From: dian_cecht@zoho.com
Subject: bug#25278: Possible virus found in icecat-45.5.1
Date: Mon, 26 Dec 2016 11:18:35 -0800
Message-ID: <20161226191835.GA15226@khaalida>
List-Id: Bug reports for GNU Guix
To:
25278@debbugs.gnu.org

Wanted to report a (possible) virus in icecat (45.5.1 for me, but someone on IRC was using 45.3.0 with at least one identical checksum of one of the related files). I'm not sure if this is a false positive, but I thought it better to report it than to ignore it. Better to draw attention to a nonissue than ignore something dangerous.

I run clamdscan over my home directory daily and ran into a virus report using it. I won't go into great detail of what I did, how, and why, but long story short I removed any and all instances of the virus, rebooted, ran guix pull (I had to remove files in /gnu/store because they were apparently infected. I wasn't sure how or why, but I don't question viruses too much wrt what they can and can't do), rescanned /gnu/store (which came out clean), then reinstalled icecat.

The relevant clamdscan output follows:

/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/html5-video-everywhere@lejenome.me.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/jid1-KtlZuoiikVfFew@jetpack.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/spyblock@gnu.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/features/loop@mozilla.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/https-everywhere-eff@eff.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/omni.ja: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/jid1-KtlZuoiikVfFew@jetpack.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/html5-video-everywhere@lejenome.me.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/spyblock@gnu.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/features/loop@mozilla.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/https-everywhere-eff@eff.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/omni.ja: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/omni.ja: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/omni.ja: Win.Trojan.Toa-5370166-0 FOUND

and for completeness' sake, sha1sums of the files in question:

for i in $(cat pastebit-this.txt | cut -d':' -f1); do sha1sum $i; done

I'm hoping this is a false positive. I run Guix on top of Gentoo and have also found the same Trojan appearing in Firefox-related files in my home directory, as well as in Wine directories (I didn't record the exact directories, but I think they were something like ../drive_c/windows/sys?????/gecko/ or something like that. Don't trust this 100%).
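A triage helper added here as an example; it is not the reporter's script and not part of Guix or ClamAV. It reads clamdscan output of the form shown above, hashes each flagged file and reports, per signature, how many distinct file contents were actually hit, so that the same signature firing on byte-identical copies under two /gnu/store items (as in the report) can be told apart from several different files being flagged. The sample files and signature name in the demo are constructed; sha1sum and awk are assumed to be available.

```shell
#!/bin/sh
# Added triage helper (not from the bug report, Guix or ClamAV): reads
# clamdscan lines "<path>: <Signature> FOUND" on stdin and counts, per
# signature, how many distinct file contents were flagged.
# Assumes sha1sum (coreutils) and awk are available.

# Print "sha1 signature path" for each FOUND line whose file exists;
# non-hit lines such as "<path>: OK" are skipped.
hits_with_hash() {
    while IFS= read -r line; do
        case $line in
            *" FOUND") ;;
            *) continue ;;
        esac
        path=${line%%: *}   # text before the first ": "
        rest=${line#*: }
        sig=${rest% FOUND}
        [ -f "$path" ] || { echo "missing: $path" >&2; continue; }
        sum=$(sha1sum "$path" | cut -d' ' -f1)
        printf '%s %s %s\n' "$sum" "$sig" "$path"
    done
}

# Summarise as "signature hits distinct_contents", one line per signature.
# hits much larger than distinct_contents means the same bytes were flagged
# under several paths (as with the two /gnu/store items above), which is
# what one signature firing on one upstream file looks like.
distinct_per_signature() {
    hits_with_hash | awk '{
        hits[$2]++
        if (!seen[$2 SUBSEP $1]++) distinct[$2]++
    }
    END { for (s in hits) printf "%s %d %d\n", s, hits[s], distinct[s] }' | sort
}

# Demonstration on constructed files: two identical copies and one
# different file, all "flagged" under a constructed signature name.
demo_constructed() {
    d=$(mktemp -d)
    printf 'same bytes\n' > "$d/a.xpi"
    printf 'same bytes\n' > "$d/b.xpi"
    printf 'other bytes\n' > "$d/c.ja"
    printf '%s\n' "$d/a.xpi: Win.Trojan.Constructed FOUND" \
                  "$d/b.xpi: Win.Trojan.Constructed FOUND" \
                  "$d/c.ja: Win.Trojan.Constructed FOUND" \
                  "$d/d.txt: OK" | distinct_per_signature
    rm -rf "$d"
}

case "${1:-}" in --demo) demo_constructed ;; esac
```

On a real system feed it the saved scan log, e.g. `distinct_per_signature < clamdscan.log`. Because the Guix store is content-addressed, `guix gc --verify=contents` is the more direct way to check whether a store item still matches what the daemon recorded, rather than deleting files from /gnu/store by hand.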