From: dian_cecht@zoho.com
To: 25278@debbugs.gnu.org
Subject: bug#25278: Possible virus found in icecat-45.5.1
Date: Mon, 26 Dec 2016 11:18:35 -0800
Message-ID: <20161226191835.GA15226@khaalida>

Wanted to report a (possible) virus in icecat (45.5.1 for me, but someone on IRC
was using 45.3.0 with at least one identical checksum of one of the related
files). I'm not sure if this is a false positive, but I thought it better to
report it than to ignore it. Better to draw attention to a nonissue than ignore
something dangerous.

I run clamdscan over my home directory daily and ran into a virus report using
it. I won't go into great detail of what I did, how, and why, but long story
short I removed any and all instances of the virus, rebooted, ran guix pull (I
had to remove files in /gnu/store because they were apparently infected. I
wasn't sure how or why, but I don't question viruses too much wrt what they can
and can't do), rescanned /gnu/store (which came out clean), then reinstalled
icecat. The relevant clamdscan output follows:

/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/html5-video-everywhere@lejenome.me.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/jid1-KtlZuoiikVfFew@jetpack.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/spyblock@gnu.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/features/loop@mozilla.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/https-everywhere-eff@eff.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/omni.ja: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/jid1-KtlZuoiikVfFew@jetpack.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/html5-video-everywhere@lejenome.me.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/spyblock@gnu.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/features/loop@mozilla.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/https-everywhere-eff@eff.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/omni.ja: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/omni.ja: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/omni.ja: Win.Trojan.Toa-5370166-0 FOUND

and for completeness' sake, sha1sums of the files in question:


for i in $(cat pastebit-this.txt | cut -d':' -f1); do sha1sum $i; done
a0798a225f833c5fc495b7d34f842f6895430c05  /gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/html5-video-everywhere@lejenome.me.xpi
660a532ab26271d807484745549eb50c96e1d17d  /gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/jid1-KtlZuoiikVfFew@jetpack.xpi
d1f71a8f48fb67096fd2317593662c93427ec200  /gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/spyblock@gnu.org.xpi
2352c47726144e6f3b16dbbfd851767ec4da12f4  /gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/features/loop@mozilla.org.xpi
f514044393bbcb35fd416f8934cc5796668880de  /gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/https-everywhere-eff@eff.org.xpi
e33f82770d29052967ea554a64fa3c2abbaa654b  /gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/omni.ja
660a532ab26271d807484745549eb50c96e1d17d  /gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/jid1-KtlZuoiikVfFew@jetpack.xpi
a0798a225f833c5fc495b7d34f842f6895430c05  /gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/html5-video-everywhere@lejenome.me.xpi
d1f71a8f48fb67096fd2317593662c93427ec200  /gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/spyblock@gnu.org.xpi
2352c47726144e6f3b16dbbfd851767ec4da12f4  /gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/features/loop@mozilla.org.xpi
f514044393bbcb35fd416f8934cc5796668880de  /gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/https-everywhere-eff@eff.org.xpi
46a63a6d5a0fc94ee2646a6079cba38fb16715d9  /gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/omni.ja
e33f82770d29052967ea554a64fa3c2abbaa654b  /gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/omni.ja
46a63a6d5a0fc94ee2646a6079cba38fb16715d9  /gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/omni.ja

I'm hoping this is a false positive. I run Guix on top of Gentoo and have also
found the same Trojan appearing in Firefox-related files in my home directory,
as well as in Wine directories (I didn't record the exact directories, but I
think they were something like ../drive_c/windows/sys?????/gecko/ or something
like that. Don't trust this 100%).
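
The following is an added example, not part of the original report: a triage helper that joins clamdscan "FOUND" lines with sha1sum output and groups the hits by content digest, so identical files flagged under several /gnu/store items are counted once. All paths, digests and the signature name in the sample input are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample data (placeholder store hashes and digests, not the reporter's).
A = "/gnu/store/" + "a" * 32 + "-example-1.0"
B = "/gnu/store/" + "b" * 32 + "-example-1.0"
SCAN = "\n".join([
    f"{A}/lib/example/omni.ja: Example.Sig-0 FOUND",
    f"{A}/lib/example/ext/one.xpi: Example.Sig-0 FOUND",
    f"{B}/lib/example/omni.ja: Example.Sig-0 FOUND",
    f"{B}/lib/example/ext/one.xpi: Example.Sig-0 FOUND",
    "/home/user/.cache/two.xpi: Example.Sig-0 FOUND",
    "/home/user/clean.txt: OK",
])
SUMS = "\n".join([
    "1" * 40 + f"  {A}/lib/example/omni.ja",
    "2" * 40 + f"  {A}/lib/example/ext/one.xpi",
    "1" * 40 + f"  {B}/lib/example/omni.ja",
    "2" * 40 + f"  {B}/lib/example/ext/one.xpi",
])

FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")      # clamdscan hit line
SUM_RE = re.compile(r"^(?P<digest>[0-9a-f]{40}) [ *](?P<path>.+)$")  # sha1sum line
STORE_RE = re.compile(r"^(/gnu/store/[0-9a-z]{32}-[^/]+)/(.+)$")  # store item / relative path

def parse_found(text):
    """Map each flagged path to its signature name; non-FOUND lines are skipped."""
    return {m["path"]: m["sig"] for m in map(FOUND_RE.match, text.splitlines()) if m}

def parse_sums(text):
    """Map each path in sha1sum output to its hex digest."""
    return {m["path"]: m["digest"] for m in map(SUM_RE.match, text.splitlines()) if m}

def triage(scan_text, sums_text):
    """Group flagged paths by digest; return (groups, flagged paths with no digest)."""
    found, sums = parse_found(scan_text), parse_sums(sums_text)
    groups = defaultdict(lambda: {"signatures": set(), "store_items": set(), "paths": []})
    unhashed = []
    for path, sig in found.items():
        digest = sums.get(path)
        if digest is None:          # flagged, but no checksum was recorded for it
            unhashed.append(path)
            continue
        g = groups[digest]
        g["signatures"].add(sig)
        g["paths"].append(path)
        m = STORE_RE.match(path)
        if m:
            g["store_items"].add(m.group(1))
    return dict(groups), unhashed
```

Calling `triage(SCAN, SUMS)` on the constructed input yields two distinct digests, each present in both store items, plus one flagged path that was never hashed.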

Thread overview: 7+ messages
2016-12-26 19:18 dian_cecht [this message]
     [not found] ` <handler.25278.B.148277993421450.ack@debbugs.gnu.org>
2016-12-26 20:11   ` bug#25278: Acknowledgement (Possible virus found in icecat-45.5.1) dian_cecht
2016-12-26 22:05     ` ng0
2016-12-26 23:57     ` Leo Famulari
2016-12-27  0:20       ` dian_cecht
     [not found]         ` <20161227012415.GA14310@jasmine>
2016-12-27  1:41           ` dian_cecht
2017-01-03 20:16 ` bug#25278: Possible virus found in icecat-45.5.1 David Craven
