AV on Linux. They are needed on Windows, but not Linux. (Yes, it's true.)
Though basically it is true, it is really a funny idea to say that ClamAV is of no use on Linux in one of the rare cases where ClamAV has correctly identified a malicious Firefox extension. - Which will very likely work under Firefox on Windows as well as under Firefox on Linux.
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 792 days now.
karlchen
Level 23
Posts: 18228
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Trojan identified by ClamTK.

Post by karlchen »

sleeper12 wrote: Tue Mar 30, 2021 9:15 pm
dmburkus wrote: Tue Mar 30, 2021 6:49 pm ClamAV Js.Coinminer.Generic-7156523-0
Sangfor Engine Zero Malware.Generic-HTML.Save.0e6b3802
Yes, I would say it is safe to ignore.
Sorry, but I have to disagree. Malware should not be ignored in any case.
Even if the remaining supported lifetime of LM 18.1 is only around 4 weeks.
In this specific case, a Firefox browser extension, it should even be relatively simple to identify the extension and uninstall it.
Plus clear the complete Firefox cache on Firefox exit.
And if you want to make more sure it is gone, empty the directory tree $HOME/.cache/mozilla, when Firefox has been shut down.
karlchen
Level 23
Posts: 18228
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Trojan identified by ClamTK.

Post by karlchen »

Hi, folks.

In case you google e.g. for Cryptominer in Adblocker extension, you will be reminded that there were / are websites that will make your browser run crypto-mining scripts, as soon as you visit their webpages.
Meaning, no permanent extension is needed. So AdBlocker may or may not be involved.
Problem is that lots of users, for reasons which I will never understand, will not configure their browsers to clear the stupid cache completely on exit.
If the cache is kept across sessions and if you have configured your browser to start up and restore your previously open tabs, then it is imaginable that, even without a malicious extension, this is sufficient to re-connect to the secretly mining page on every browser startup.

From my point of view analyzing this would have been the job in this thread, not suggesting to ignore the issue, because the Mint release in use will reach EOL in a few weeks. True, it will. But whatever has given Firefox the crypto-mining extension or scripts, which it executed, will be still around, even after the thread starter has dutifully upgraded to Mint 19.2.

Karl
--
Any point of view expressed in this post is purely my own private point of view as a forum user.
sleeper12
Level 21
Posts: 14609
Joined: Thu May 25, 2017 3:22 pm

Re: Trojan identified by ClamTK.

Post by sleeper12 »

karlchen wrote: Wed Mar 31, 2021 10:02 am
....From my point of view analyzing this would have been the job in this thread, not suggesting to ignore the issue, because the Mint release in use will reach EOL in a few weeks. True it will. But whatever has given Firefox the crypto-mining extension or scripts, which it executed, will be still around, even after the thread starter has dutifully upgraded to Mint 19.2.

Karl
Well, I wondered about that as well. Only reason I said it could be ignored was I thought upgrading to Mint 19.2 with a new Firefox would solve the problem. But, you're saying the malware will still come along even with a clean install? If that's the case, it's news to me.
karlchen
Level 23
Posts: 18228
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Trojan identified by ClamTK.

Post by karlchen »

Hi, sleeper12.

No, I did not say that the malware will come back (inevitably). It might. Irrespective of OS release version.

In case it is a webpage, which embeds the crypto-miner in its webpage code, then the same webpage code will be presented to any browser running on any OS release. I.e. such a webpage would also try to make a Firefox 87.0 running on LM 20.1 execute its crypto-mining code.

It does not matter whether your Firefox 87.0 is running on top of LM 20.1, 20, 19.x or only 18.1. It is the same old Firefox on all of them.

In case the crypto-mining code should be brought along by a seemingly legitimate Firefox extension, again the same extension might be executed by Firefox 87.0 on any Linux Mint release.

(Yes, the same up-to-date browser versions are running on all of my LM systems, 18.1 / 19.2 / 19.3. Applies to Firefox as well as other browsers.)

What gets my goat in this forum frequently is that whenever a user, who still uses an LM release, which is going to reach EOSL soon, reports a not so complicated problem, this user will inevitably be told not to spend any time on solving the problem, but to install a newer LM release instead. No matter how trivial the problem solution may really be.

Best regards,
Karl
sleeper12
Level 21
Posts: 14609
Joined: Thu May 25, 2017 3:22 pm

Re: Trojan identified by ClamTK.

Post by sleeper12 »

Karl,

Ok, thanks for clarifying that. So, what is the solution now before the OP does a clean install of Mint 19.2 (if he decides to do so)?

Sorry, I now see what you said before:

"In this specific case, a Firefox browser extension, it should even be relatively simple to identify the extension and uninstall it.
Plus clear the complete Firefox cache on Firefox exit.
And if you want to make more sure it is gone, empty the directory tree $HOME/.cache/mozilla, when Firefox has been shut down."
karlchen
Level 23
Posts: 18228
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Trojan identified by ClamTK.

Post by karlchen »

Hi, sleeper12.

In this specific case, ClamAV, which is really not the most sophisticated AV software, had already taken care of the relevant files initially, before the problem had been recreated in order to be able to verify on VirusTotal what precisely the suspected malware might be.
In this specific case, clearing the Firefox cache seems to be sufficient.
In case the old AdBlocker extension had been involved, uninstalling it, and maybe replacing it by a different ad blocker, may be advisable.

By the way, Firefox 87.0 (and before, not sure since which version precisely) offers to block crypto-miner code.
It can be found under Preferences => Privacy and Security. The default setting is "blocking crypto-miners on".
So perhaps it is worth making sure that this setting has been enabled.

This applies to Firefox on any LM release. - I mention this because a lot of users, including myself, will restore the backed up Firefox profile from the previous system on the newly installed release. - In case blocking crypto-miners is off now, then it would be off as well on the newer LM release, as soon as the old Firefox profile has been restored.

Best regards,
Karl
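As an added example (not code from the thread or from any of the posters), a small Python checker for the Firefox settings discussed in the two karlchen posts above: whether crypto-miner blocking is off, whether the cache is kept across sessions, and whether session restore would reopen tabs while that cache is kept. It parses a profile's prefs.js/user.js; the pref names and their built-in Firefox defaults are assumptions taken from current Firefox builds (verify in about:config), and the sample prefs.js is constructed.

```python
import re
from pathlib import Path

# Prefs the thread discusses, with Firefox's built-in defaults (assumed; verify in about:config).
PREF_DEFAULTS = {
    "privacy.trackingprotection.cryptomining.enabled": True,  # block crypto-miner scripts
    "privacy.sanitize.sanitizeOnShutdown": False,             # clear selected data on exit
    "privacy.clearOnShutdown.cache": True,                    # ...the cache being one of them
    "browser.startup.page": 1,                                # 3 = restore the previous session
}
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    # Parse user_pref(...) lines of prefs.js / user.js into a dict of typed values.
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        key, raw = m.groups()
        if raw in ("true", "false"):
            prefs[key] = raw == "true"
        elif raw.lstrip("-").isdigit():
            prefs[key] = int(raw)
        else:
            prefs[key] = raw.strip('"')
    return prefs

def assess(prefs):
    # Findings for one profile; an empty list means it matches the advice given in the thread.
    eff = {k: prefs.get(k, d) for k, d in PREF_DEFAULTS.items()}
    cache_cleared = eff["privacy.sanitize.sanitizeOnShutdown"] and eff["privacy.clearOnShutdown.cache"]
    findings = []
    if not eff["privacy.trackingprotection.cryptomining.enabled"]:
        findings.append("crypto-miner blocking is OFF (Preferences > Privacy & Security)")
    if not cache_cleared:
        findings.append("cache is kept across sessions (not cleared on exit)")
    if eff["browser.startup.page"] == 3 and not cache_cleared:
        findings.append("previous session is restored at startup: a mining tab would be reopened")
    return findings

def assess_profile_dir(profile_dir):
    # user.js is applied after prefs.js at startup, so its values win.
    merged = {}
    for name in ("prefs.js", "user.js"):
        p = Path(profile_dir) / name
        if p.is_file():
            merged.update(parse_prefs(p.read_text(errors="replace")))
    return assess(merged)

# Constructed sample: a profile restored from an older install with miner blocking switched off.
SAMPLE_PREFS_JS = """\
user_pref("browser.startup.page", 3);
user_pref("privacy.trackingprotection.cryptomining.enabled", false);
user_pref("privacy.clearOnShutdown.cache", true);
"""

if __name__ == "__main__":
    print("sample profile:", assess(parse_prefs(SAMPLE_PREFS_JS)))
    for prefs_js in Path.home().glob(".mozilla/firefox/*/prefs.js"):  # live check of local profiles
        print(prefs_js.parent.name + ":", assess_profile_dir(prefs_js.parent))
```

Run it with Firefox closed, since Firefox rewrites prefs.js on exit and any change made in the Preferences dialog only lands on disk then.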
sleeper12
Level 21
Posts: 14609
Joined: Thu May 25, 2017 3:22 pm

Re: Trojan identified by ClamTK.

Post by sleeper12 »

Unless I'm mistaken, wouldn't a clean install do all that anyway (assuming you didn't restore the backed up Firefox profile from the previous system)? Sorry to belabor this, just trying to learn.
ricardogroetaers
Level 6
Posts: 1374
Joined: Sat Oct 27, 2018 3:06 am
Location: Rio de Janeiro, Brasil

Re: Trojan identified by ClamTK.

Post by ricardogroetaers »

dmburkus wrote: Wed Mar 31, 2021 5:59 am Might I trouble you to give me the link to information on this trojan, as well as to the removal information (for the Windows machine if nowhere else).
Some links, have fun:
https://www.myantispyware.com/2017/12/2 ... val-guide/
https://www.pcrisk.pt/guias-de-remocao/ ... er-malware
https://www.malware-board.com/pt/remove ... de-excluir
https://semvirus.pt/win32-coinminer/
https://www.microsoft.com/en-us/wdsi/th ... /CoinMiner