[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Trojan Detected by Kaspersky in One Debian DVD

On Wed, Oct 31, 2012 at 08:17:52PM -0400, Alan Feuerbacher wrote:
> A couple of weeks ago I downloaded to my Windows 7 machine 10 DVD
> iso files for debian-6.0.6-amd64. I have not yet installed Debian to
> this machine.
> Last night Kaspersky anti-virus detected a Trojan in one of the files:
> debian-6.0.6-amd64-DVD-7.iso\pool\main\n\nepenthes\nepenthes_0.2.2-6_amd64.deb\data.tar\.\usr\share\doc\nepenthes\README.VFS
> The Trojan is called Trojan-Downloader.BAT.ftp.z
> Is this a real Trojan? If so, why would it be there? If not, what is it?

Looking at the file in question, I can see why it's being flagged up.
README.VFS is headed "VFS testcases", followed by a Batchfile that, if
executed, looks like it would download a series of EXEs and DLLs from
ftp sites around the internet. The batchfile looks exceedingly dodgy to
my untrained eyes BUT there are a few things to remember: 1) As pointed
out by someone else, this package is explicitly about collecting
malware; if you're interested in that you're probably more au fait with
what the script might do. 2) The file itself is a README file (i.e.
plain text) in the documentation directory of a package that most people
wouldn't install.

In other words, the file is only a risk to you if you install the
nepenthes package AND then copy the README.VFS file to a Windows
system AND rename it to *.BAT AND execute that file. If in doubt, don't
do that :)

Attachment: signature.asc
Description: Digital signature

Reply to: