You are here

Clamwin installed "Backdoor" virus!!!

20 posts / 0 new
Last post
nasire786
Offline
Last seen: 14 years 6 months ago
Joined: 2010-05-02 12:05
Clamwin installed "Backdoor" virus!!!

Microsoft Security Essentials flagged a threatening virus in my local settings folder while I was running Clamwin. How can this be with open source? Any ideas or am I misguided somewhere? Please help.

Tim Clark
Tim Clark's picture
Offline
Last seen: 13 years 7 months ago
Joined: 2006-06-18 13:55
Relax

First, Relax

No, ClamWinPortable did Not install a "Backdoor" virus.
NO Officially Released app from PA.c has ever had virus in it, Ever!

I am currently running CWP on this machine and have had this version for months. I also have RealTime Anitvirus protection and RealTime AntiSpyware/Malware protection running.

In addition I scan my machine with at least 3 Different on-demand Antivirus products and 3 different AntiSpy/Malware products at least 3 times a week. The CWP downloaded from this site is clean.

Based on my experience your MSE is having what is called a False Positive [FP] reaction to either CWP or is reacting to something that it is scanning during a CWP scan [see the links below for more information on this possibility]

It is hard to tell in your situation what is occurring as you have not provided enough information.

What is happening?
When is it happening?
What is the file being detected by MSE?
Where is is located? ["local settings folder" is not enough information]

To start with, While CWP is NOT RUNNING,
Run a direct scan on the CWP directory with MSE.
I am hazarding a guess that you will find nothing, indicating that CWP itself is NOT infected.
Next start CWP, but do not do a scan, Does MSE react to this, I am guessing it will not.
If you run a scan with CWP does MSE react immediately, or only when CWP has been scanning for a bit?

Try this and report back with as much information as you can.

See this topic for more information:
https://portableapps.com/node/19645
also
https://portableapps.com/node/22119

Tim

Things have got to get better, they can't get worse, or can they?

Darkbee
Darkbee's picture
Offline
Last seen: 4 years 6 months ago
Joined: 2008-04-14 09:41
Don't Panic

If you have a file that DOES have a virus in it, and one on-demand virus scanner finds it, that can often trigger another resident virus scanner, because the resident scanner scans files that are accessed, and the on-demand scanner accessed that infected file. It doesn't mean the on-demand scanner planted a virus, it just help to trigger your resident scanner.

Sounds like you should:
A. Clean up your temporary files.
B. Run a manual scan of MSE and see what it finds.

And of course, everything that Tim said above.

Mir
Mir's picture
Offline
Last seen: 12 years 4 months ago
Joined: 2007-12-03 16:07
sounds

sounds like ti could also be a virus definition but i could be wrong.

nasire786
Offline
Last seen: 14 years 6 months ago
Joined: 2010-05-02 12:05
Thank you all

Thank you all for your help. I removed the suspected file and ran a full scan with Clamwin and MSE. Seems like kids invited the virus from somewhere else.

I love PortableApps and all the applications. Now, how about someone setup Gnumeric. The one on Sourceforge doesn't look very credible.

vf2nsr
vf2nsr's picture
Offline
Last seen: 8 years 1 month ago
Developer
Joined: 2010-02-13 17:10
Did you look here?

https://portableapps.com/node/18311 is that what you are looking for?

“Be who you are and say what you feel because those who mind don't matter and those who matter don't mind.” Dr. Seuss

Pict_Nose
Offline
Last seen: 4 months 3 weeks ago
Joined: 2010-07-28 19:01
Backdoor virus detected

While ClamWin was executing a scan on my USB drive, Norton flagged the following:

7/28/2010 1:37 PM,High,clamav-c8b3d2f9e8e52dc4de5d89478d14f197.000013a8.clamtmp (W32.IRCBot) detected by Auto-Protect,Blocked,Resolved - No Action
7/28/2010 1:37 PM,High,clamav-4ac6ce9477026b011db467ac2f5f6c0a.000013a8.clamtmp (W32.IRCBot) detected by Auto-Protect,Blocked,Resolved - No Action

ClamWin creates the clamav-xxxx.clamtmp files in the
\Documents and Settings\username\Local Settings\Temp directory as it scans.

Norton was evidently nimble enough to flag these temporary files a couple of times during the scan.

I am sure these are false positives. I have no idea what the contents of these temp files are, but evidently they look enough like an IRCBot to set off the antivirus.

John T. Haller
John T. Haller's picture
Offline
Last seen: 2 hours 7 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
False Positives

Things like Norton will often detect false positives in other antivirus products. You can report the error to them through your support contact.

Sometimes, the impossible can become possible, if you're awesome!

romel
Offline
Last seen: 1 month 3 weeks ago
Joined: 2011-09-16 10:11
Things like KASPERSKY!

Today, kaspersky has detected the <PAF PATH>\PortableApps\PortableApps.com\PortableAppsPlatform.exe as Packed.Win32.Dico.gen =:V

John T. Haller
John T. Haller's picture
Offline
Last seen: 2 hours 7 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
12 Year Old Unrelated Post

Why are you putting a new comment in reply to an unrelated comment from 12 years ago about a bug in Kaspersky?

