/usr/sbin/tickeradj from SuSE 8.2 infected ?
Hello folks,

after applying the latest McAfee virusscan signature, I had to discover that VirusScan claimed /usr/sbin/tickeradj being infected with Linux/Rootkit-Dica.dam. Even the very latest signature 4399 came to the same result. So I tried to reinstall the xntp-package 4.1.1-261.i386.rpm with option --force. This, however, didn't improve the situation. After that I installed the xntp-package from SuSE 9.0 which seems to be clean.

I wonder if this is a false positive alert or if it is really infected. Has someone out there noticed the same behavior on his/her SuSE 8.2 machine?

Thank you very much
Rainer
Hello,
after applying the latest McAfee virusscan signature, I had to discover that VirusScan claimed
/usr/sbin/tickeradj
here I only have /usr/sbin/tickadj - is this the file you mean?
being infected with Linux/Rootkit-Dica.dam.
I scanned it with the actual signature of antivir and got no alert.

Greetings
Juergen
--
Juergen Porbadnigk Tel. +49 74 52/81 63 26 Steinbergstrasse 4 GSM +49 1 71/ 4 65 62 95 72202 Nagold
Hi Rainer,
On Friday, 15 October 2004 22:16, R. Schmidt wrote: [rootkit in file]
Has someone out there noticed the same behavior on his/her SuSE 8.2 machine?
I ran rkhunter and chkrootkit and both tell me that the file is clean. Possibly an error of your tool or an attack? Before overwriting the file, you should have calculated an md5 sum and the last edit date.
Thank you very much
Rainer
Regards Malte
R. Schmidt wrote:
Hello folks,
after applying the latest McAfee virusscan signature, I had to discover that VirusScan claimed
/usr/sbin/tickeradj
being infected with Linux/Rootkit-Dica.dam.
Even the very latest signature 4399 came to the same result.
So I tried to reinstall the xntp-package 4.1.1-261.i386.rpm with option --force.
This, however, didn't improve the situation. After that I installed the xntp-package from SuSE 9.0 which seems to be clean.
I wonder if this is a false positive alert or if it is really infected.
Has someone out there noticed the same behavior on his/her SuSE 8.2 machine?
I mean that you have infected your system by installing the McAfee virusscan:
http://slashdot.org/articles/01/11/28/173201.shtml
http://www.wired.com/news/print/0,1294,48648,00.html
http://www.heise.de/newsticker/meldung/23015
http://www.wedran.com/wicrosoft/
On Fri, Oct 15, 2004 at 10:16:42PM +0200, R. Schmidt wrote:
after applying the latest McAfee virusscan signature, I had to discover that VirusScan claimed
/usr/sbin/tickeradj
being infected with Linux/Rootkit-Dica.dam.
".dam" is a vendor-specific suffix used by McAfee to indicate a "damaged file" (a file that is damaged or corrupted by an infection).
I wonder if this is a false positive alert or if it is really infected.
So why don't you ask your av vendor first to get a qualified answer? Send the suspected file in a password-protected zip-archive (with password "infected") to virus_research@nai.com so they can analyse this file (and possibly correct their virus definitions). Further instructions can be found under http://vil.nai.com/vil/submit-sample.asp

If you can verify that the file in question is unmodified (in regard to the official suse version), I think it is most likely to be a false positive. But that is of course just a guess and no qualified answer :-)
--
Michel Messerschmidt lists@michel-messerschmidt.de antiVirusTestCenter, Computer Science, University of Hamburg
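The evidence Malte and Michel ask for (an md5 sum and last-modified time taken before the file is overwritten, then a check that it still matches the package's copy) can be collected with a few shell functions. This is an added example, not part of the thread; it assumes GNU coreutils (md5sum, stat) and only calls rpm when it is installed.

```shell
#!/bin/sh
# Record a baseline for a file flagged by a scanner, before reinstalling
# anything over it, and compare it with another copy or with the owning RPM.

# snapshot_file FILE -> prints "md5 size mtime_epoch path" on one line.
# Keep this output somewhere off the machine; it is the evidence you lose
# as soon as you run "rpm --force" over the file.
snapshot_file() {
    f="$1"
    sum=$(md5sum "$f" | cut -d' ' -f1)
    size=$(stat -c %s "$f")
    mtime=$(stat -c %Y "$f")
    printf '%s %s %s %s\n' "$sum" "$size" "$mtime" "$f"
}

# files_match A B -> exit status 0 if both files have the same MD5 sum.
# Use it to compare the suspect binary with the same file extracted from
# the original package (for example rpm2cpio xntp-4.1.1-261.i386.rpm | cpio -id).
files_match() {
    a=$(md5sum "$1" | cut -d' ' -f1)
    b=$(md5sum "$2" | cut -d' ' -f1)
    [ "$a" = "$b" ]
}

# verify_with_rpm FILE -> asks rpm which package owns FILE and verifies that
# package. Empty verify output means size, md5, mode, owner and mtime still
# match the package database; "S.5....T" style flags mean they do not.
# The rpm database itself can be tampered with, so treat this as one
# indicator, not proof; the offline package comparison above is stronger.
verify_with_rpm() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 2; }
    rpm -qf "$1" && rpm -Vf "$1"
}

# Usage on the machine from the thread (hypothetical paths):
#   snapshot_file /usr/sbin/tickadj >> /mnt/usb/baseline.txt
#   files_match /usr/sbin/tickadj ./usr/sbin/tickadj   # copy from rpm2cpio
#   verify_with_rpm /usr/sbin/tickadj
```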