Issue with win32 library and other injected stuff (security issue?)

Hi Forum

Yesterday I did an overeager clamav scan (

sudo clamscan / -r -i -z --bytecode yes --bytecode-unsigned yes --detect-pua yes --phishing-sigs yes --phishing-scan-urls yes --heuristic-scan-precedence yes --phishing-ssl yes --phishing-cloak yes --partition-intersection yes --algorithmic-detection yes --scan-archive yes --exclude-dir=/proc --exclude-dir=/sys/module/ --log=FILE

) and found a few things.
/home/krzysztof/.cache/mozilla/firefox/h8al7xyp.default/cache2/entries/42E38E2B8FD6EE4BD798A98EEAA770A1686D96D3: PUA.Script.Packed-2 FOUND
/home/krzysztof/.cache/mozilla/firefox/h8al7xyp.default/cache2/entries/806287B37C7891615515A2574CEE29C169300CCB: PUA.Script.Packed-1 FOUND
/home/krzysztof/.cache/mozilla/firefox/h8al7xyp.default/cache2/entries/806287B37C7891615515A2574CEE29C169300CCB: PUA.Script.Packed-1 FOUND
/home/krzysztof/.cache/mozilla/firefox/h8al7xyp.default/cache2/entries/806287B37C7891615515A2574CEE29C169300CCB: PUA.Script.Packed-1 FOUND
/home/krzysztof/.cache/mozilla/firefox/h8al7xyp.default/cache2/entries/806287B37C7891615515A2574CEE29C169300CCB: PUA.Script.Packed-1 FOUND
/home/krzysztof/.cache/mozilla/firefox/h8al7xyp.default/cache2/entries/806287B37C7891615515A2574CEE29C169300CCB: PUA.Script.Packed-1 FOUND
/home/krzysztof/.cache/mozilla/firefox/h8al7xyp.default/cache2/entries/806287B37C7891615515A2574CEE29C169300CCB: PUA.Script.Packed-1 FOUND
/usr/share/doc/packages/libgphoto2/libgphoto2-api.html/jquery.js: PUA.HTML.Exploit.CVE_2014_0322 FOUND
/usr/share/texmf/doc/latex/movie15/overlay-example.pdf: PUA.Script.PDF.EmbeddedJS-1 FOUND
/usr/share/texmf/doc/latex/movie15/overlay-example.pdf: PUA.Script.PDF.EmbeddedJS-1 FOUND
/usr/share/texmf/doc/latex/movie15/overlay-example.pdf: PUA.Script.PDF.EmbeddedJS-1 FOUND
/usr/share/texmf/doc/latex/movie15/overlay-example.pdf: PUA.Script.PDF.EmbeddedJS-1 FOUND
/usr/share/texmf/doc/latex/movie15/overlay-example.pdf: PUA.Script.PDF.EmbeddedJS-1 FOUND
/usr/share/texmf/doc/latex/movie15/overlay-example.pdf: PUA.Script.PDF.EmbeddedJS-1 FOUND
/usr/share/texmf/doc/latex/movie15/overlay-example.pdf: PUA.Script.PDF.EmbeddedJS-1 FOUND
/usr/share/texmf/doc/latex/movie15/overlay-example.pdf: PUA.Script.PDF.EmbeddedJS-1 FOUND
/usr/share/texmf/doc/latex/movie15/overlay-example.pdf: PUA.Script.PDF.EmbeddedJS-1 FOUND
/usr/share/texmf/doc/latex/visualfaq/troubleshoot-vlf.pdf: PUA.Script.PDF.EmbeddedJS-1 FOUND
/usr/lib/win32/VFCodec.dll: PUA.Win32.Packer.BorlandDelphi-13 FOUND
/usr/lib/win32/VFCodec.dll: PUA.Win32.Packer.BorlandDelphi-1 FOUND
/usr/lib/win32/atrac3.acm: PUA.Win32.Packer.BorlandDelphi-18 FOUND
/usr/lib/win32/msh261.drv: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/msh261.drv: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/i263_32.drv: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/i263_32.drv: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/drv23260.dll: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/drv23260.dll: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/vsslight.dll: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/psiv.dll: PUA.Win32.Packer.Starforce-1 FOUND
/usr/lib/win32/ctadp32.acm: PUA.Win32.Packer.NspackDotnetNor FOUND
/usr/lib/win32/ctadp32.acm: PUA.Win32.Packer.NspackDotnetNor-1 FOUND
/usr/lib/win32/cinevfw.dll: PUA.Win32.Packer.Ep-6 FOUND
/usr/lib/win32/cinevfw.dll: PUA.Win32.Packer.Embedpe-2 FOUND
/usr/lib/win32/cinevfw.dll: PUA.Win32.Packer.Armadillo-42 FOUND
/usr/lib/win32/ivvideo.dll: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/ivvideo.dll: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/ivvideo.dll: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/ivvideo.dll: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/ivvideo.dll: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/ivvideo.dll: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/ivvideo.dll: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/ivvideo.dll: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/ivvideo.dll: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/vsswlt.dll: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/vsswlt.dll: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/vsswlt.dll: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/vsswlt.dll: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/vsswlt.dll: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/vsswlt.dll: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/wmvadvd.dll: PUA.Win32.Packer.Msvcpp FOUND
/usr/lib/win32/mcdvd_32.dll: PUA.Win32.Packer.BorlandDelphi-18 FOUND
/usr/lib/win32/m3jpegdec.ax: PUA.Win32.Packer.NspackDotnetNor FOUND
/usr/lib/win32/m3jpegdec.ax: PUA.Win32.Packer.NspackDotnetNor-1 FOUND
/usr/lib/win32/rt32dcmp.dll: PUA.Win32.Packer.Rpolycryptor FOUND
/usr/lib/win32/rt32dcmp.dll: PUA.Win32.Packer.Rpolycryptor FOUND
/usr/lib/win32/TRICDC32.DRV: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/vorbis.acm: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/vorbis.acm: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/WCMV.dll: PUA.Win32.Packer.SetupExeSection FOUND
/usr/lib/win32/ViVD2.dll: PUA.Win32.Packer.Upx-57 FOUND
/usr/lib/win32/ViVD2.dll: PUA.Win32.Packer.Upx-46 FOUND
/usr/lib/win32/ViVD2.dll: PUA.Win32.Packer.Upx-53 FOUND
/usr/lib/win32/ViVD2.dll: PUA.Win32.Packer.Upolyx-12 FOUND
/usr/lib/win32/tssoft32.acm: PUA.Win32.Packer.SetupExeSection FOUND
/usr/lib/win32/wms10dmod.dll: PUA.Win32.Packer.Msvcpp FOUND
/usr/lib/win32/vp7vfw.dll: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/LCodcCMP.dll: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/usr/lib/win32/wmsdmod.dll: PUA.Win32.Packer.Msvcpp FOUND
The first thing is: is any one of these things dangerous? The second thing is, if possible (and asking as nicely as I could), please scan every Windows software with nod32. This may prevent future exploits, and additional overhead for Windows exploits is not needed. If this is a non-issue, please let me know; I would be glad for your comments and opinions. Thank you for your time.
Chris

Clam is meant for the most part to look for Windows viruses. Scanning your system is bound to create false positives.

Most will use clam to scan email and such to protect against sending on nasties that might harm a Windows user.

The Firefox and PDF files may be of interest if you pass them on to a Windows user. Maybe you have been surfing questionable sites??? It is all in cache anyway.

The DLLs and other Windows-based files, well??? Linux does not use DLLs, but I guess wine might, but the location seems odd, since last I used it wine was all in my home, not at a system location. So where did /usr/lib/win32 come from??

Linux is safe from all this nonsense, but if you gave or moved those files to a Windows machine there may be a problem.

I am very sorry; to clarify, I am using openSUSE 13.1 32-bit GNOME edition (i686, Athlon 3000+, 1 GB memory, Radeon 4650 and an Asus motherboard) and a lot of codecs like ffmpeg, gstreamer (all bundles) and vlc stuff, and in my (badly informed) opinion it comes from proprietary decoding stuff or some mono stuff unfamiliar to me. But if it is nothing to worry about, thank you for your attention and time.
Sincerely
Chris

Most of the stuff mentioned is located in /usr/lib/win32, those are the ancient Windows codecs from the package “w32codec-all”.
I would recommend you to just uninstall this package, as it is not needed nor used at all nowadays. ffmpeg is able to decode most things itself now.

This would leave some stuff in your Firefox browser cache (which you can clean), and the following files:

/usr/share/doc/packages/libgphoto2/libgphoto2-api.html/jquery.js: PUA.HTML.Exploit.CVE_2014_0322 FOUND
/usr/share/texmf/doc/latex/movie15/overlay-example.pdf: PUA.Script.PDF.EmbeddedJS-1 FOUND
/usr/share/texmf/doc/latex/visualfaq/troubleshoot-vlf.pdf: PUA.Script.PDF.EmbeddedJS-1 FOUND

IMHO you can just ignore those. They are either false positives, or harmless for your Linux system anyway (or both).
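A way to triage a log like the one in this thread, as an added example that is not part of the original posts: it collapses the repeated lines per file and sorts hits into buckets by path and signature name. The bucket names, the sample paths and the last signature name are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's log format; the last signature name is invented.
SAMPLE_LOG = """\
/home/user/.cache/mozilla/firefox/abc.default/cache2/entries/0001: PUA.Script.Packed-1 FOUND
/home/user/.cache/mozilla/firefox/abc.default/cache2/entries/0001: PUA.Script.Packed-1 FOUND
/usr/lib/win32/ViVD2.dll: PUA.Win32.Packer.Upx-57 FOUND
/usr/lib/win32/ViVD2.dll: PUA.Win32.Packer.Upx-46 FOUND
/usr/lib/win32/cinevfw.dll: PUA.Win32.Packer.Armadillo-42 FOUND
/usr/share/texmf/doc/latex/movie15/overlay-example.pdf: PUA.Script.PDF.EmbeddedJS-1 FOUND
/tmp/sample.bin: Constructed.Test.Signature-1 FOUND
----------- SCAN SUMMARY -----------
"""

# clamscan -i prints "<path>: <signature> FOUND"; the greedy path part
# tolerates ": " inside a file name.
HIT_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

def parse_hits(log):
    """Return {path: set(signatures)}, collapsing repeated lines for one file."""
    hits = defaultdict(set)
    for line in log.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits[m.group("path")].add(m.group("sig"))
    return dict(hits)

def bucket(path, sigs):
    """Assign one triage bucket (hypothetical names) to a file."""
    if any(not s.startswith("PUA.") for s in sigs):
        return "review"          # a non-PUA signature: look at this file first
    if "/.cache/" in path:
        return "browser-cache"   # transient content, gone once the cache is cleared
    if all(s.startswith("PUA.Win32.Packer.") for s in sigs):
        return "packer-only"     # only reports that the PE file is packed/protected
    return "pua-other"           # e.g. JavaScript embedded in a PDF

def triage(log):
    """Group deduplicated hits into buckets, each a sorted list of paths."""
    out = defaultdict(list)
    for path, sigs in sorted(parse_hits(log).items()):
        out[bucket(path, sigs)].append(path)
    return dict(out)

if __name__ == "__main__":
    for name, paths in triage(SAMPLE_LOG).items():
        print(f"{name}: {paths}")
```

For files under /usr in the packer-only and pua-other buckets, `rpm -qf <path>` on the affected system names the owning package.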

Most of that is informational. I even think you didn’t find any virus. In Firefox’s cache clam found PUPs (Potentially Unwanted Programs), probably ads, as the internet is full of them. It found JavaScript in a few PDF files; now, this is normal. Regarding the win32 codecs, clamav only stated that they are compressed; most likely the rpm author used UPX to squeeze a few bytes. BTW, where or how did you install those Windows codecs? A few years ago Xine needed Windows DLLs for decoding some proprietary formats, but ffmpeg has full support for almost any media out there, even types that Windows doesn’t support. Those DLLs are more or less pointless; you can remove them or keep them. I haven’t used Xine/kaffeine in a long time; I use vlc/smplayer and they don’t use any Windows binaries.

Xine/kaffeine doesn’t use them either. You’d have to manually force it to AFAIK.
But as I already wrote as well, there’s absolutely no need for them any more.

I don’t have them installed at all since I switched to 64bit 6 years ago (as they are 32bit, they won’t work with 64bit players anyway). I haven’t encountered a single video I couldn’t play in that time…

One more time, thank you for your attention and time.
Sincerely
Chris