Ivor O’Connor

February 22, 2009

Scientists Close To Universal Vaccine For Flu

Filed under: anti virus, Uncategorized — ioconnor @ 6:54 pm

http://www.npr.org/templates/story/story.php?storyId=100931249&ft=1&f=1001 is an interesting article by NPR. I’ve never seen any claims of a universal vaccine for flu before. However, a universal vaccine for flu does not pass my “common sense” test. If anything, our bodies probably need to fight off flus much like our bodies need exercise. Even if it does test out, would somebody want to take it? Perhaps old people, sure. Or people with AIDS. Or patients with other terminal conditions. But perhaps the rest of us would like to simply watch. If it’s successful, flu strains will die out pretty much on their own because they have nowhere to go. If it’s not successful, well, the people who took the vaccine probably had to sign paperwork saying they’d take full personal responsibility. And they’ll probably invest the last of their money in medicine in the hopes of fixing what was done to them.

Am I cynical or is this just common sense? Perhaps it was not presented correctly or there is some information missing that would allow me to think differently about this?

December 14, 2008

Anti Virus In Ubuntu: Clam

Filed under: anti virus, ubuntu — ioconnor @ 5:37 pm

I saw mention of clam at http://ubuntuadministrator.com/?p=377 and it looked like it might be interesting. Especially if it does not run all the time, just when I ask it to scan a directory. Unfortunately the steps there were not accurate. They probably meant:

sudo apt-get install clamav-freshclam
sudo freshclam

which gives

ClamAV update process started at Sun Dec 14 08:01:07 2008
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.92.1 Recommended version: 0.94.2
DON'T PANIC! Read http://www.clamav.net/support/faq
main.inc is up to date (version: 49, sigs: 437972, f-level: 35, builder: sven)
daily.cvd is up to date (version: 8756, sigs: 34762, f-level: 38, builder: sven)

Not really what I wanted to see. I googled about and found a post about installing it from the menu system “applications->Add/Remove…” and did that. At the end you had to start up clamtk in gksudo mode to update the db. However, that installation did nothing to remove the error messages when I ran from the command line. So I read the “DON'T PANIC! Read http://www.clamav.net/support/faq”. There they have a Debian part but no Ubuntu part. I go to look at the Debian notes and it was merely a placeholder for somebody else to finish. To verify, I checked the Red Hat notes, and notes were indeed there for a Red Hat installation. Sigh. So I decide to download their tar file and start from scratch. This was the key. In their tar files they have good documentation. I followed that documentation and it all worked fairly well. However, I don’t want to document that now. Just a placeholder for me so that the next time I want to install it on Ubuntu I know I need to download their tar file and look at their html documentation.

What is really important are the results:

----------- SCAN SUMMARY -----------
Known viruses: 472355
Engine version: 0.94.2
Scanned directories: 6261
Scanned files: 80194
Infected files: 34
Data scanned: 5594.48 MB
Time: 1621.158 sec (27 m 1 s)

Thirty-three of the infected files happened to be test files in the clam directories. The remaining file was

.opera/cache4/opr009T6: JS.Psyme-32 FOUND

and googling for this I find:

Psyme is a notoriously cunning downloader. The distributors of Psyme are known to actually insert links to the Trojan in other, legitimate websites and to propagate popups that also link to the Trojan. Clicking on the link or popup will initiate an automatic download of the Psyme Trojan that will then make contact with the Internet connection of the infected computer. From that point, it downloads other Malware, usually in the form of spying utilities like keyloggers.

Psyme abuses a vulnerability in older versions of Internet Explorer. By exploiting the way Explorer receives ADODB stream objects, the Trojan can download and install without being checked. ADOdb is a database abstraction written for certain programming languages; it allows Explorer to interpret information from various types of databases, regardless of which language they are written in.

Psyme has two popular variants; one is written in Visual Basic Script (VBS) and one in Java (JS). They have the same objectives. Additionally, there are other Trojan Downloaders called Psymedo and Trunlow that have characteristics so similar to Psyme that some authorities list them as the same program.

I don’t use Opera very often. I’ll delete the cache file. Maybe I should make an account with very limited features for general web browsing and only use the default account for banking and such, which probably never get viruses? I’ll think it over.
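
Added example (not part of the original post): the triage done by hand above, separating hits on ClamAV's own test samples from everything else, written as a shell function over clamscan's "path: Signature FOUND" lines. The sample output, the /home/user/clamav-0.94.2/ path and the ClamAV-Test-File lines are constructed for illustration; only the Opera cache hit is taken from the post.

```shell
#!/bin/sh
# Triage clamscan output: hits under a known test-sample directory are
# counted but not reported; every other hit is printed for follow-up.
# Real input would come from e.g.:  clamscan -r -i "$HOME"

# Constructed sample of clamscan output (paths are assumptions).
sample_scan_output() {
    cat <<'EOF'
/home/user/notes.txt: OK
/home/user/clamav-0.94.2/test/clam.exe: ClamAV-Test-File FOUND
/home/user/clamav-0.94.2/test/clam.zip: ClamAV-Test-File FOUND
.opera/cache4/opr009T6: JS.Psyme-32 FOUND

----------- SCAN SUMMARY -----------
Infected files: 3
EOF
}

# triage_hits PREFIX  (reads clamscan output on stdin)
# PREFIX is the directory holding known test samples.
triage_hits() {
    awk -v skip="$1" '
        / FOUND$/ {
            line = $0
            sub(/ FOUND$/, "", line)
            # Split at the LAST ": " so a path containing ": " survives.
            n = 0; rest = line
            while ((i = index(rest, ": ")) > 0) {
                n += i + 1
                rest = substr(rest, i + 2)
            }
            if (n == 0) next
            path = substr(line, 1, n - 2)
            sig  = substr(line, n + 1)
            total++
            if (skip != "" && index(path, skip) == 1) { known++; next }
            unexpected++
            printf "UNEXPECTED\t%s\t%s\n", path, sig
        }
        END {
            printf "SUMMARY total=%d known_test=%d unexpected=%d\n",
                   total, known, unexpected
        }'
}

sample_scan_output | triage_hits "/home/user/clamav-0.94.2/"
```

Passing --exclude-dir to clamscan would skip the test directory at scan time instead; filtering afterwards keeps the test hits in the count, which confirms the signature database is actually matching.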
