AVG/Linux reports Win32/PolyCrypt virus in my Ubuntu filesystem

Asked by miguelangeldavila

This afternoon I ran AVG antivirus (only to see how the program works) and received a report of 59 files infected by the Win32/PolyCrypt virus. Then I installed ClamAV, but that antivirus does not report any infection.

Could it be a false positive, or a FUD strategy from Grisoft to promote its antivirus?

The AVG log is the following:

AVG7 Anti-Virus command line scanner
Copyright (c) 2007 GRISOFT, s.r.o.
Program version 7.5.47, engine 442
Virus Database: Version 269.11.10/943 2007-08-08
License type is FREE.
"/lib/libevms-2.5.so.0" Virus found Win32/PolyCrypt
"/lib/libevms-2.5.so.0.5" Virus found Win32/PolyCrypt
"/lib/evms/2.5.5/md-1.1.20.so" Virus found Win32/PolyCrypt
"/lib/" Cannot open; not checked! Resource temporarily unavailable
"/opt/datastudio-4.5.2/jre/lib/i386/libjdwp.so" Virus found Win32/PolyCrypt
"/usr/bin/as" Virus found Win32/PolyCrypt
"/usr/bin/evolution" Virus found Win32/PolyCrypt
"/usr/bin/evolution-2.10" Virus found Win32/PolyCrypt
"/usr/bin/evolution-2.2" Virus found Win32/PolyCrypt
"/usr/bin/gdbserver" Virus found Win32/PolyCrypt
"/usr/bin/gencat" Virus found Win32/PolyCrypt
"/usr/bin/gnome-session" Virus found Win32/PolyCrypt
"/usr/bin/gnome-system-monitor" Virus found Win32/PolyCrypt
"/usr/bin/gurlchecker" Virus found Win32/PolyCrypt
"/usr/bin/mawk" Virus found Win32/PolyCrypt
"/usr/bin/msgunfmt" Virus found Win32/PolyCrypt
"/usr/bin/x-session-manager" Virus found Win32/PolyCrypt
"/usr/games/gnotravex" Virus found Win32/PolyCrypt
"/usr/lib/libgettextsrc-0.16.1.so" Virus found Win32/PolyCrypt
"/usr/lib/libgettextsrc.so" Virus found Win32/PolyCrypt
"/usr/lib/libneon.so.25" Virus found Win32/PolyCrypt
"/usr/lib/libneon.so.25.0.5" Virus found Win32/PolyCrypt
"/usr/lib/libneon.so.26" Virus found Win32/PolyCrypt
"/usr/lib/libneon.so.26.0.3" Virus found Win32/PolyCrypt
"/usr/lib/libportaudio.so.0" Virus found Win32/PolyCrypt
"/usr/lib/libportaudio.so.0.0.18" Virus found Win32/PolyCrypt
"/usr/lib/libsvn_repos-1.so.1" Virus found Win32/PolyCrypt
"/usr/lib/libsvn_repos-1.so.1.0.0" Virus found Win32/PolyCrypt
"/usr/lib/libuniquewm-0.9.so.25" Virus found Win32/PolyCrypt
"/usr/lib/libuniquewm-0.9.so.25.0.0" Virus found Win32/PolyCrypt
"/usr/lib/libuniquewm.so" Virus found Win32/PolyCrypt
"/usr/lib/gnome-applets/cpufreq-applet" Virus found Win32/PolyCrypt
"/usr/lib/gnome-pilot/conduits/libmal_conduit.so" Virus found Win32/PolyCrypt
"/usr/lib/gnome-vfs-2.0/modules/libhttp.so" Virus found Win32/PolyCrypt
"/usr/lib/gstreamer-0.10/libpitfdll.so" Virus found Win32/PolyCrypt
"/usr/lib/gtk-2.0/2.10.0/engines/libsmooth.so" Virus found Win32/PolyCrypt
"/usr/lib/httrack/htsserver" Virus found Win32/PolyCrypt
"/usr/lib/jvm/java-1.5.0-sun-1.5.0.11/jre/lib/i386/libjdwp.so" Virus found Win32/PolyCrypt
"/usr/lib/jvm/jre1.6.0/lib/i386/libjdwp.so" Virus found Win32/PolyCrypt
"/usr/lib/openoffice/program/configimport.bin" Virus found Win32/PolyCrypt
"/usr/lib/openoffice/program/dlgprov680li.uno.so" Virus found Win32/PolyCrypt
"/usr/lib/openoffice/program/gconfbe1.uno.so" Virus found Win32/PolyCrypt
"/usr/lib/openoffice/program/libdbpool2.so" Virus found Win32/PolyCrypt
"/usr/lib/openoffice/program/libgcc3_uno.so" Virus found Win32/PolyCrypt
"/usr/lib/openoffice/program/libjava_uno" Virus found Win32/PolyCrypt
"/usr/lib/openoffice/program/libjava_uno.so" Virus found Win32/PolyCrypt
"/usr/lib/openoffice/program/liburp_uno.so" Virus found Win32/PolyCrypt
"/usr/lib/openoffice/program/libxsltfilter680li.so" Virus found Win32/PolyCrypt
"/usr/lib/openoffice/program/proxyfac.uno.so" Virus found Win32/PolyCrypt
"/usr/lib/openoffice/program/servicemgr.uno.so" Virus found Win32/PolyCrypt
"/usr/lib/openoffice/program/uno.bin" Virus found Win32/PolyCrypt
"/usr/lib/openoffice/program/vbaevents680li.uno.so" Virus found Win32/PolyCrypt
"/usr/lib/perl5/auto/Curses/Curses.so" Virus found Win32/PolyCrypt
"/usr/lib/python-support/python-pisock/python2.4/_pisock.so" Virus found Win32/PolyCrypt
"/usr/lib/python-support/python-pisock/python2.5/_pisock.so" Virus found Win32/PolyCrypt
"/usr/lib/sane/libsane-pixma.so.1" Virus found Win32/PolyCrypt
"/usr/lib/sane/libsane-pixma.so.1.0.18" Virus found Win32/PolyCrypt
"/usr/lib/xorg/modules/libddc.so" Virus found Win32/PolyCrypt
"/usr/sbin/pam_tally" Virus found Win32/PolyCrypt

------------------------------------------------------------
Test start Wed Aug 8 20:02:14 2007

Elapsed time 1007sec.
------------------------------------------------------------
Scanned files : 22541
Infected files : 58
Errors : 1
Reported files : 59
------------------------------------------------------------

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: miguelangeldavila
miguelangeldavila (miguelangeldavila-argotvisual) said :
#1

The scan was run without heuristics enabled.

Gord Allott (gordallott) said :
#2

They are almost definitely false positives.

SuezanneCB SuezanneC Baskerville (suezanne) said :
#3

I am in the process of getting reports of virus infection from AVG on the Win32/PolyCrypt virus; in my case it is so far in folders related to Cygwin.

I have previously downloaded an Ubuntu installer.

Brett Smith (bretts5964) said :
#4

I can confirm that one file is a false positive. AVG Free for Windows returned this result when scanning my Kubuntu 7.04 partition:

"/usr/bin/mawk" Virus found Win32/PolyCrypt

Most of your other files seem to be Gnome related, so it's no surprise that they didn't turn up on Kubuntu (they are not installed). I decided to check /usr/bin/mawk with another online scanner, and it found no threats.

Trend Micro HouseCall - Free Online Virus and Spyware Scan
http://housecall.trendmicro.com/

I ran this under Windows in Firefox, but it is supposed to work on Linux also.

miguelangeldavila (miguelangeldavila-argotvisual) said :
#5

I sent some files to Grisoft, the makers of AVG, but have not had an answer yet.

On the other hand, some of the "infected" files are part of a program that I compiled. I recompiled the program (Inkscape) and the antivirus continues to report it as infected. That confirms to me that it is a false positive.

Another thing about AVG for Linux: it reports soft links as well as the programs they point to; AVG does not distinguish them. If they plan to repair infections in the future (today that does not happen), the cleanup would happen twice. A Linux program of this kind has to be aware of soft links.

Thanks for the link, Brett. At least Trend Micro is not ActiveX-dependent like Symantec. As expected, the tool does not read the filesystem on a Linux computer, but it does not warn the user about that either; it just remains idle.

They are using Java, but what happened to the clucked* Java sandbox that prevents Java from accessing the filesystem? I'm not paranoid, I'm only joking.

By the way, we must wait for well-programmed antivirus software to come to Linux, and of course, for the viruses too.

* In Mexico we say "cacarear" for boasted.
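
Post #5 notes that the scanner lists a soft link and the file it points to as separate detections. The following added example (not part of the thread and not AVG's code) parses report lines in the format shown in the question and groups the reported paths by underlying file, so each file is counted and handled once; the function names, the `root` parameter and the sample layout are assumptions made for the illustration.

```python
import os
import re
from collections import defaultdict

# Constructed sample: a few lines in the format of the report in the question.
SAMPLE_REPORT = '''AVG7 Anti-Virus command line scanner
"/lib/" Cannot open; not checked! Resource temporarily unavailable
"/usr/bin/evolution" Virus found Win32/PolyCrypt
"/usr/bin/evolution-2.10" Virus found Win32/PolyCrypt
"/usr/bin/mawk" Virus found Win32/PolyCrypt
Scanned files : 22541
'''

LINE_RE = re.compile(r'^"(?P<path>[^"]+)"\s+(?P<status>.+?)\s*$')
HIT_RE = re.compile(r'^Virus found\s+(?P<name>\S+)$')


def parse_report(text):
    """Return (detections, errors): [(path, signature)] and [(path, message)]."""
    detections, errors = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, separator or summary line
        hit = HIT_RE.match(m["status"])
        if hit:
            detections.append((m["path"], hit["name"]))
        else:
            errors.append((m["path"], m["status"]))
    return detections, errors


def group_by_file(detections, root="/"):
    """Group reported paths that resolve to the same file under `root`.

    os.stat() follows symlinks, so a link and its target share one
    (st_dev, st_ino) key; hard links collapse the same way. A path that
    cannot be stat'ed stays in a group of its own.
    """
    by_file = defaultdict(list)
    for path, _signature in detections:
        try:
            st = os.stat(os.path.join(root, path.lstrip("/")))
            key = (st.st_dev, st.st_ino)
        except OSError:
            key = ("unresolved", path)
        by_file[key].append(path)
    return sorted(sorted(paths) for paths in by_file.values())
```

A group with more than one path is a single file reached by several names, so it should count as one detection and any cleanup or quarantine step should run on it once.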

miguelangeldavila (miguelangeldavila-argotvisual) said :
#6

I am still leaving this answer open because I'm using Internet Explorer under Wine to test websites. There is a small probability that IE allows an infection by trojans, at least from a new kind of Winux virus.

miguelangeldavila (miguelangeldavila-argotvisual) said :
#7

Solved: since the last update, AVG has stopped reporting the infection. These boys are working very fast.

Thank you very much for the answers.

louise whitehurst (louisewhitehurst) said :
#8

Using command line scanner with an advanced tool for automatic database updates is what we need.