ClamAV detects trojan in mint drivers

IoannisM

ClamAV detects trojan in mint drivers

Post by IoannisM »

Dear community,

I took the time today to check my system with ClamAV and I was surprised to find this report after running clamscan on my system folder:

/usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys: Win.Trojan.Agent-1427312 FOUND

Can you provide feedback as to how a windows trojan could have sneaked into that folder? I do not run wine or mono applications, nor do I install applications from PPAs, only the official repositories. All driver updates are done via the driver manager.

-----------------------------

Here are my system specifications:

Code:

System:    Host: (omitted) Kernel: 3.19.0-32-generic x86_64 (64 bit gcc: 4.8.2)
           Desktop: Cinnamon 2.8.8 (Gtk 3.10.8~8+qiana) Distro: Linux Mint 17.3 Rosa
Machine:   System: Dell product: Precision M4800 v: 00
           Mobo: Dell model: N/A Bios: Dell v: A15 date: 09/29/2015
CPU:       Quad core Intel Core i7-4710MQ (-HT-MCP-) cache: 6144 KB
           flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx) bmips: 19954
           clock speeds: max: 3500 MHz 1: 3379 MHz 2: 3499 MHz 3: 3373 MHz 4: 3390 MHz 5: 3358 MHz 6: 2858 MHz
           7: 3375 MHz 8: 2906 MHz
Graphics:  Card-1: Intel 4th Gen Core Processor Integrated Graphics Controller bus-ID: 00:02.0
           Card-2: NVIDIA GK107GLM [Quadro K1100M] bus-ID: 01:00.0
           Display Server: X.Org 1.15.1 drivers: intel (unloaded: fbdev,vesa) FAILED: nouveau
           Resolution: 1920x1080@60.0hz
           GLX Renderer: Mesa DRI Intel Haswell Mobile GLX Version: 3.0 Mesa 10.1.3 Direct Rendering: Yes
Audio:     Card-1 Intel 8 Series/C220 Series High Definition Audio Controller
           driver: snd_hda_intel bus-ID: 00:1b.0
           Card-2 Intel Xeon E3-1200 v3/4th Gen Core Processor HD Audio Controller
           driver: snd_hda_intel bus-ID: 00:03.0
           Sound: Advanced Linux Sound Architecture v: k3.19.0-32-generic
Network:   Card-1: Intel Ethernet Connection I217-LM driver: e1000e v: 2.3.2-k port: f080 bus-ID: 00:19.0
           IF: eth0 state: down mac: 20:47:47:cc:8f:8c
           Card-2: Intel Wireless 7260 driver: iwlwifi v: in-tree: bus-ID: 03:00.0
           IF: wlan0 state: up mac: 7c:5c:f8:0e:99:8a
Drives:    HDD Total Size: 2000.4GB (85.3% used) ID-1: /dev/sda model: ST500LM021 size: 500.1GB
           ID-2: USB /dev/sdb model: FreeAgent_Go size: 500.1GB
           ID-3: USB /dev/sdc model: External_USB_3.0 size: 1000.2GB
Partition: ID-1: / size: 74G used: 13G (18%) fs: ext4 dev: /dev/dm-0
           ID-2: /boot size: 237M used: 89M (40%) fs: ext2 dev: /dev/sda3
           ID-3: /home size: 323G used: 217G (71%) fs: ext4 dev: /dev/dm-2
           ID-4: swap-1 size: 16.00GB used: 0.00GB (0%) fs: swap dev: /dev/dm-1
RAID:      No RAID devices: /proc/mdstat, md_mod kernel module present
Sensors:   System Temperatures: cpu: 66.0C mobo: 42.0C gpu: 38.0
           Fan Speeds (in rpm): cpu: 74460 mobo: 77640
Info:      Processes: 242 Uptime: 4:19 Memory: 1395.5/7889.4MB Init: Upstart runlevel: 2 Gcc sys: 4.8.4
           Client: Shell (bash 4.3.111) inxi: 2.2.28
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Habitual

Re: ClamAV detects trojan in mint drivers

Post by Habitual »

IoannisM wrote:Dear community,

I took the time today to check my system with ClamAV and I was surprised to find this report after running clamscan on my system folder:

/usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys: Win.Trojan.Agent-1427312 FOUND

Can you provide feedback as to how a windows trojan could have sneaked into that folder? I do not run wine or mono applications, nor do I install applications from PPAs, only the official repositories. All driver updates are done via the driver manager.

Those aren't "Mint Drivers". "!This program cannot be run in DOS mode."

Code:

strings /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys | less
Straight outa Redmond.

Here also Linux Mint 17.1 Rebecca
virustotal says only ClamAV found it.

I'm going with False-Positive.
IoannisM

Re: ClamAV detects trojan in mint drivers

Post by IoannisM »

I apologize for calling a sys file in a drivers subfolder of the linuxmint folder "mint drivers".
Habitual

Re: ClamAV detects trojan in mint drivers

Post by Habitual »

No worries!!!
Still False-Positive. So neener. :lol:
Mute Ant

Re: ClamAV detects trojan in mint drivers

Post by Mute Ant »

It is easy to make malware files 'disappear' in an ext4 file system with just one chance to run with root privilege, and very easy to craft a deb package to give it that chance. If ClamAV can't or won't quarantine it, I suggest you 7-zip-encrypt it in place with a password and manually shred the original, until you find out where it came from.
Habitual

Re: ClamAV detects trojan in mint drivers

Post by Habitual »

Mute Ant wrote:It is easy to make malware files 'disappear' in an ext4 file system with just one chance to run with root privilege, and very easy to craft a deb package to give it that chance. If ClamAV can't or won't quarantine it, I suggest you 7-zip-encrypt it in place with a password and manually shred the original, until you find out where it came from.
Since we both have that file, it can be reasoned it came from Mint.

Anybody else have /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys?

Code:

md5sum /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys
b89bcf0a25aeb3b47030ac83287f894a  /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys
I'm not about to panic. zip/pass/shred - what a load of hooey.
That's my opinion.
DanielR

Re: ClamAV detects trojan in mint drivers

Post by DanielR »

Habitual wrote: [...]
Anybody else have /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys?

Code:

md5sum /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys
b89bcf0a25aeb3b47030ac83287f894a  /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys
I'm not about to panic. zip/pass/shred - what a load of hooey.
That's my opinion.
LM13 32-Bit:

Code:

md5sum /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys
b89bcf0a25aeb3b47030ac83287f894a  /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys
However, why does Mint include a Windows driver?

BTW, after having been thoroughly fed up with ClamAV constantly reporting false positives, I purged ClamAV from my system. I'm still alive and so is my LM13 installation ...

Re: ClamAV detects trojan in mint drivers

Post by Fred Barclay »

I have the driver too in a LMDE 2 MATE 64-bit system (reinstalled just a few days ago).

Code:

fred@<redacted> ~ $ md5sum /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys
b89bcf0a25aeb3b47030ac83287f894a  /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys
EDIT:
Virus Total only detects a trojan with ClamAV... the other scanners say it's safe:
https://www.virustotal.com/en/file/deba ... 466616652/
Almost definitely a false positive. :mrgreen:
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

Re: ClamAV detects trojan in mint drivers

Post by BG405 »

Never run ClamAV but do have this file on the Dell.

Code:

brian@SERVER /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5 $ ls -a
.  ..  bcmwl5.inf  bcmwl5.sys
Very much doubt it's anything to worry about.
Dell Inspiron 1525 - LM17.3 CE 64-------------------Lenovo T440 - Manjaro KDE with Mint VMs
Toshiba NB250 - Manjaro KDE------------------------Acer Aspire One D255E - LM21.3 Xfce
Acer Aspire E11 ES1-111M - LM18.2 KDE 64 ----Two ROMS don't make a WRITE

Re: ClamAV detects trojan in mint drivers

Post by Schultz »

I have it too (on Mint 17.3 Mate 64 bit).
JeremyB

Re: ClamAV detects trojan in mint drivers

Post by JeremyB »

BG405 wrote:Never run ClamAV but do have this file on the Dell.

Code:

brian@SERVER /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5 $ ls -a
.  ..  bcmwl5.inf  bcmwl5.sys
Very much doubt it's anything to worry about.
I agree. It must be part of some ndiswrapper package, as ndiswrapper uses Windows .sys and .inf files for wifi.
kurzwell

Re: ClamAV detects trojan in mint drivers

Post by kurzwell »

I just discovered the same issue on a scan and re-confirmed that ClamAV is the only one to flag this file on VirusTotal. Thanks for the info.
Habitual

Re: ClamAV detects trojan in mint drivers

Post by Habitual »

Code:

dpkg -S /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys
mintwifi: /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys
mintwifi > ndiswrapper.
Good catch.
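The chain of checks the replies above applied by hand (strings to spot the DOS stub, md5sum to compare copies across installs, dpkg -S to find the owning package) can be scripted against dpkg's own per-package checksum manifests. The script below is an added example, not code from the thread or from Linux Mint's mintwifi package; it assumes a Debian-based system with dpkg, md5sum, awk and head -c available, and reads /var/lib/dpkg/info/<package>.md5sums, the same manifests that debsums verifies.

```shell
#!/bin/sh
# Added example, not from the thread: triage a file ClamAV flagged on a
# Debian/Ubuntu-based system such as Mint. Three checks, in the order the
# replies above applied them by hand:
#   1. is it a Windows PE image? (the "MZ" magic behind the
#      "!This program cannot be run in DOS mode" stub seen with `strings`)
#   2. which package owns the path? (dpkg -S)
#   3. does the on-disk checksum match the package's own manifest?
#      (/var/lib/dpkg/info/<pkg>.md5sums, the same data debsums reads)
# Assumptions: dpkg, md5sum, awk and head -c are available; paths contain no
# whitespace (the .md5sums format is whitespace-separated).

# Returns 0 if FILE starts with the "MZ" DOS/PE magic, 1 otherwise.
is_pe_file() {
    [ -r "$1" ] || return 1
    [ "$(head -c 2 "$1" 2>/dev/null)" = "MZ" ]
}

# Prints the package owning PATH (empty if dpkg knows no owner).
# Returns 2 when dpkg is not installed at all.
owning_package() {
    command -v dpkg >/dev/null 2>&1 || return 2
    # dpkg -S prints "pkg[:arch]: /path"; keep only the package name
    dpkg -S "$1" 2>/dev/null | sed 's/: .*$//' | head -n 1
}

# Compares FILE ($1) against MANIFEST ($2), a file in dpkg .md5sums format:
# "<md5>  <path relative to />" per line. Prints OK / MODIFIED /
# NOT-IN-MANIFEST and returns 0 / 1 / 2.
check_md5_manifest() {
    cmm_rel=${1#/}
    cmm_expected=$(awk -v p="$cmm_rel" '$2 == p { print $1; exit }' "$2")
    if [ -z "$cmm_expected" ]; then
        echo "NOT-IN-MANIFEST"; return 2
    fi
    cmm_actual=$(md5sum "$1" | awk '{ print $1 }')
    if [ "$cmm_actual" = "$cmm_expected" ]; then
        echo "OK"; return 0
    fi
    echo "MODIFIED"; return 1
}

# Full triage of one path against the live dpkg database.
triage() {
    f=$1
    if is_pe_file "$f"; then
        echo "$f: Windows PE image (MZ header), expected for an ndiswrapper .sys"
    else
        echo "$f: not a PE image"
    fi
    pkg=$(owning_package "$f") || { echo "$f: dpkg not available"; return 2; }
    if [ -z "$pkg" ]; then
        echo "$f: not owned by any installed package, investigate further"
        return 2
    fi
    echo "$f: owned by package $pkg"
    manifest=/var/lib/dpkg/info/$pkg.md5sums
    if [ ! -r "$manifest" ]; then
        echo "$f: no md5sums manifest for $pkg (try: debsums $pkg)"
        return 2
    fi
    printf '%s: checksum vs. package manifest: ' "$f"
    check_md5_manifest "$f" "$manifest"
}

# Usage: sh triage.sh /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys
for path in "$@"; do
    triage "$path"
done
```

Run it on the flagged path and compare the result with the checksum several posters reported (b89bcf0a25aeb3b47030ac83287f894a). Note what the manifest check does and does not answer: OK means the file is byte-for-byte what the mintwifi package installed, so nothing on the machine has altered it since; it says nothing about whether the package itself was clean when it was built. The evidence that settles that question is the rest of the thread, namely the same hash on independent installs, a package owner in Mint's repository and only one engine flagging it on VirusTotal.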
George Stamford

Re: ClamAV detects trojan in mint drivers

Post by George Stamford »

I guess the OP didn't see all the other posts telling everyone that Windows viruses don't affect Linux systems and that Clam AV is not needed on any Linux system? The ONLY reason for checking any part of Linux is to check a file that you will be using in Windows.
Habitual

Re: ClamAV detects trojan in mint drivers

Post by Habitual »

George Stamford wrote:I guess the OP didn't see all the other posts telling everyone that Windows viruses don't affect Linux systems and that Clam AV is not needed on any Linux system? The ONLY reason for checking any part of Linux is to check a file that you will be using in Windows.
and why people feel the need to scan "/" with it is beyond me.
It's a "thing". Useless as floppies.

I thought it more important that the question of "where did it come from?" be answered.
hence:

Code:

dpkg -S /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys
mintwifi: /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys
Get you some!
George Stamford

Re: ClamAV detects trojan in mint drivers

Post by George Stamford »

I still use floppies!

My Yamaha midi keyboard uses them to read pre-recorded midi songs so I can have my own private live music concerts. Yamaha PSR 550.

Re: ClamAV detects trojan in mint drivers

Post by Fred Barclay »

George Stamford wrote:I guess the OP didn't see all the other posts telling everyone that Windows viruses don't affect Linux systems and that Clam AV is not needed on any Linux system? The ONLY reason for checking any part of Linux is to check a file that you will be using in Windows.
Well, in defense of the OP (though I totally agree that searching for Windows viruses in desktop Linux is a waste of time and can be risky)...

1. He was proactive in securing his system. Though he took the wrong way of doing it, he still tried and didn't adopt a laissez-faire attitude.

2. He didn't panic and start deleting things. Several of us in this thread can probably remember other threads (one relatively recently) in which the poster was convinced that he was infected and started deleting some very important files. :roll:

3. He asked! This is what I'm happiest to see: the OP had a mistaken assumption, but he asked for help and advice here.

4. He avoids Wine, mono, and PPAs. :D
mkiker2089

Re: ClamAV detects trojan in mint drivers

Post by mkiker2089 »

Forgive bumping an older thread. I'm new here. May I toss two questions on

1- does Clam really even look for Linux viruses? Reading around it seems to me like Clam is only useful to make sure your windows partitions are clean. I'm told Avast is similar. They will fill your Linux, Android, and Apple machines with their own adware and really only look for Windows viruses.

2- that said I do have a family member that was hit on her MacBook with that same DNS changer that hit Windows users. I can't remember how it was getting in and my research is a bit spotty. That said Linux is supposedly safer but Macs are supposed to be safe as well. While the need for an antivirus is almost nonexistent wouldn't it be nice to have one just in case. Maybe not a TSR one but one we could schedule to check things out on a weekly basis?

Third, yes I know I said 2, does anyone have an opinion on Avast? I used it for years on my Android device because it didn't get in the way and had nice bonus features. That was until it started treating me like an idiot and giving me warning about choices I made. Now on my Windows 7 machine I'm starting to see false positives and at least once it's hijacked my browser because it says Google isn't a trusted source and insists on adding Yahoo to the Chrome and Firefox startup.
Habitual

Re: ClamAV detects trojan in mint drivers

Post by Habitual »

mkiker2089 wrote:Forgive bumping an older thread. I'm new here. May I toss two questions on

1- does Clam really even look for Linux viruses? Reading around it seems to me like Clam is only useful to make sure your windows partitions are clean. I'm told Avast is similar. They will fill your Linux, Android, and Apple machines with their own adware and really only look for Windows viruses.
ClamAV doesn't clean. Its job is to scan for Windows viruses on Linux Servers and is useless to desktop Linux users.
"They can fix"? Isn't that the Product's Function? Useless as teats on a boar hog.
mkiker2089 wrote:I can't remember how it was getting in and my research is a bit spotty.
Yeah, TSR gave that away.
What is the common-denominator in all these "I read somewhere..." instances? The user. Very Common to report the disastrous (I haz visitz)
mkiker2089 wrote:Third, yes I know I said 2, does anyone have an opinion on Avast? I used it for years on my Android device because it didn't get in the way and had nice bonus features.
So glad you asked.
<insert AV Product Here> is unnecessary on the Linux desktop.
Yeah, I can imagine what you got for those "bonus features". #Siphoned

Just my opinion.
gnjepar

Re: ClamAV detects trojan in mint drivers

Post by gnjepar »

I heavily interact with MS systems, so do many other people that use GNU/Linux systems. I most certainly want to keep my data clean.

So, what AV to use if Clam reports so many false positives?