Page 1 of 2
Results 1 to 10 of 14

Thread: Possible infection?!

  1. #1

    Default Possible infection?!

    If this isn't the right sub-forum to discuss this kind of thing, please move, because otherwise I have no idea about where it should be.

    Story (needed):
    I was scanning my mother's PC (it has Windows 7 64-bit with Avast Free antivirus), and among very few infections it detected two MS Word .doc files as infected. They were moved to quarantine. I happen to have the same files on my openSUSE laptop since they are old notes from school (a few years old, from a Computing class...). I couldn't believe what Avast told me (in kind of a rage...) and I opened both files on my openSUSE laptop; they opened normally, just with LibreOffice. In these doc files I observed there are some virus code examples (it was a class about security, seeing what some viruses would look like).

    1. This first one may be a bit offtopic, but if a doc or text file contains written malicious code in it, is it normally detected by antiviruses?

    2. If both doc files were indeed infected, are there consequences for my openSUSE installation?
    Could my system have been infected some way? Would any USB sticks or removable disks I plugged in also get infected?
    Could Windows partitions (because I have dual-boot) also go bad? (Though I'd like to think they wouldn't, because they're automatically mounted as directories, but by default as read-only.)

    I've been told before that Linux distros shouldn't get infected by Windows viruses, but so many things have happened to me that I've become unsure about everything, valid or not...

    Thanks beforehand.

  2. #2
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: Possible infection?!

    On 2014-08-26 01:56, F style wrote:
    >
    > If this isn't the right sub-forum to discuss this kind of thing, please
    > move, because otherwise I have no idea about where it should be.
    >
    > Story (needed):
    > I was scanning my mother's PC (it has Windows 7 64-bit with Avast Free
    > antivirus), and among very few infections it detected two MS Word .doc
    > files as infected. They were moved to quarantine. I happen to have the same
    > files on my openSUSE laptop since they are old notes from school (a
    > few years old, from a Computing class...). I couldn't believe what Avast
    > told me (in kind of a rage...) and I opened both files on my openSUSE
    > laptop; they opened normally, just with LibreOffice. In these doc files I
    > observed there are some virus code examples (it was a class about
    > security, seeing what some viruses would look like).


    Ah. LOL. X'-)


    > 1. This first one may be a bit offtopic, but if a doc or text file
    > contains written malicious code in it, is it normally detected by
    > antiviruses?


    Mmmm... let's say for the moment that it is detected, yes.


    > 2. If both doc files were indeed infected, are there consequences for my
    > openSUSE installation?


    Wait. The files were NOT infected. And no, there are no consequences for
    your openSUSE - not even for your mother's Windows machine. That's a
    "false positive" if ever there was one.

    You simply have some TEXT files containing samples, in TEXT, of
    malicious code. But it is not CODE, it is TEXT. It is absolutely safe in
    any half serious operating system. Unless some _human_ converts back
    that text to code and runs it.


    The antivirus simply detects that there is a chain of bytes in a file,
    which it compares to a database of known viruses that it detects
    precisely by finding that string of bytes.

    And the trigger "string" can be a string of text in the virus where its
    programmer wrote "Hello, I'm very bad guy, and I'm gonna f%& your disk".
    If you happen to write an email to a friend with the string "Hello, I'm
    very bad guy, and I'm gonna f%& your disk", it will trigger antivirus
    detectors on the way, and perhaps never reach your friend - even though
    you simply wrote some TEXT, that chanced to be the same one that a virus
    programmer once wrote, perhaps two decades ago. Even if the malicious
    code is not present anywhere.

    So... RELAX.



    And, even if the full "code" of the virus is included inside your school
    document, say, as a hex dump, it is absolutely safe there, no matter
    what a dumb antivirus says. Unless you pick that "code" in there and
    actually write a program to load and run it - you, a human.


    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)

  3. #3
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: Possible infection?!

    On 2014-08-26 02:48, Carlos E. R. wrote:

    > And the trigger "string" can be a string of text in the virus where its
    > programmer wrote "Hello, I'm very bad guy, and I'm gonna f%& your disk".
    > If you happen to write an email to a friend with the string "Hello, I'm
    > very bad guy, and I'm gonna f%& your disk", it will trigger antivirus
    > detectors on the way, and perhaps never reach your friend - even though
    > you simply wrote some TEXT, that chanced to be the same one that a virus
    > programmer once wrote, perhaps two decades ago. Even if the malicious
    > code is not present anywhere.
    >
    > So... RELAX.


    Look.

    Write a text file with exactly this line:

    Code:
    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    No line end. Save it, then scan it... it should trigger an alarm. But it
    is absolutely safe, it is a "safe virus", an industry standard used to
    test antivirus detectors.

    Code:
    cer@Telcontar:~> clamscan EICAR_test_file.txt
    EICAR_test_file.txt: Eicar-Test-Signature FOUND
    
    ----------- SCAN SUMMARY -----------
    Known viruses: 3513034
    Engine version: 0.98.4
    Scanned directories: 0
    Scanned files: 1
    Infected files: 1
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 5.702 sec (0 m 5 s)
    cer@Telcontar:~>
    cer@Telcontar:~> file EICAR_test_file.txt
    EICAR_test_file.txt: EICAR virus test files
    cer@Telcontar:~>
    You see, Linux tools know about this special file.


    It is even possible that some people can not read this post - LOL.




    More info:

    http://en.wikipedia.org/wiki/EICAR_test_file


    Ah, if you change the word "STANDARD" in the "virus" to "STANDING",
    the "virus" is not detected by clamav - even though the virus CODE is
    exactly the same. If it were a real virus, it could do damage and go
    undetected.

    One of the links hanging from the wikipedia article above explains this
    "trick".

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)
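The two points in the post above, that a signature is nothing more than a byte pattern the scanner searches for (so a text file quoting it is "detected" just like a real sample) and that changing one word in the pattern makes the same bytes invisible to the signature, can be shown with a toy scanner. This is an added example, not code from the thread or from clamav; the signature table, its single detection name and the sample inputs are constructed for illustration, and only the 68-byte EICAR string itself is the real industry test pattern.

```python
"""Toy byte-signature scanner (added example; not code from the thread).

Shows three things with one signature: detection of the exact pattern,
a "false positive" on plain text that merely quotes the pattern, and
evasion by a one-word change that leaves the file otherwise identical.
"""
from __future__ import annotations

import sys

# The EICAR test string exactly as the post above gives it.  It is split
# across two literals so that this source file does not itself contain the
# contiguous pattern and get quarantined when saved to disk.
EICAR = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
).encode("ascii")

# Constructed signature database: detection name -> byte pattern.  Real
# engines add offsets, wildcards, hashes and emulation, but the core idea,
# "does this sequence of bytes occur in the file", is the same.
SIGNATURES: dict[str, bytes] = {
    "Eicar-Test-Signature": EICAR,
}


def scan_bytes(data: bytes, signatures: dict[str, bytes] = SIGNATURES) -> list[str]:
    """Return the names of every signature whose pattern occurs anywhere in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_file(path: str, signatures: dict[str, bytes] = SIGNATURES) -> list[str]:
    """Scan one file: it reads bytes only and never executes anything."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), signatures)


def demo() -> dict[str, list[str]]:
    """Three constructed inputs: exact copy, text that quotes it, evaded copy."""
    # 1. A faithful copy of the test file: detected, as expected.
    exact = EICAR
    # 2. Class notes that quote the string as text.  The bytes are the same,
    #    so the engine fires although nothing here can ever run.
    notes = b"Security lecture, week 7. The AV test string is:\n" + EICAR + b"\nEnd.\n"
    # 3. The trick from the post above: STANDARD -> STANDING.  One word
    #    changed, the signature no longer matches, the scanner stays silent.
    evaded = EICAR.replace(b"STANDARD", b"STANDING")
    return {
        "exact": scan_bytes(exact),
        "notes": scan_bytes(notes),
        "evaded": scan_bytes(evaded),
    }


if __name__ == "__main__":
    # With file arguments, behave like a minimal scanner; otherwise run the demo.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            hits = scan_file(path)
            print(f"{path}: {', '.join(hits) + ' FOUND' if hits else 'OK'}")
    else:
        for label, hits in demo().items():
            print(f"{label:7s} -> {hits or 'no match'}")
```

Run it without arguments to see the three cases, or pass the EICAR file from the post above to scan it. The "notes" case is the situation of the school documents: the scanner is right that the bytes are there and wrong about what that means, because it has no notion of whether those bytes can ever be executed.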

  4. #4

    Default Re: Possible infection?!

    OK. But what if the two doc files were *actually* really infected by some other application, website, or any other agent you can consider, long ago and I never noticed? Not only executable or rar files, but also doc files can become infected, can't they? I think there have been cases...

    They were never executed (opened) on my mother's PC, and I want to think they can do nothing while in Avast's quarantine. But what about my rig? Again, question #2 from first post...

  5. #5
    Join Date
    Jul 2008
    Location
    Seattle, WA
    Posts
    17,037

    Default Re: Possible infection?!

    On Tue, 26 Aug 2014 02:06:02 +0000, F style wrote:

    > OK. But what if the two doc files were *actually* really infected by
    > some other application, website, or any other agent you can consider,
    > long ago and I never noticed? Not only executable or rar files, but also
    > doc files can become infected, can't they? I think there have been
    > cases...
    >
    > They were never executed (opened) on my mother's PC, and I want to think
    > they can do nothing while in Avast's quarantine. But what about my rig?
    > Again, question #2 from first post...


    In order to do anything malicious, virus code has to be executed.

    That's true for viruses that stay resident in memory or macro viruses
    (which is what you are describing).

    If the files aren't opened and macros aren't set to execute by default
    (which they *shouldn't* be IIRC), then no, your machine wouldn't be
    compromised.

    The existence of virus code on a system doesn't mean the system is
    infected. The execution of the code is what's necessary.

    I spent *years* doing my own brand of virus research - at one point, I
    had a collection of the things to test when I ran into weird network
    issues when I was in school, because some old-school viruses didn't
    handle network redirection very gracefully, and the result was weird
    behavior on the network.

    The one thing that's common about any program or bit of software that
    needs to do something is that it has to be run in order to do anything.
    If it isn't run, it won't do anything.

    Jim



    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  6. #6
    Join Date
    Nov 2009
    Location
    West Virginia Sector 13
    Posts
    15,580

    Default Re: Possible infection?!

    If you run Linux it can do you no harm. In Linux you can't run code with the owner permission and you are the owner.

    In the case of Word, Word allows execution of code embedded in it, thus it has been used as a vector for inserting code in WINDOWS systems. So yes, if the virus was real it could infect a Windows machine but not a Linux one.

    Even if the code would run in Linux and you gave it permission to run, unless you run as root you cannot damage the overall system. Some time back someone tried to run some common Windows viruses in wine.
    Here is an amusing link by someone who tried

    http://archive09.linux.com/feature/42031

  7. #7

    Default Re: Possible infection?!

    So, given I opened both doc files on my openSUSE system (again, as mentioned in first post),

    a) if they were infected for real (don't know, some malicious code that attached itself to both documents some remote time ago...), the openSUSE system wouldn't be harmed at all, and instead a Wine "iteration" -because I have Wine- would run?

    b) If no Wine iteration was run, then most likely both documents aren't that infected? Or not necessarily? (If answer is positive, then there would be no way to check whether a file is infected on a Linux rig without Wine nor an antivirus....)

    A while ago I was told here in the forums that viruses ran with Wine would only infect the used Wine prefix. Also, checked permissions for both doc files and they are 600.

  8. #8
    Join Date
    Nov 2013
    Location
    Kamloops, BC, Canada
    Posts
    3,974

    Default Re: Possible infection?!

    Quote Originally Posted by F_style View Post
    So, given I opened both doc files on my openSUSE system (again, as mentioned in first post),

    a) if they were infected for real (don't know, some malicious code that attached itself to both documents some remote time ago...), the openSUSE system wouldn't be harmed at all, and instead a Wine "iteration" -because I have Wine- would run?

    b) If no Wine iteration was run, then most likely both documents aren't that infected? Or not necessarily? (If answer is positive, then there would be no way to check whether a file is infected on a Linux rig without Wine nor an antivirus....)

    A while ago I was told here in the forums that viruses ran with Wine would only infect the used Wine prefix. Also, checked permissions for both doc files and they are 600.
    If there *was* a macro virus in the files, LibreOffice would not trigger them, only MS Office would.

    If opened on a Windows machine with MS Office, Avast would grab them and nuke them the moment the files were opened.
    -Gerry Makaro
    Fraser-Bell Info Tech
    Solving Tech Mysteries since the Olden Days!
    ~~
    If I helped you, consider clicking the Star at the bottom left of my post.
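Posts #5 and #8 both come down to the same thing: a macro virus in a Word file is VBA code that Word runs when the document is opened, so a .doc that merely quotes virus code as text has nothing that can execute, while one that carries a VBA project does. Question (b) in #7 asks how to tell the two apart without an antivirus. The check below is an added example, not code from the thread or from any scanner. It assumes only Python 3 and the standard library, and it relies on two facts about the formats: a legacy .doc is an OLE2 compound file whose VBA project is stored under directory entries named "Macros", "VBA" and "_VBA_PROJECT" (entry names are stored as UTF-16LE), and a .docx/.docm is a zip container in which macros live in the part "word/vbaProject.bin". The sample documents are constructed inside the example and are not the files from the thread; the OLE samples are stand-ins with the right header and entry names, not complete compound files.

```python
"""Offline macro triage for Word documents (added example; not from the thread).

Answers "does this document carry something Word could actually run?"
without an antivirus, by looking for the structures a VBA project leaves
behind.  It is a byte-level heuristic, not a full parser: a document whose
body text contains the word "Macros" in UTF-16 can match too, so a positive
should be confirmed with a real OLE parser (for instance olevba from
oletools) before drawing conclusions.  A negative, however, means no VBA
project is present and the file has no code for Word to execute.
"""
from __future__ import annotations

import io
import sys
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file header signature
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML containers are zip files

# Storage and stream names that make up a VBA project inside a legacy .doc.
OLE_VBA_NAMES = ("Macros", "VBA", "_VBA_PROJECT")


def vba_indicators(data: bytes) -> list[str]:
    """Return the VBA-related structures found in a document's raw bytes."""
    found: list[str] = []
    if data.startswith(OLE_MAGIC):
        # Directory entry names are UTF-16LE, so search for that encoding,
        # which also avoids matching the plain ASCII word in an 8-bit text run.
        for name in OLE_VBA_NAMES:
            if name.encode("utf-16-le") in data:
                found.append(f"ole-entry:{name}")
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith("vbaproject.bin"):
                        found.append(f"zip-part:{member}")
        except zipfile.BadZipFile:
            found.append("zip:corrupt")
    return found


def looks_like_macro_doc(data: bytes) -> bool:
    """True when the document carries a VBA project, i.e. code Word could run."""
    return any(i.startswith(("ole-entry:", "zip-part:")) for i in vba_indicators(data))


def _fake_ole(*entry_names: str) -> bytes:
    """Constructed stand-in for a compound file: the header magic, a blank
    rest-of-header, then the given entry names encoded as Word stores them.
    Not a valid CFB file, just enough for the byte-level check above."""
    body = b"".join(n.encode("utf-16-le") + b"\x00" * 8 for n in entry_names)
    return OLE_MAGIC + b"\x00" * 504 + body


def _fake_docx(with_macros: bool) -> bytes:
    """Constructed OOXML container with or without a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def demo() -> dict[str, bool]:
    """Constructed samples: notes that quote virus code as text versus real macro carriers."""
    samples = {
        # Plain notes: WordDocument and table streams only, no Macros storage.
        "notes.doc": _fake_ole("Root Entry", "WordDocument", "1Table"),
        # A document with a VBA project attached.
        "macro.doc": _fake_ole("Root Entry", "WordDocument", "Macros", "VBA", "_VBA_PROJECT"),
        "notes.docx": _fake_docx(with_macros=False),
        "macro.docm": _fake_docx(with_macros=True),
    }
    return {name: looks_like_macro_doc(data) for name, data in samples.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                ind = vba_indicators(fh.read())
            print(f"{path}: {'VBA project present: ' + ', '.join(ind) if ind else 'no VBA project'}")
    else:
        for name, flagged in demo().items():
            print(f"{name:11s} -> {'macros' if flagged else 'no macros'}")
```

Pass the two quarantined .doc files (or any document) as arguments to run the check on real input. A file that the byte-signature scanner flagged but that has no VBA project falls squarely into the "text, not code" case described in #2: there is nothing in it for Word, LibreOffice or Wine to execute.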

  9. #9
    Join Date
    Jun 2008
    Location
    The English Lake District. UK - GMT/BST
    Posts
    36,719
    Blog Entries
    20

    Default Re: Possible infection?!

    Stop worrying
    You are in no danger
    That has been made clear already
    Leap 15_KDE
    My Articles Was I any help? If yes: Click the star below

  10. #10

    Default Re: Possible infection?!

    Ok, thanks all again.

