Possible infection?!

If this isn’t the right sub-forum to discuss this kind of thing, please move, because otherwise I have no idea about where it should be.

Story (needed):
I was scanning my mother’s PC (it has Windows 7 64-bit with Avast Free antivirus), and among very few infections it detected two MS Word .doc files as infected. They were moved to quarantine. I happen to have the same files on my openSUSE laptop, since they are old notes from school (a few years old, from a Computing class…). I couldn’t believe what Avast said (in kind of a rage…) and I opened both files on my openSUSE laptop; they opened normally, just with LibreOffice. In these doc files I observed that there are some virus code examples (it was a class about security, seeing what some viruses would look like).

  1. This first one may be a bit offtopic, but if a doc or text file contains written malicious code in it, is it normally detected by antiviruses?

  2. If both doc files were indeed infected, are there consequences on my openSUSE installation?
    Could my system have been infected some way? Would any USB sticks or removable disks I plugged also get infected?
    Could Windows partitions (because I have dual-boot) also go bad? (Though I’d like to think they wouldn’t, because they’re automatically mounted as directories, but read-only by default.)

I’ve been told before that Linux distros shouldn’t get infected by Windows viruses, but so many things have happened to me that I became unsure about everything, valid or not…

Thanks beforehand.

On 2014-08-26 01:56, F style wrote:
>
> If this isn’t the right sub-forum to discuss this kind of thing, please
> move, because otherwise I have no idea about where it should be.
>
> Story (needed):
> I was scanning my mother’s PC (has Windows 7 64 bit with Avast Free
> antivirus), and among very few infections it detected two MS Word -.doc-
> files as infected. Were moved to quarantine. I happen to have the same
> files on my openSUSE laptop since they are old notes from school (some
> few years old, from a Computing class…). I couldn’t believe what Avast
> said (in kind of a rage…) and I opened both files on my openSUSE
> laptop; they opened normally, just with LibreOffice. In these doc files I
> observed that there are some virus code examples (it was a class about
> security, seeing what some viruses would look like).

Ah. LOL. X’-)

> 1. This first one may be a bit offtopic, but if a doc or text file
> contains written malicious code in it, is it normally detected by
> antiviruses?

Mmmm… let’s say for the moment that it is detected, yes.

> 2. If both doc files were indeed infected, are there consequences on my
> openSUSE installation?

Wait. The files were NOT infected. And no, there are no consequences for
your openSUSE - not even for your mother’s Windows machine. That’s a
“false positive” if ever there was one.

You simply have some TEXT files containing samples, in TEXT, of
malicious code. But it is not CODE, it is TEXT. It is absolutely safe in
any half serious operating system. Unless some human converts back
that text to code and runs it.

The antivirus simply detects that there is a chain of bytes in a file,
which it compares to a database of known viruses that it detects
precisely by finding that string of bytes.

And the trigger “string” can be a string of text in the virus where its
programmer wrote “Hello, I’m very bad guy, and I’m gonna f%& your disk”.
If you happen to write an email to a friend with the string “Hello, I’m
very bad guy, and I’m gonna f%& your disk”, it will trigger antivirus
detectors on the way, and perhaps never reach your friend - even though
you simply wrote some TEXT, that chanced to be the same one that a virus
programmer once wrote, perhaps two decades ago. Even if the malicious
code is not present anywhere.

So… RELAX.

And, even if the full “code” of the virus is included inside your school
document, say, as a hex dump, it is absolutely safe there, no matter
what a dumb antivirus says. Unless you pick that “code” in there and
actually write a program to load and run it - you, a human.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On 2014-08-26 02:48, Carlos E. R. wrote:

> And the trigger “string” can be a string of text in the virus where its
> programmer wrote “Hello, I’m very bad guy, and I’m gonna f%& your disk”.
> If you happen to write an email to a friend with the string “Hello, I’m
> very bad guy, and I’m gonna f%& your disk”, it will trigger antivirus
> detectors on the way, and perhaps never reach your friend - even though
> you simply wrote some TEXT, that chanced to be the same one that a virus
> programmer once wrote, perhaps two decades ago. Even if the malicious
> code is not present anywhere.
>
> So… RELAX.

Look.

Write a text file with exactly this line:


X5O!P%@AP4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

No line end. Save it, then scan it… it should trigger an alarm. But it
is absolutely safe, it is a “safe virus”, industry standard, used to
test antivirus detectors.


cer@Telcontar:~> clamscan EICAR_test_file.txt
EICAR_test_file.txt: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3513034
Engine version: 0.98.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 5.702 sec (0 m 5 s)
cer@Telcontar:~>
cer@Telcontar:~> file EICAR_test_file.txt
EICAR_test_file.txt: EICAR virus test files
cer@Telcontar:~>

You see, Linux tools know about this special file.

It is even possible that some people can not read this post - LOL.

More info:

http://en.wikipedia.org/wiki/EICAR_test_file

Ah, if you change the word “STANDARD” in the “virus” to “STANDING”,
the “virus” is not detected by clamav - even though the virus CODE is
exactly the same. If it were a real virus, it could do damage, and go
undetected.

One of the links hanging from the wikipedia article above explains this
“trick”.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
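The signature matching Carlos describes (a byte string taken from a known sample, plus the STANDARD/STANDING trick), as an added example that is not part of the original thread. Only the EICAR string itself comes from the thread; the second signature, its name `Hypothetical.TextString`, and the file names and contents in `demo()` are constructed for illustration.

```python
"""Toy byte-signature scanner (illustration only, not code from the thread).

It shows why a document that merely contains the text of a known sample
trips a signature-based antivirus, and why changing one word in the
"virus" defeats the same signature. Only the EICAR string is real; the
signature table and the sample files are constructed.
"""
from __future__ import annotations

from pathlib import Path

# The industry-standard EICAR test string, exactly as in the thread.
EICAR = b"X5O!P%@AP4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature database: name -> byte pattern. The second entry is
# hypothetical and mimics the "trigger string" idea from the thread: a text
# fragment lifted from a virus body, not the virus code itself.
SIGNATURES: dict[str, bytes] = {
    "Eicar-Test-Signature": EICAR,
    "Hypothetical.TextString": b"I'm gonna f%& your disk",
}


def scan_bytes(data: bytes) -> list[str]:
    """Return the names of all signatures whose pattern occurs in data.

    This is the whole of a naive signature engine: a substring search.
    File type, whether the bytes are executable, and whether they could
    ever run are not considered, which is exactly why a .doc that quotes
    sample virus code as text can be flagged.
    """
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan_file(path: Path) -> list[str]:
    """Scan a file on disk with the same naive engine."""
    return scan_bytes(path.read_bytes())


def demo() -> dict[str, list[str]]:
    """Scan a few constructed in-memory 'files'; returns {name: hits}."""
    samples = {
        # A text file holding only the EICAR string, no newline.
        "EICAR_test_file.txt": EICAR,
        # "Class notes" quoting a virus sample as text inside prose.
        "notes.txt": b"Lecture 4: this is what a virus looks like:\n" + EICAR + b"\n",
        # An innocent e-mail that happens to contain the trigger text.
        "mail.txt": b"Hello, I'm very bad guy, and I'm gonna f%& your disk (joke!)\n",
        # The thread's trick: STANDARD -> STANDING. Same "code", no match.
        "evaded.txt": EICAR.replace(b"STANDARD", b"STANDING"),
    }
    return {name: scan_bytes(content) for name, content in samples.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {', '.join(hits) if hits else 'OK'}")
```

The last sample is the point of Carlos's remark: a one-word change leaves the "payload" untouched but removes the only thing the engine was looking for, which is why a pure signature match says nothing about whether the bytes could do harm.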

OK. But what if the two doc files were actually really infected by some other application, website, or any other agent you can consider, long ago and I never noticed? Not only executable or rar files, but also doc files can become infected, can’t they? I think there have been cases…

They were never executed (opened) on my mother’s PC, and I want to think they can do nothing while in Avast’s quarantine. But what about my rig? Again, question #2 from first post…

On Tue, 26 Aug 2014 02:06:02 +0000, F style wrote:

> OK. But what if the two doc files were actually really infected by
> some other application, website, or any other agent you can consider,
> long ago and I never noticed? Not only executable or rar files, but also
> doc files can become infected, can’t they? I think there have been
> cases…
>
> They were never executed (opened) on my mother’s PC, and I want to think
> they can do nothing while in Avast’s quarantine. But what about my rig?
> Again, question #2 from first post…

In order to do anything malicious, virus code has to be executed.

That’s true for viruses that stay resident in memory or macro viruses
(which is what you are describing).

If the files aren’t opened and macros aren’t set to execute by default
(which they shouldn’t be IIRC), then no, your machine wouldn’t be
compromised.

The existence of virus code on a system doesn’t mean the system is
infected. The execution of the code is what’s necessary.

I spent years doing my own brand of virus research - at one point, I
had a collection of the things to test when I ran into weird network
issues when I was in school, because some old-school viruses didn’t
handle network redirection very gracefully, and the result was weird
behavior on the network.

The one thing that’s common about any program or bit of software that
needs to do something is that it has to be run in order to do anything.
If it isn’t run, it won’t do anything.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

If you run Linux it can do you no harm. In Linux you can’t run code with the owner permission and you are the owner.

In the case of Word. Word allows execution of code embedded in it thus has been used as a vector for inserting code in WINDOWS systems. So yes if the virus was real it could infect a Windows machine but not a Linux.

Even if the code would run in Linux and you gave it permission to run, unless you run as root you cannot damage the overall system. Some time back someone tried to run some common Windows viruses in Wine.
Here is an amusing link by someone who tried

http://archive09.linux.com/feature/42031

So, given I opened both doc files on my openSUSE system (again, as mentioned in first post),

a) if they were infected for real (don’t know, some malicious code that attached itself to both documents some remote time ago…), the openSUSE system wouldn’t be harmed at all, and instead a Wine “iteration” -because I have Wine- would run?

b) If no Wine iteration was run, then most likely both documents aren’t that infected? Or not necessarily? (If the answer is positive, then there would be no way to check whether a file is infected on a Linux rig without Wine or an antivirus…)

A while ago I was told here in the forums that viruses ran with Wine would only infect the used Wine prefix. Also, checked permissions for both doc files and they are 600.

If there was a macro virus in the files, LibreOffice would not trigger them, only MS Office would.

If opened on a Windows machine with MS Office, Avast would grab them and nuke them the moment the files were opened.

Stop worrying
You are in no danger
That has been made clear already

Ok, thanks all again.

On 2014-08-26 04:26, gogalthorp wrote:
>
> If you run Linux it can do you no harm. In Linux you can’t run code with
> the owner permission and you are the owner.
>
> In the case of Word. Word allows execution of code embedded in it thus
> has been used as a vector for inserting code in WINDOWS systems. So yes
> if the virus was real it could infect a Windows machine but not a Linux.

Again, no.

A real and dangerous virus in the text of the document does nothing.
Not in Windows, not in Linux.

A macro virus, living inside a macro in an *office document, can do
damage, as a macro is executable, and may execute automatically,
depending on the settings. It is also conceivable that they work both in
Linux and Windows, depending on the application.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On 2014-08-26 05:56, Fraser Bell wrote:

> If opened on a Windows machine with MS Office, Avast would grab them and
> nuke them the moment the files were opened.

If the virus is known. :-)

On the other hand, MS Office has, I believe, settings to not
automatically run macros if not certified, or some other adjustable
security setting. I don’t remember what the default setting is.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Just when mr Caf had come to calm things down…

So ok, there are virus examples written in the docs indeed. Avast said they were infected by a virus/malware whose name I don’t remember, but I think it was Windows related. Both docs have permissions set to 600.

So will I never know if Avast detected them because of the text content, or because they were really infected by another old virus, or both? What do I do if I’m actually infected on my Linux machine?
If an MS Word file came with macros or other executable content, would LibreOffice detect them somehow? Because when I opened both files there didn’t seem to be any macros nor any other kind of content aside from just text.

Or should I finally upload here both files?

On 2014-08-26 17:46, F style wrote:
>
> Just when mr Caf had come to calm things down…
>
> So ok, there are virus examples written in the docs indeed. Avast said
> they were infected by a virus/malware whose name I don’t remember,
> but I think it was Windows related. Both docs have permissions set to
> 600.

Yes, and that’s a false positive.

> So will I never know if Avast detected them because of the text content,
> or because they were really infected by another old virus, or both
> cases? What do I do if I’m actually infected on Linux machine?
> If a MS Word file came with macros or other executable content, would
> LibreOffice detect them somewhat? Because when I opened both files there
> didn’t seem to be any macros nor other kind of content aside from just
> text.

Well, LibreOffice doesn’t by default run macros found in files. And
LibreOffice has its own macro/script language: I believe it can not run
macros found in old .doc files (I think those used some kind of
Visual Basic, but I’m unsure).

So no, you are safe in Linux for both reasons.

If it is able to read and understand the macros, I think it tells you
about that in a pop-up, saying whether it will run or ignore them, and
how to change that behavior.

And if the document has macros, there is a menu to list and open those
macros (“open” ≠ “run”). Similarly, MS Office can list/edit/etc them, so
you can find if there are macros.

> Or should I finally upload here both files?

Nope :-)


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
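Carlos's last point, that you can find out whether a document carries macros by listing them rather than running them, can also be done by looking at the file itself. The following is an added example, not code from the thread or from LibreOffice: a triage heuristic that checks whether a file is a legacy OLE .doc or a zip-based .docx/.docm and then searches the raw bytes for the directory names Word uses for a VBA project (`Macros`, `VBA`, `_VBA_PROJECT` stored as UTF-16LE in an OLE directory, `word/vbaProject.bin` as a zip member name). It goes slightly beyond the thread by covering the zip-based formats too. The sample "files" are constructed byte strings, not real documents, and the function names are my own; a real parser such as oletools' `olevba`, or the application's own macro list, is the thing to confirm with.

```python
"""Heuristic macro-presence check for Word documents (illustration only).

Not a parser: it checks the container magic, then does a substring search
for the names Word uses for a VBA project. Use it for triage and confirm
with a real tool (oletools' olevba) or the application's macro list.
All sample inputs below are constructed, not real documents.
"""
from __future__ import annotations

from pathlib import Path

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file header (.doc)
ZIP_MAGIC = b"PK\x03\x04"                          # zip container (.docx/.docm)

# Storage/stream names Word uses for a VBA project. An OLE directory stores
# names as UTF-16LE, so that is the byte form searched for here.
OLE_MACRO_NAMES = {
    "Macros": "Macros".encode("utf-16-le"),
    "VBA": "VBA".encode("utf-16-le"),
    "_VBA_PROJECT": "_VBA_PROJECT".encode("utf-16-le"),
}
# In the zip-based formats the VBA project is an ordinary zip member.
OOXML_MACRO_NAME = b"word/vbaProject.bin"


def classify(data: bytes) -> str:
    """'ole' for a legacy .doc, 'ooxml' for .docx/.docm, else 'other'."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "other"


def macro_indicators(data: bytes) -> list[str]:
    """Names that indicate a VBA project, or [] if none are found.

    [] means "no obvious VBA project", not "no macros": a damaged or
    deliberately unusual file can hide a project from a substring search,
    and an unlucky UTF-16 string can produce a false hit. Plain text that
    merely talks about VBA (like class notes) is never flagged, because
    nothing in a plain text file is a macro the application would run.
    """
    kind = classify(data)
    if kind == "ole":
        return [name for name, raw in OLE_MACRO_NAMES.items() if raw in data]
    if kind == "ooxml":
        return ["vbaProject.bin"] if OOXML_MACRO_NAME in data else []
    return []


def check_file(path: Path) -> tuple[str, list[str]]:
    """Classify a file on disk and list its macro indicators."""
    data = path.read_bytes()
    return classify(data), macro_indicators(data)


def _ole_like(*names: str) -> bytes:
    """Constructed stand-in for an OLE file: header, padding, directory names."""
    body = b"".join(n.encode("utf-16-le") + b"\x00" * 16 for n in names)
    return OLE_MAGIC + b"\x00" * 504 + body


# Constructed samples (not real documents), keyed by an illustrative name.
SAMPLES = {
    "notes_plain.doc": _ole_like("Root Entry", "WordDocument", "1Table"),
    "notes_with_macro.doc": _ole_like("Root Entry", "WordDocument", "Macros", "VBA"),
    "notes.docm": ZIP_MAGIC + b"\x00" * 26 + OOXML_MACRO_NAME + b"...",
    "notes.txt": b"Class notes: a macro virus is VBA code inside a Word file.\n",
}


def demo() -> dict[str, tuple[str, list[str]]]:
    """Run the check over the constructed samples; returns {name: (kind, hits)}."""
    return {name: (classify(d), macro_indicators(d)) for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, (kind, hits) in demo().items():
        print(f"{name}: {kind}, macro indicators: {hits or 'none'}")
```

The text file case is the one that matters for this thread: notes that describe or quote virus code contain no VBA project, so the heuristic reports nothing, which is consistent with what LibreOffice showed when the files were opened.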