Sometimes, the impossible can become possible, if you're awesome!

romel
Offline
Last seen: 1 month 3 weeks ago
Joined: 2011-09-16 10:11
Sorry, I didn't noticed the "Time Stamp"

I was trying do not open a new thread, and also didn't notice the "Time Stamp" of the post. I just looked for "False Positive", and then choose this post to "share" the AV detection.

marcel_denis
marcel_denis's picture
Offline
Last seen: 14 years 3 months ago
Joined: 2010-08-11 09:19
Backdoor:Win32/Ursap!rts

Hello, I just launched the PortableApps copy of Clamwin for the first time.
I mentioned I needed to download the Virus Definitions Database, which I did (2010-08-11, 9:30AM).
I then launched the scan on my portable drive.
During the scan, Microsoft Security Essentials (MSE) opened up stating it had found an infected file. I applied the suggested quarantine.

Category: Backdoor

Description: This program provides remote access to the computer it is installed on.

Recommendation: Permit this detected item only if you trust the program or the software publisher.

Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the 'Allow' action and click 'Apply actions'. If this option is not available, log on as administrator or ask the local administrator for help.

Items:
file:C:\Users\Marcel\AppData\Local\Temp\clamav-7c3ead70cc9a9fe28a621af410f49866.00001974.clamtmp

Get more information about this item online.

I then deleted the ClamWinPortable directory and contents from my portable drive.
I proceeded to download the latest (identical) version 0.96.1 rev3 (2010-06-19) from the PortableApps page.
I installed it using the "Install new apps" in the PortableApps options.
I launched it.
I was offered to download the Virus Definitions Database, which I did.

ClamAV update process started at Wed Aug 11 10:03:36 2010
Downloading main.cvd [100%]
main.cvd updated (version: 52, sigs: 704727, f-level: 44, builder: sven)
Downloading daily.cvd [100%]
daily.cvd updated (version: 11530, sigs: 110026, f-level: 53, builder: ccordes)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 33, sigs: 8, f-level: 53, builder: edwin)
Database updated (814761 signatures) from database.clamav.net (IP: 208.70.244.158)

--------------------------------------
Completed
--------------------------------------

I did not scan anything with ClamWinPortable.

I updated the virus definitions of MSE.
I scanned the ClamWinPortable directory and content with MSE.
I scanned the directory: C:\Users\Marcel\AppData\Local\Temp where the "infected" appeared.
No viruses found
I then launched the ClamWinPortable to scan the contents of my portable drive as in the beginning.
MSE ALERT - Potential threat
Found same issue...
file:C:\Users\Marcel\AppData\Local\Temp\clamav-bb20d75cb4dfbb7470bac7d7a7f3a18a.00002568.clamtmp

I am lead to believe the ClamWin database definitions ignite MSE to believe there is an infection in this temporary file that ClamWin creates.

My solution:
I have now indicated to MSE not to scan files ending like .clamtmp

Marcel
Engineer, artist, family man
Montréal, Canada

Mir
Mir's picture
Offline
Last seen: 12 years 4 months ago
Joined: 2007-12-03 16:07
Tell MS its not a backdoor

ClamAV doesnt install a backdoor. so unless you got it from a unlegitimate place which i hope you didnt it is clean ans hould be reported to microsoft.

then agian Microsoft doesnt like FOSS much and doesnt like clamwin either (doesnt work as a viable AV for Windows Security Alert). So you might get no where with them.

Bitman
Offline
Last seen: 6 years 7 months ago
Joined: 2006-01-17 15:56
Clam Win Not Truly Portable?

I just had MSE virus checker detect a couple viruses on C drive too while scanning only the USB drive. It appears Clam win may be using the c drive to store temporary files. It shouldn't do that right?

e.g.

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Permit this detected item only if you trust the program or the software publisher.

Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.

Items:
file:C:\Users\user1\AppData\Local\Temp\clamav-b06ffc8a6e0a43c61e81766de4683f02.000009f8.clamtmp

John T. Haller
John T. Haller's picture
Offline
Last seen: 2 hours 7 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
TEMP

ClamWin stores files in TEMP while it is scanning and removes them on completion. Portable software is allowed to do this and a large percentage of software can not work without a TEMP folder/files.

Sometimes, the impossible can become possible, if you're awesome!

Mir
Mir's picture
Offline
Last seen: 12 years 4 months ago
Joined: 2007-12-03 16:07
this i didnt know

thank you for the heads up on this wealth of knowlage JTH.

This means Clamwin portable is portable but not STEALTH.

depp.jones
Offline
Last seen: 4 hours 48 min ago
DeveloperTranslator
Joined: 2010-06-05 17:19
It is kind of stealth as long

It is kind of stealth as long as you consider the state after it is closed. During runtime it is not. There still are some traces left like maybe mru cache and prefetch, but that is inevitable on newer windows os. At least if you don't have admin rights to clean them up.
Normally you always leave some traces if you use an app on a computer, no way around that. It's the way they affect the host system and to what extend they are cleaned up, that makes an app portable. Or not.

John T. Haller
John T. Haller's picture
Offline
Last seen: 2 hours 7 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Stealth

Stealth has no meaning in terms of portable software. Every single EXE you run will leave things behind in Prefetch and the registry and you can't remove that without being an admin.

Stealth in its common meaning means "don't leave anything behind". If you discount the above, then ClamWin is, of course, stealth because those are TEMP files and are removed as soon as ClamWin is done with them. I'd say most apps use TEMP in some way while running.

This is why we don't use terms like 'stealth'.

Sometimes, the impossible can become possible, if you're awesome!

consul
consul's picture
Offline
Last seen: 1 year 1 month ago
Joined: 2007-05-02 13:47
open source doesn't mean virus free ...

just wanted to say that, since you mentioned it in your post.

Don't be an uberPr∅. They are stinky.

johnnymazer
Offline
Last seen: 12 years 1 month ago
Joined: 2012-10-01 22:31
I thank all the viruses are open source...

Since you mentioned it...

Log in or register to post comments