Ivor O’Connor

December 14, 2008

Anti Virus In Ubuntu: Clam

Filed under: anti virus, ubuntu — Tags: , — ioconnor @ 5:37 pm

I saw mention of clam at http://ubuntuadministrator.com/?p=377 and it looked like it might be interesting. Especially if it does not run all the time, just when I ask it to scan a directory. Unfortunately the steps there were not accurate. They probably meant:

sudo apt-get install clamav-freshclam
sudo freshclam

which gives

ClamAV update process started at Sun Dec 14 08:01:07 2008
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.92.1 Recommended version: 0.94.2
DON’T PANIC! Read http://www.clamav.net/support/faq
main.inc is up to date (version: 49, sigs: 437972, f-level: 35, builder: sven)
daily.cvd is up to date (version: 8756, sigs: 34762, f-level: 38, builder: sven)

Not really what I wanted to see. I googled about and found a post about installing it from the menu system “applications->Add/Remove…” and did that. At the end you had to start up clamtk in gksudo mode to update the db. However that installation did nothing to remove the error messages when I ran from the command line. So I read the “DON’T PANIC! Read http://www.clamav.net/support/faq”. There they have a debian part but no Ubuntu part. I go to look at the debian notes and it was merely a placeholder for somebody else to finish. To verify I checked the redhat notes and notes were indeed there for a redhat installation. Sigh. So I decide to download their tar file and start from scratch. This was the key. In their tar files they have good documentation. I followed that documentation and it all worked fairly well. However I don’t want to document that now. Just a place holder for me so that the next time I want to install it on Ubuntu I know I need to download their tar file and look at their html documentation.

What is really important are the results:

———– SCAN SUMMARY ———–
Known viruses: 472355
Engine version: 0.94.2
Scanned directories: 6261
Scanned files: 80194
Infected files: 34
Data scanned: 5594.48 MB
Time: 1621.158 sec (27 m 1 s)

Thirty three of the infected files happened to be test files in the clam directories. The remaining file was

.opera/cache4/opr009T6: JS.Psyme-32 FOUND

and googling for this I find:

Psyme is a notoriously cunning downloader. The distributors of Psyme are known to actually insert links to the Trojan in other, legitimate websites and to propagate popups that also link to the Trojan. Clicking on the link or popup will initiate an automatic download of the Psyme Trojan that will then make contact with the Internet connection of the infected computer. From that point, it downloads other Malware, usually in the form of spying utilities like keyloggers.

Psyme abuses a vulnerability in older versions of Internet Explorer. By exploiting the way Explorer receives ADODB stream objects, the Trojan can download and install without being checked. ADOdb is a database abstraction written for certain programming languages; it allows Explorer to interpret information from various types of databases, regardless of which language they are written in.

Psyme has two popular variants; one is written in Visual Basic Script (VBS) and one in Java (JS). They have the same objectives. Additionally, there are another Trojan Downloaders called Psymedo and Trunlow that have characteristics so similar to Psyme that some authorities list them as the same program.

I don’t use opera very often. I’ll delete the cache file. Maybe I should make an account with very limited features for general web browsing and only use the default account for banking and such which probably never get viruses? I’ll think it over.


Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: