Ubuntu: ClamAV PUA.Win32.Packer.PrivateExeProte-7



Question:

I ran ClamAV on my system and it reported two detections.

It reported PUA.Win32.Packer.PrivateExeProte-7 in:

/usr/lib/mono/4.0/mscorlib.dll
/usr/lib/mono/4.5/mscorlib.dll

It says Action taken: None, and I basically have the option to quarantine those files. Is this a virus, trojan or some other malware? I see that my installation of Ubuntu 14.04 has Mono installed (I would assume it was installed by default when I installed the system because I don't remember installing it myself). If this really is malware and I quarantine and remove these files would I break anything?

I also have Windows 7 installed along my Ubuntu 14.04 system and I use ClamAV to protect that system from possibly getting infected and because I wouldn't want to spread possible malware to someone else who uses a Windows OS. I don't have Wine installed.

I tried looking online on various forums but I find conflicting reports and opinions on what this is so that's why I'm asking this question here.


Solution:1

PUA means "Potentially Unwanted Application", so it's a fairly low priority alert anyway.

The rest of the definition suggests it has found a Windows binary format that is compressed in such a way that makes introspection difficult for antivirus applications. That makes it invaluable for malware authors because they can keep changing the signature on their malware to evade detection.

In this case, I think it's just symptomatic of how Mono is built and ClamAV being over-suspicious. I ran a copy of my mscorlib.dll files through VirusTotal and they came back clean. I suggest you do the same.


If this really is malware and I quarantine and remove these files would I break anything?

It'd break Mono but if it is infected, that wouldn't be awful. You'd just want to reinstall the Mono packages.
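A local check that complements the VirusTotal suggestion above, added here as an example and not part of the original answers: compare the flagged file with the MD5 that dpkg recorded when the owning package was installed. It assumes a Debian/Ubuntu host where dpkg keeps its per-package manifests under /var/lib/dpkg/info/<package>.md5sums; the demo part uses constructed files so it runs without Mono or dpkg present.

```shell
#!/bin/sh
# Added example, not code from the original answers. Checks whether a file
# ClamAV flagged still matches the MD5 that dpkg recorded when its package was
# installed. Assumption: a Debian/Ubuntu host where dpkg keeps per-package
# manifests at /var/lib/dpkg/info/<package>.md5sums (the standard location).

# verify_against_manifest MANIFEST FILE [ROOT]
#   MANIFEST: dpkg-style md5sums file, lines of "<md5>  <path relative to ROOT>"
#   Prints ok / MODIFIED / UNLISTED and returns 0 / 1 / 2.
verify_against_manifest() {
    manifest="$1"; file="$2"; root="${3:-/}"
    rel="${file#"$root"}"; rel="${rel#/}"          # path as the manifest spells it
    expected=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$manifest")
    if [ -z "$expected" ]; then
        echo "UNLISTED"; return 2                   # package never shipped this path
    fi
    actual=$(md5sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "ok"; return 0
    fi
    echo "MODIFIED"; return 1                       # content differs from what was installed
}

# check_dpkg_file FILE: find the owning package with dpkg -S, then verify it.
# "pkg:arch" names are kept intact because their manifest file is named that way too.
check_dpkg_file() {
    pkg=$(dpkg -S "$1" 2>/dev/null | grep -v '^diversion' | head -n 1 | sed 's/: .*$//')
    if [ -z "$pkg" ]; then
        echo "$1: not owned by any package"; return 2
    fi
    echo "$1 ($pkg): $(verify_against_manifest "/var/lib/dpkg/info/$pkg.md5sums" "$1" /)"
}

# Constructed demo so the logic can be exercised without Mono or dpkg present.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/lib/mono/4.0"
    printf 'constructed stand-in for mscorlib.dll\n' > "$d/usr/lib/mono/4.0/mscorlib.dll"
    sum=$(md5sum "$d/usr/lib/mono/4.0/mscorlib.dll" | awk '{ print $1 }')
    printf '%s  usr/lib/mono/4.0/mscorlib.dll\n' "$sum" > "$d/manifest"
    echo "fresh install: $(verify_against_manifest "$d/manifest" "$d/usr/lib/mono/4.0/mscorlib.dll" "$d")"
    printf 'appended bytes\n' >> "$d/usr/lib/mono/4.0/mscorlib.dll"
    echo "after tampering: $(verify_against_manifest "$d/manifest" "$d/usr/lib/mono/4.0/mscorlib.dll" "$d")"
    rm -rf "$d"
}

demo
```

On a real system, `check_dpkg_file /usr/lib/mono/4.0/mscorlib.dll` does the same comparison for the flagged path; debsums(1), if installed, does it package-wide. A match only shows the file is what the Ubuntu package shipped, which is the question here, not that the package itself is trustworthy.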


Solution:2

PUA.Win32.Packer and all of its variants (and there are bunches) are all suspect in my view. I just finished doing a full scan of my Windows 8.1 drive in Linux Mint 17.1 Cinnamon 64-bit OS using ClamTK (ClamAV GUI) and found almost 1000 instances of this in almost every filetype. I understand most feel this PUA is actually a false positive, which I can understand. But, when you find this "false positive" in just about every filetype you can imagine, you really need to be more than suspicious, I'd say. I can understand it possibly being in things like .dll, .exe and a few more, but why is it in a .pdf, or .mp4, and so many other filetypes of personally created files?

The reason I scanned this drive is because portions of Windows have been self-corrupting and even though I fix them using Windows refresh, they self-corrupt a short while later. I am a computer tech of over 25 years now and have run into just about everything you can imagine over the years. At the beginning of last year, my home system became infected through someone here downloading spoof emails and "believing" some pop-ups were legit and allowing them to run on networked computers. This was the start to what turned into an on-going battle, which is still not resolved.

It has come down to this. There are so many infected computers/servers and so much software that is open to security breaching, that just about every computer is compromised to some degree. Depending on the severity of the malware, unless some very bad or erratic indicators are exhibited, most everyone thinks their AV software is working and their computer is fine. Well, hate to say it, but they are not fine, not in any sense of the word. One of the very first things that happen with just about any good malware is compromising computer defenses and antivirus tools. Any software can be compromised, it just depends at what security level the malware is working under. Windows, because of its open structure, is just about indefensible once administration level security has been reached. There isn't any "protected file structure" that cannot be breached and taken over -- I do it all the time when I need to forcefully remove self-protected infected files.

Not saying all of this to scare you, but to inform you that you are most likely using an infected computer -- I know I am. So, the best thing I can say is, do not do online banking, ever. Do not presume what you type is private in any way. Make sure you only use credit cards that are fully protected against ANY fraud, online or otherwise. BTW, less than 5 months back, my credit card was compromised in about a 2 week period to over $8,000. Got it all back, but don't know how much loss the credit card companies are going to take before they quit doing these payouts.

So, just because most people think these PUAs are not really there (which is simply silly, they are for certain there, even if not being used maliciously) or don't want to believe they are "really" harmful, don't be too quick to believe them. Be smart and try to be as safe as you are able. You are being watched -- without doubt, by someone.

-Rodger
