GNU bug report logs - #25278
Possible virus found in icecat-45.5.1


Package: guix;

Reported by: dian_cecht <at> zoho.com

Date: Mon, 26 Dec 2016 19:19:02 UTC

Severity: normal

Done: dian_cecht <at> zoho.com

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#25278; Package guix. (Mon, 26 Dec 2016 19:19:02 GMT)

Acknowledgement sent to dian_cecht <at> zoho.com:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Mon, 26 Dec 2016 19:19:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: dian_cecht <at> zoho.com
To: bug-guix <bug-guix <at> gnu.org>
Subject: Possible virus found in icecat-45.5.1
Date: Mon, 26 Dec 2016 11:18:35 -0800
Wanted to report a (possible) virus in icecat (45.5.1 for me, but someone on IRC
was using 45.3.0 with at least one identical checksum of one of the related
files). I'm not sure if this is a false positive, but I thought it better to
report it than to ignore it. Better to draw attention to a nonissue than ignore
something dangerous.

I run clamdscan over my home directory daily and ran into a virus report using
it. I won't go into great detail of what I did, how, and why, but long story
short I removed any and all instances of the virus, rebooted, ran guix pull (I
had to remove files in /gnu/store because they were apparently infected. I
wasn't sure how or why, but I don't question viruses too much wrt what they can
and can't do), rescanned /gnu/store (which came out clean), then reinstalled
icecat. The relevant clamdscan output follows:

/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/html5-video-everywhere@lejenome.me.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/jid1-KtlZuoiikVfFew@jetpack.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/spyblock@gnu.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/features/loop@mozilla.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/https-everywhere-eff@eff.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/omni.ja: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/jid1-KtlZuoiikVfFew@jetpack.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/html5-video-everywhere@lejenome.me.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/spyblock@gnu.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/features/loop@mozilla.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/https-everywhere-eff@eff.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/omni.ja: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/omni.ja: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/omni.ja: Win.Trojan.Toa-5370166-0 FOUND

and for completeness' sake, sha1sums of the files in question:

# pastebit-this.txt holds the clamdscan lines above; the path is everything before the first ':'
cut -d: -f1 pastebit-this.txt | while IFS= read -r f; do sha1sum -- "$f"; done
a0798a225f833c5fc495b7d34f842f6895430c05  /gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/html5-video-everywhere@lejenome.me.xpi
660a532ab26271d807484745549eb50c96e1d17d  /gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/jid1-KtlZuoiikVfFew@jetpack.xpi
d1f71a8f48fb67096fd2317593662c93427ec200  /gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/spyblock@gnu.org.xpi
2352c47726144e6f3b16dbbfd851767ec4da12f4  /gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/features/loop@mozilla.org.xpi
f514044393bbcb35fd416f8934cc5796668880de  /gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/https-everywhere-eff@eff.org.xpi
e33f82770d29052967ea554a64fa3c2abbaa654b  /gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/omni.ja
660a532ab26271d807484745549eb50c96e1d17d  /gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/jid1-KtlZuoiikVfFew@jetpack.xpi
a0798a225f833c5fc495b7d34f842f6895430c05  /gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/html5-video-everywhere@lejenome.me.xpi
d1f71a8f48fb67096fd2317593662c93427ec200  /gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/spyblock@gnu.org.xpi
2352c47726144e6f3b16dbbfd851767ec4da12f4  /gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/features/loop@mozilla.org.xpi
f514044393bbcb35fd416f8934cc5796668880de  /gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/https-everywhere-eff@eff.org.xpi
46a63a6d5a0fc94ee2646a6079cba38fb16715d9  /gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/omni.ja
e33f82770d29052967ea554a64fa3c2abbaa654b  /gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/omni.ja
46a63a6d5a0fc94ee2646a6079cba38fb16715d9  /gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/omni.ja

I'm hoping this is a false positive. I run Guix on top of Gentoo and have also
found the same Trojan appearing in Firefox-related files in my home directory,
as well as in Wine directories (I didn't record the exact directories, but I
think they were something like ../drive_c/windows/sys?????/gecko/ or something
like that. Don't trust this 100%).





Information forwarded to bug-guix <at> gnu.org:
bug#25278; Package guix. (Mon, 26 Dec 2016 20:12:01 GMT)

Message #8 received at 25278 <at> debbugs.gnu.org:

From: dian_cecht <at> zoho.com
To: 25278 <at> debbugs.gnu.org
Subject: Re: bug#25278: Acknowledgement (Possible virus found in icecat-45.5.1)
Date: Mon, 26 Dec 2016 12:11:13 -0800
I just wanted to add that I went ahead and ran icecat-45.5.1 then rescanned
~/.mozilla and nothing related to the virus popped up with the scan.





Information forwarded to bug-guix <at> gnu.org:
bug#25278; Package guix. (Mon, 26 Dec 2016 22:06:01 GMT)

Message #11 received at 25278 <at> debbugs.gnu.org:

From: ng0 <ng0 <at> libertad.pw>
To: 25278 <at> debbugs.gnu.org
Cc: dian_cecht <at> zoho.com
Subject: Re: bug#25278: Acknowledgement (Possible virus found in icecat-45.5.1)
Date: Mon, 26 Dec 2016 22:05:24 +0000
dian_cecht <at> zoho.com writes:

> I just wanted to add that I went ahead and ran icecat-45.5.1 then rescanned
> ~/.mozilla and nothing related to the virus popped up with the scan.
>
>
>
>
>

So this issue is done and can be closed?
-- 
♥Ⓐ  ng0
PGP keys and more: https://n0is.noblogs.org/ http://ng0.chaosnet.org




Information forwarded to bug-guix <at> gnu.org:
bug#25278; Package guix. (Mon, 26 Dec 2016 23:58:02 GMT)

Message #14 received at 25278 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: dian_cecht <at> zoho.com
Cc: 25278 <at> debbugs.gnu.org
Subject: Re: bug#25278: Acknowledgement (Possible virus found in icecat-45.5.1)
Date: Mon, 26 Dec 2016 18:57:50 -0500
On Mon, Dec 26, 2016 at 12:11:13PM -0800, dian_cecht <at> zoho.com wrote:
> I just wanted to add that I went ahead and ran icecat-45.5.1 then rescanned
> ~/.mozilla and nothing related to the virus popped up with the scan.

Are the files with the same SHA1 hashes still present?




Information forwarded to bug-guix <at> gnu.org:
bug#25278; Package guix. (Tue, 27 Dec 2016 00:21:02 GMT)

Message #17 received at 25278 <at> debbugs.gnu.org:

From: dian_cecht <at> zoho.com
To: Leo Famulari <leo <at> famulari.name>
Cc: 25278 <at> debbugs.gnu.org
Subject: Re: bug#25278: Acknowledgement (Possible virus found in icecat-45.5.1)
Date: Mon, 26 Dec 2016 16:20:47 -0800
On Mon, Dec 26, 2016 at 06:57:50PM -0500, Leo Famulari wrote:
> On Mon, Dec 26, 2016 at 12:11:13PM -0800, dian_cecht <at> zoho.com wrote:
> > I just wanted to add that I went ahead and ran icecat-45.5.1 then rescanned
> > ~/.mozilla and nothing related to the virus popped up with the scan.
> 
> Are the files with the same SHA1 hashes still present?

So I rechecked the files listed in this bug report and yes, the checksums are the
same. However, they no longer list as viruses according to ClamAV. I checked my
logs and I'm assuming that a database update fixed a false positive (freshclam
updates the database every 2 hours on my machine, and, afaik, the virus
definition was added in the last day or two).

So it looks to me like it was simply a false positive.
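A worked triage of the re-check described in this message, combined with the sha1sum listing from the original report: this is an added example, not code from the thread or from Guix or ClamAV. It parses clamdscan "FOUND" lines and sha1sum records, groups flagged files by content hash (the same .xpi appears under two store paths with one hash), and, given a second scan after a signature-database update, separates hits that cleared with unchanged bytes (a signature false positive, the conclusion reached here) from files whose bytes changed in between or that are still flagged. All store paths, file bytes and the signature name in the sample are constructed; the only real data is the two jid1-KtlZuoiikVfFew@jetpack.xpi lines copied from the report. The reader callback is an assumption of this example so the sample runs without touching the disk.

```python
"""Triage ClamAV hits by content hash across two scans (added example, not from the thread)."""
import hashlib
import re
from collections import defaultdict
from pathlib import Path

# clamdscan/clamscan print one line per hit: "<path>: <signature> FOUND";
# clean files print "<path>: OK" (or nothing when --infected is used).
HIT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
# sha1sum output: 40 hex digits, a space, then ' ' (text) or '*' (binary), then the path.
SHA1SUM_RE = re.compile(r"^(?P<hash>[0-9a-f]{40}) [ *](?P<path>.+)$")


def parse_scan(output):
    """Return {path: signature} for every FOUND line of a scan report."""
    hits = {}
    for line in output.splitlines():
        m = HIT_RE.match(line.rstrip())
        if m:
            hits[m.group("path")] = m.group("sig")
    return hits


def parse_sha1sums(output):
    """Return {path: sha1} from sha1sum-style output recorded at the first scan."""
    record = {}
    for line in output.splitlines():
        m = SHA1SUM_RE.match(line.rstrip())
        if m:
            record[m.group("path")] = m.group("hash")
    return record


def group_by_hash(record):
    """Map each SHA-1 to the paths carrying identical bytes (one .xpi in two store items)."""
    groups = defaultdict(list)
    for path, digest in sorted(record.items()):
        groups[digest].append(path)
    return dict(groups)


def sha1_of(path, reader=None):
    """Current SHA-1 of a file; reader(path) -> bytes is an assumed hook for offline use."""
    data = reader(path) if reader else Path(path).read_bytes()
    return hashlib.sha1(data).hexdigest()


def triage(scan_before, sha1sums_before, scan_after, reader=None):
    """Classify every path flagged in the first scan:
      cleared    - no longer flagged and bytes unchanged: the signature was a false positive
      modified   - no longer flagged but bytes differ from the record: investigate the change
      persistent - still flagged after the database update
      unrecorded - no hash was recorded, so the verdict change cannot be tied to content
    """
    before = parse_scan(scan_before)
    after = parse_scan(scan_after)
    record = parse_sha1sums(sha1sums_before)
    result = {"cleared": [], "modified": [], "persistent": [], "unrecorded": []}
    for path in sorted(before):
        if path in after:
            result["persistent"].append(path)
        elif path not in record:
            result["unrecorded"].append(path)
        elif sha1_of(path, reader) == record[path]:
            result["cleared"].append(path)
        else:
            result["modified"].append(path)
    return result


# --- constructed sample data (placeholder store item, not a real one) ---------------
STORE = "/gnu/store/placeholder-icecat-example/lib/icecat-example"
A_XPI = f"{STORE}/browser/extensions/a@example.org.xpi"
B_XPI = f"{STORE}/browser/extensions/b@example.org.xpi"
OMNI = f"{STORE}/browser/omni.ja"
FILES_AT_FIRST_SCAN = {A_XPI: b"constructed xpi A", B_XPI: b"constructed xpi B",
                       OMNI: b"constructed omni.ja"}
SCAN_BEFORE = "\n".join(f"{p}: Win.Trojan.Example-0 FOUND" for p in FILES_AT_FIRST_SCAN)
SHA1SUMS_BEFORE = "\n".join(f"{hashlib.sha1(b).hexdigest()}  {p}"
                            for p, b in FILES_AT_FIRST_SCAN.items())
# Later state: signatures updated, and omni.ja was rewritten on disk in the meantime.
FILES_NOW = {**FILES_AT_FIRST_SCAN, OMNI: b"constructed omni.ja, rewritten"}
SCAN_AFTER = f"{A_XPI}: OK\n{B_XPI}: Win.Trojan.Example-0 FOUND\n{OMNI}: OK"

# Two lines copied from the report above: one extension, identical bytes, two store items.
REPORT_EXCERPT = """\
660a532ab26271d807484745549eb50c96e1d17d  /gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/jid1-KtlZuoiikVfFew@jetpack.xpi
660a532ab26271d807484745549eb50c96e1d17d  /gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/jid1-KtlZuoiikVfFew@jetpack.xpi
"""


def demo():
    """Run the triage over the constructed sample and return the classification."""
    return triage(SCAN_BEFORE, SHA1SUMS_BEFORE, SCAN_AFTER, reader=FILES_NOW.__getitem__)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
    for digest, paths in group_by_hash(parse_sha1sums(REPORT_EXCERPT)).items():
        print(digest, len(paths), "identical copies")
```

With real scans, call triage with the saved clamdscan output, the sha1sum listing taken at that time, and a fresh clamdscan run, leaving reader unset so files are hashed from disk; a hit that lands in "modified" rather than "cleared" is the one worth looking at, because a verdict change on unchanged bytes is explained by the signature database alone.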





Reply sent to dian_cecht <at> zoho.com:
You have taken responsibility. (Tue, 27 Dec 2016 01:42:02 GMT)

Notification sent to dian_cecht <at> zoho.com:
bug acknowledged by developer. (Tue, 27 Dec 2016 01:42:02 GMT)

Message #22 received at 25278-done <at> debbugs.gnu.org:

From: dian_cecht <at> zoho.com
To: Leo Famulari <leo <at> famulari.name>
Cc: 25278-done <at> debbugs.gnu.org
Subject: Re: bug#25278: Acknowledgement (Possible virus found in icecat-45.5.1)
Date: Mon, 26 Dec 2016 17:41:36 -0800
On Mon, Dec 26, 2016 at 08:24:15PM -0500, Leo Famulari wrote:
> On Mon, Dec 26, 2016 at 04:20:47PM -0800, dian_cecht <at> zoho.com wrote:
> > On Mon, Dec 26, 2016 at 06:57:50PM -0500, Leo Famulari wrote:
> > > On Mon, Dec 26, 2016 at 12:11:13PM -0800, dian_cecht <at> zoho.com wrote:
> > > > I just wanted to add that I went ahead and ran icecat-45.5.1 then rescanned
> > > > ~/.mozilla and nothing related to the virus popped up with the scan.
> > > 
> > > Are the files with the same SHA1 hashes still present?
> > 
> > So I rechecked the files listed in this bug report and yes, the checksums are the
> > same. However, they no longer list as viruses according to ClamAV. I checked my
> > logs and I'm assuming that a database update fixed a false positive (freshclam
> > updates the database every 2 hours on my machine, and, afaik, the virus
> > definition was added in the last day or two).
> > 
> > So it looks to me like it was simply a false positive.
> 
> Good news!
> 
> You can close the bug by sending a message to
> <25278-done <at> debbugs.gnu.org>.

Good to know. Thanks.





Information forwarded to bug-guix <at> gnu.org:
bug#25278; Package guix. (Tue, 03 Jan 2017 20:17:02 GMT)

Message #25 received at 25278 <at> debbugs.gnu.org:

From: David Craven <david <at> craven.ch>
To: dian_cecht <at> zoho.com
Cc: 25278 <at> debbugs.gnu.org
Subject: Re: bug#25278: Possible virus found in icecat-45.5.1
Date: Tue, 3 Jan 2017 21:16:10 +0100
> I'm hoping this is a false positive. I run Guix on top of Gentoo and have also
> found the same Trojan appearing in Firefox-related files in my home directory,
> as well as in Wine directories (I didn't record the exact directories, but I
> think they were something like ../drive_c/windows/sys?????/gecko/ or something
> like that. Don't trust this 100%).

It's an anti-virus's business model to find viruses everywhere. That's
how they scare you into buying a license. They usually are overly
optimistic with declaring something a virus. Besides, what's a Windows
virus going to do on a Gentoo system?




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 01 Feb 2017 12:24:04 GMT)



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.