ClamAV detects trojan in mint drivers

IoannisM
Level 1
Posts: 23
Joined: Mon Nov 23, 2015 10:17 pm

ClamAV detects trojan in mint drivers

Post by IoannisM » Wed Jun 22, 2016 7:30 am

Dear community,

I took the time today to check my system with ClamAV and I was surprised to find this report after running clamscan on my system folder:

/usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys: Win.Trojan.Agent-1427312 FOUND

Can you provide feedback as to how a windows trojan could have sneaked into that folder? I do not run wine or mono applications, nor do I install applications from PPAs, only the official repositories. All driver updates are done via the driver manager.

-----------------------------

Here are my system specifications:

System:    Host: (omitted) Kernel: 3.19.0-32-generic x86_64 (64 bit gcc: 4.8.2)
           Desktop: Cinnamon 2.8.8 (Gtk 3.10.8~8+qiana) Distro: Linux Mint 17.3 Rosa
Machine:   System: Dell product: Precision M4800 v: 00
           Mobo: Dell model: N/A Bios: Dell v: A15 date: 09/29/2015
CPU:       Quad core Intel Core i7-4710MQ (-HT-MCP-) cache: 6144 KB
           flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx) bmips: 19954
           clock speeds: max: 3500 MHz 1: 3379 MHz 2: 3499 MHz 3: 3373 MHz 4: 3390 MHz 5: 3358 MHz 6: 2858 MHz
           7: 3375 MHz 8: 2906 MHz
Graphics:  Card-1: Intel 4th Gen Core Processor Integrated Graphics Controller bus-ID: 00:02.0
           Card-2: NVIDIA GK107GLM [Quadro K1100M] bus-ID: 01:00.0
           Display Server: X.Org 1.15.1 drivers: intel (unloaded: fbdev,vesa) FAILED: nouveau
           Resolution: 1920x1080@60.0hz
           GLX Renderer: Mesa DRI Intel Haswell Mobile GLX Version: 3.0 Mesa 10.1.3 Direct Rendering: Yes
Audio:     Card-1 Intel 8 Series/C220 Series High Definition Audio Controller
           driver: snd_hda_intel bus-ID: 00:1b.0
           Card-2 Intel Xeon E3-1200 v3/4th Gen Core Processor HD Audio Controller
           driver: snd_hda_intel bus-ID: 00:03.0
           Sound: Advanced Linux Sound Architecture v: k3.19.0-32-generic
Network:   Card-1: Intel Ethernet Connection I217-LM driver: e1000e v: 2.3.2-k port: f080 bus-ID: 00:19.0
           IF: eth0 state: down mac: 20:47:47:cc:8f:8c
           Card-2: Intel Wireless 7260 driver: iwlwifi v: in-tree: bus-ID: 03:00.0
           IF: wlan0 state: up mac: 7c:5c:f8:0e:99:8a
Drives:    HDD Total Size: 2000.4GB (85.3% used) ID-1: /dev/sda model: ST500LM021 size: 500.1GB
           ID-2: USB /dev/sdb model: FreeAgent_Go size: 500.1GB
           ID-3: USB /dev/sdc model: External_USB_3.0 size: 1000.2GB
Partition: ID-1: / size: 74G used: 13G (18%) fs: ext4 dev: /dev/dm-0
           ID-2: /boot size: 237M used: 89M (40%) fs: ext2 dev: /dev/sda3
           ID-3: /home size: 323G used: 217G (71%) fs: ext4 dev: /dev/dm-2
           ID-4: swap-1 size: 16.00GB used: 0.00GB (0%) fs: swap dev: /dev/dm-1
RAID:      No RAID devices: /proc/mdstat, md_mod kernel module present
Sensors:   System Temperatures: cpu: 66.0C mobo: 42.0C gpu: 38.0
           Fan Speeds (in rpm): cpu: 74460 mobo: 77640
Info:      Processes: 242 Uptime: 4:19 Memory: 1395.5/7889.4MB Init: Upstart runlevel: 2 Gcc sys: 4.8.4
           Client: Shell (bash 4.3.111) inxi: 2.2.28
Last edited by Habitual on Wed Dec 28, 2016 4:37 pm, edited 1 time in total.
Reason: code tags added for readability

Habitual
Level 13
Posts: 4870
Joined: Sun Nov 21, 2010 8:31 pm
Location: 0.0.0.0

Re: ClamAV detects trojan in mint drivers

Post by Habitual » Wed Jun 22, 2016 7:38 am

IoannisM wrote: Dear community,

I took the time today to check my system with ClamAV and I was surprised to find this report after running clamscan on my system folder:

/usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys: Win.Trojan.Agent-1427312 FOUND

Can you provide feedback as to how a windows trojan could have sneaked into that folder? I do not run wine or mono applications, nor do I install applications from PPAs, only the official repositories. All driver updates are done via the driver manager.

[...]
Those aren't "Mint Drivers". "!This program cannot be run in DOS mode."

strings /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys | less

Straight outa Redmond.

Here also Linux Mint 17.1 Rebecca
virustotal says only ClamAV found it.

I'm going with False-Positive.
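
Habitual's strings check shows the giveaway DOS-stub string by eye. The script below, added here as an example and not code from the thread or from Linux Mint, does the same job from the file's own headers: it reads the MZ stub, the PE signature, and the COFF and optional headers, then reports the target machine and the PE subsystem, so a Windows kernel driver is identified as exactly that (a PE32 image for i386 with the NATIVE subsystem), which nothing on a Linux host can load or execute. The build_sample_pe() image is constructed so the script runs offline; it is not the real bcmwl5.sys, and the machine and subsystem tables cover only the common values.

```python
"""Tell what kind of binary a flagged file is from its own headers.

Added example for this thread, not code from the original posts or from Linux
Mint. It reads the MZ/PE headers behind the "!This program cannot be run in
DOS mode." string and reports the target machine and PE subsystem, which is how
you confirm that a .sys file is a Windows kernel driver rather than anything
that can execute on Linux. build_sample_pe() constructs a minimal PE32 image in
memory so the script runs offline; it is not the real bcmwl5.sys.
"""
import struct
import sys

MACHINE = {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEM = {1: "NATIVE (driver)", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
IMAGE_FILE_DLL = 0x2000


def describe_pe(data: bytes) -> dict:
    """Parse the MZ stub, PE signature, COFF header and optional header."""
    if data[:4] == b"\x7fELF":
        return {"format": "ELF"}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"format": "unknown"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"format": "MZ (DOS executable, no PE header)"}
    coff = e_lfanew + 4
    machine, nsections, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    info = {
        "format": "PE",
        "machine": MACHINE.get(machine, hex(machine)),
        "sections": nsections,
        "dll": bool(chars & IMAGE_FILE_DLL),
        # The string Habitual saw with `strings` lives in the DOS stub.
        "dos_stub_message": b"cannot be run in DOS mode" in data[:e_lfanew],
    }
    opt = coff + 20
    # Subsystem sits at offset 68 of the optional header in both PE32 and PE32+.
    if opt_size >= 70 and opt + 70 <= len(data):
        magic = struct.unpack_from("<H", data, opt)[0]
        info["pe_format"] = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic))
        subsystem = struct.unpack_from("<H", data, opt + 68)[0]
        info["subsystem"] = SUBSYSTEM.get(subsystem, str(subsystem))
    return info


def describe_file(path: str) -> dict:
    """Describe a file on disk (drivers are small; read it whole)."""
    with open(path, "rb") as f:
        return describe_pe(f.read())


def build_sample_pe(machine: int = 0x014C, subsystem: int = 1) -> bytes:
    """Constructed minimal PE32 image: DOS header + stub, PE signature, COFF, optional header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew: PE signature at 0x80
    stub = b"\r\n!This program cannot be run in DOS mode.\r\n$".ljust(0x40, b"\0")
    # Machine, 1 section, no symbols, 224-byte optional header, EXECUTABLE|32BIT.
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)  # IMAGE_SUBSYSTEM_*
    return bytes(dos) + stub + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(describe_file(sys.argv[1]))
    else:
        print(describe_pe(build_sample_pe()))
```

Run it with the path to the flagged file as its single argument to print the header facts for the real file; with no argument it describes the constructed sample. The header only says what the file claims to be; it does not by itself say the file is benign, which is why the question of which package installed it, raised later in the thread, matters more.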

IoannisM
Level 1
Posts: 23
Joined: Mon Nov 23, 2015 10:17 pm

Re: ClamAV detects trojan in mint drivers

Post by IoannisM » Wed Jun 22, 2016 7:50 am

I apologize for calling a sys file in a drivers subfolder of the linuxmint folder "mint drivers".

Habitual
Level 13
Posts: 4870
Joined: Sun Nov 21, 2010 8:31 pm
Location: 0.0.0.0

Re: ClamAV detects trojan in mint drivers

Post by Habitual » Wed Jun 22, 2016 8:23 am

No worries!!!
Still False-Positive. So neener. :lol:

Mute Ant
Level 14
Posts: 5135
Joined: Tue Sep 03, 2013 7:45 pm
Location: Norfolk UK

Re: ClamAV detects trojan in mint drivers

Post by Mute Ant » Wed Jun 22, 2016 11:54 am

It is easy to make malware files 'disappear' in an ext4 file system with just one chance to run with root privilege, and very easy to craft a deb package to give it that chance. If ClamAV can't or won't quarantine it, I suggest you 7-zip-encrypt it in place with a password and manually shred the original, until you find out where it came from.
While you're waiting, read the free novel we sent you. It's a Spanish story about a guy named "manual".

Habitual
Level 13
Posts: 4870
Joined: Sun Nov 21, 2010 8:31 pm
Location: 0.0.0.0

Re: ClamAV detects trojan in mint drivers

Post by Habitual » Wed Jun 22, 2016 12:04 pm

Mute Ant wrote: It is easy to make malware files 'disappear' in an ext4 file system with just one chance to run with root privilege, and very easy to craft a deb package to give it that chance. If ClamAV can't or won't quarantine it, I suggest you 7-zip-encrypt it in place with a password and manually shred the original, until you find out where it came from.
Since we both have that file, it can be reasoned it came from Mint.

Anybody else have /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys

md5sum /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys
b89bcf0a25aeb3b47030ac83287f894a  /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys

I'm not about to panic. zip/pass/shred - what a load of hooey.
That's my opinion.

DanielR
Level 4
Posts: 240
Joined: Mon Sep 23, 2013 1:22 pm

Re: ClamAV detects trojan in mint drivers

Post by DanielR » Wed Jun 22, 2016 1:09 pm

Habitual wrote: [...]
Anybody else have /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys

md5sum /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys
b89bcf0a25aeb3b47030ac83287f894a  /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys

I'm not about to panic. zip/pass/shred - what a load of hooey.
That's my opinion.
LM13 32-Bit:

md5sum /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys
b89bcf0a25aeb3b47030ac83287f894a  /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys

However, why does Mint include Windows driver?

BTW, after having been thoroughly fed up with ClamAV constantly reporting false positives, I purged ClamAV from my system. I'm still alive and so is my LM13 installation ...

Fred Barclay
Level 12
Posts: 4201
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: ClamAV detects trojan in mint drivers

Post by Fred Barclay » Wed Jun 22, 2016 1:28 pm

I have the driver too in a LMDE 2 MATE 64-bit system (reinstalled just a few days ago).

fred@<redacted> ~ $ md5sum /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys
b89bcf0a25aeb3b47030ac83287f894a  /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys

EDIT:
Virus Total only detects a trojan with ClamAV... the other scanners say it's safe:
https://www.virustotal.com/en/file/deba ... 466616652/
Almost definitely a false positive. :mrgreen:
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

BG405
Level 7
Posts: 1785
Joined: Fri Mar 11, 2016 3:09 pm
Location: England

Re: ClamAV detects trojan in mint drivers

Post by BG405 » Wed Jun 22, 2016 3:10 pm

Never run ClamAV but do have this file on the Dell.

brian@SERVER /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5 $ ls -a
.  ..  bcmwl5.inf  bcmwl5.sys

Very much doubt it's anything to worry about.
Dell Inspiron 1525 - LM17.3 CE 64-------------------Acer D255E 2GB - Manjaro KDE, LM17.3 KDE 32
Toshiba NB305 - Manjaro KDE------------------------K7S5A AMD 1.2GHz - LM17.3 Xfce 32 & WinXP-Pro
Acer Aspire E11 ES1-111M - LM18.2 KDE 64 ----Dell PII 350 64MB - Puppy 4.3 & Win98-SE

Schultz
Level 7
Posts: 1555
Joined: Thu Feb 25, 2016 8:57 pm

Re: ClamAV detects trojan in mint drivers

Post by Schultz » Wed Jun 22, 2016 6:58 pm

I have it too (on Mint 17.3 Mate 64 bit).

JeremyB
Level 20
Posts: 10620
Joined: Fri Feb 21, 2014 8:17 am

Re: ClamAV detects trojan in mint drivers

Post by JeremyB » Wed Jun 22, 2016 7:02 pm

BG405 wrote: Never run ClamAV but do have this file on the Dell.

brian@SERVER /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5 $ ls -a
.  ..  bcmwl5.inf  bcmwl5.sys

Very much doubt it's anything to worry about.
I agree. It must be part of some ndiswrapper package as ndiswrapper uses windows sys and inf files for wifi

kurzwell
Level 1
Posts: 2
Joined: Tue Jul 19, 2016 10:54 am

Re: ClamAV detects trojan in mint drivers

Post by kurzwell » Tue Jul 19, 2016 10:57 am

I just discovered the same issue on a scan and re-confirmed that ClamAV is the only one to flag this file on VirusTotal. Thanks for the info.

Habitual
Level 13
Posts: 4870
Joined: Sun Nov 21, 2010 8:31 pm
Location: 0.0.0.0

Re: ClamAV detects trojan in mint drivers

Post by Habitual » Tue Jul 19, 2016 1:31 pm

dpkg -S /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys
mintwifi: /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys

mintwifi > ndiswrapper.
Good catch.
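
dpkg -S answers "which package installed this file?". The script below, added here as an example and not code from the thread or from Linux Mint, takes the next step a practitioner would want: it compares the file's MD5 with the entry dpkg recorded at install time in /var/lib/dpkg/info/<package>.md5sums, which is the same check the debsums tool performs. The demo() scenario builds a fake root with its own md5sums record in a temporary directory so it runs offline; the paths under /usr/lib/example/ and the file contents are constructed, and the mintwifi.md5sums record named in the usage hint is assumed to exist on a Mint system rather than verified here. One caveat the thread's md5sum exchange glosses over: a match against the dpkg record is an integrity check against the package manager's own bookkeeping, not a security boundary. Anything that already ran as root could rewrite both the file and the record, so for stronger assurance compare against the .deb fetched from the repository mirror.

```python
"""Check a flagged file against the checksum record of the package that owns it.

Added example for this thread, not code from the original posts or from Linux
Mint. It compares a file's MD5 with the entry dpkg wrote to
/var/lib/dpkg/info/<package>.md5sums at install time (what debsums does).
demo() builds a constructed fake root in a temp dir so the script runs offline.
The MD5 record is package-manager bookkeeping, not a security boundary: a root
compromise can rewrite both file and record, so compare against the .deb from
the repository mirror when it matters.
"""
import hashlib
import sys
import tempfile
from pathlib import Path


def load_md5sums(md5sums_path: Path) -> dict:
    """Parse dpkg's md5sums format: '<hex md5>  <path relative to />' per line."""
    recorded = {}
    for line in md5sums_path.read_text().splitlines():
        if not line.strip():
            continue
        digest, rel = line.split(maxsplit=1)
        recorded["/" + rel.strip()] = digest.lower()
    return recorded


def md5_of(path: Path) -> str:
    """MD5 of a file, streamed so large files do not have to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(abs_path: str, md5sums_path: Path, root: Path = Path("/")) -> str:
    """Return 'ok', 'MODIFIED', 'MISSING' or 'NOT IN PACKAGE' for abs_path."""
    recorded = load_md5sums(md5sums_path)
    if abs_path not in recorded:
        return "NOT IN PACKAGE"
    target = root / abs_path.lstrip("/")
    if not target.is_file():
        return "MISSING"
    return "ok" if md5_of(target) == recorded[abs_path] else "MODIFIED"


def demo() -> dict:
    """Constructed scenario: an untouched file, a tampered file and a stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        drv = root / "usr/lib/example/drivers"          # constructed path
        drv.mkdir(parents=True)
        original = b"MZ\x90\x00 pretend Windows driver"   # constructed content
        (drv / "good.sys").write_bytes(original)
        (drv / "tampered.sys").write_bytes(original)
        (drv / "stray.sys").write_bytes(b"dropped by hand, owned by no package")
        md5sums = root / "var/lib/dpkg/info/example.md5sums"
        md5sums.parent.mkdir(parents=True)
        md5sums.write_text(
            f"{md5_of(drv / 'good.sys')}  usr/lib/example/drivers/good.sys\n"
            f"{md5_of(drv / 'tampered.sys')}  usr/lib/example/drivers/tampered.sys\n"
        )
        # Simulate post-install tampering after the record was written.
        (drv / "tampered.sys").write_bytes(original + b" plus appended payload")
        return {
            name: verify_file(f"/usr/lib/example/drivers/{name}", md5sums, root)
            for name in ("good.sys", "tampered.sys", "stray.sys")
        }


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: <script> <package> </absolute/path/to/file>, e.g. the package
        # name dpkg -S printed and the flagged path. The record path is dpkg's.
        record = Path(f"/var/lib/dpkg/info/{sys.argv[1]}.md5sums")
        print(verify_file(sys.argv[2], record))
    else:
        print(demo())
```

With no arguments it runs the constructed scenario and prints one verdict per file; with a package name and an absolute path it checks a real file against that package's dpkg record. "NOT IN PACKAGE" for a path that dpkg -S nonetheless attributes to a package usually means the package ships it through a maintainer script rather than the archive itself, which is worth a closer look.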

George Stamford
Level 2
Posts: 74
Joined: Sun Dec 13, 2015 9:11 am

Re: ClamAV detects trojan in mint drivers

Post by George Stamford » Tue Jul 19, 2016 5:16 pm

I guess the OP didn't see all the other posts telling everyone that Windoze viruses don't affect Linux systems and that Clam AV is not needed on any Linux system? The ONLY reason for checking any part of Linux is to check a file that you will be using in Windoze.

Habitual
Level 13
Posts: 4870
Joined: Sun Nov 21, 2010 8:31 pm
Location: 0.0.0.0

Re: ClamAV detects trojan in mint drivers

Post by Habitual » Tue Jul 19, 2016 7:20 pm

George Stamford wrote: I guess the OP didn't see all the other posts telling everyone that Windoze viruses don't affect Linux systems and that Clam AV is not needed on any Linux system? The ONLY reason for checking any part of Linux is to check a file that you will be using in Windoze.
and why people feel the need to scan "/" with it is beyond me.
It's a "thing". Useless as floppies.

I thought it more important that the question of "where did it come from?" be answered.
hence:

dpkg -S /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys
mintwifi: /usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys

Get you some!

George Stamford
Level 2
Posts: 74
Joined: Sun Dec 13, 2015 9:11 am

Re: ClamAV detects trojan in mint drivers

Post by George Stamford » Wed Jul 20, 2016 3:14 pm

I still use floppies!

My Yamaha midi keyboard uses them to read pre-recorded midi songs so I can have my own private live music concerts. Yamaha PSR 550.

Fred Barclay
Level 12
Posts: 4201
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: ClamAV detects trojan in mint drivers

Post by Fred Barclay » Wed Jul 20, 2016 3:30 pm

George Stamford wrote: I guess the OP didn't see all the other posts telling everyone that Windoze viruses don't affect Linux systems and that Clam AV is not needed on any Linux system? The ONLY reason for checking any part of Linux is to check a file that you will be using in Windoze.
Well, in defense of the OP (though I totally agree that searching for Windows viruses in desktop Linux is a waste of time and can be risky)...

1. He was proactive in securing his system. Though he took the wrong way of doing it, he still tried and didn't adopt a laissez-faire attitude.

2. He didn't panic and start deleting things. Several of us in this thread can probably remember other threads (one relatively recently) in which the poster was convinced that he was infected and started deleting some very important files. :roll:

3. He asked! This is what I'm happiest to see: the OP had a mistaken assumption, but he asked for help and advice here.

4. He avoids Wine, mono, and PPAs. :D
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

mkiker2089
Level 1
Posts: 23
Joined: Thu Sep 29, 2016 6:49 pm

Re: ClamAV detects trojan in mint drivers

Post by mkiker2089 » Fri Oct 21, 2016 11:04 am

Forgive bumping an older thread. I'm new here. May I toss two questions on?

1- Does Clam really even look for Linux viruses? Reading around, it seems to me like Clam is only useful to make sure your Windows partitions are clean. I'm told Avast is similar. They will fill your Linux, Android, and Apple machines with their own adware and really only look for Windows viruses.

2- That said, I do have a family member that was hit on her MacBook with that same DNS changer that hit Windows users. I can't remember how it was getting in and my research is a bit spotty. That said, Linux is supposedly safer, but Macs are supposed to be safe as well. While the need for an antivirus is almost nonexistent, wouldn't it be nice to have one just in case? Maybe not a TSR one, but one we could schedule to check things out on a weekly basis?

Third, yes I know I said 2, does anyone have an opinion on Avast? I used it for years on my Android device because it didn't get in the way and had nice bonus features. That was until it started treating me like an idiot and giving me warnings about choices I made. Now on my Windows 7 machine I'm starting to see false positives, and at least once it's hijacked my browser because it says Google isn't a trusted source and insists on adding Yahoo to the Chrome and Firefox startup.

Habitual
Level 13
Posts: 4870
Joined: Sun Nov 21, 2010 8:31 pm
Location: 0.0.0.0

Re: ClamAV detects trojan in mint drivers

Post by Habitual » Fri Oct 21, 2016 11:54 am

mkiker2089 wrote: Forgive bumping an older thread. I'm new here. May I toss two questions on?

1- Does Clam really even look for Linux viruses? Reading around, it seems to me like Clam is only useful to make sure your Windows partitions are clean. I'm told Avast is similar. They will fill your Linux, Android, and Apple machines with their own adware and really only look for Windows viruses.
ClamAV doesn't clean. Its job is to scan for Windows viruses on Linux servers and is useless to desktop Linux users.
"They can fix"? Isn't that the product's function? Useless as teats on a boar hog.
mkiker2089 wrote: I can't remember how it was getting in and my research is a bit spotty.
Yeah, TSR gave that away.
What is the common denominator in all these "I read somewhere..." instances? The user. Very common to report the disastrous (I haz visitz).
mkiker2089 wrote: Third, yes I know I said 2, does anyone have an opinion on Avast? I used it for years on my Android device because it didn't get in the way and had nice bonus features.
So glad you asked.
<insert AV Product Here> is unnecessary on the Linux desktop.
Yeah, I can imagine what you got for those "bonus features". #Siphoned

Just my opinion.

gnjepar
Level 1
Posts: 18
Joined: Tue Jun 25, 2013 7:23 am

Re: ClamAV detects trojan in mint drivers

Post by gnjepar » Wed Dec 14, 2016 3:31 pm

I heavily interact with MS systems, so do many other people that use GNU/Linux systems. I most certainly want to keep my data clean.

So, what AV to use if Clam reports so many false positives?
