
Re: Trojan Detected by Kaspersky in One Debian DVD



On Wed, Oct 31, 2012 at 08:17:52PM -0400, Alan Feuerbacher wrote:
> A couple of weeks ago I downloaded to my Windows 7 machine 10 DVD
> iso files for debian-6.0.6-amd64. I have not yet installed Debian to
> this machine.
> 
> Last night Kaspersky anti-virus detected a Trojan in one of the files:
> 
> debian-6.0.6-amd64-DVD-7.iso\pool\main\n\nepenthes\nepenthes_0.2.2-6_amd64.deb\data.tar\.\usr\share\doc\nepenthes\README.VFS
> 
> The Trojan is called Trojan-Downloader.BAT.ftp.z
> 
> Is this a real Trojan? If so, why would it be there? If not, what is it?

Looking at the file in question, I can see why it's being flagged up.
README.VFS is headed "VFS testcases", followed by a batch file that, if
executed, looks like it would download a series of EXEs and DLLs from
ftp sites around the internet. The batch file looks exceedingly dodgy to
my untrained eyes BUT there are a few things to remember: 1) As pointed
out by someone else, this package is explicitly about collecting
malware; if you're interested in that you're probably more au fait with
what the script might do. 2) The file itself is a README file (i.e.
plain text) in the documentation directory of a package that most people
wouldn't install.

In other words, the file is only a risk to you if you install the
nepenthes package AND then copy the README.VFS file to a Windows
system AND rename it to *.BAT AND execute that file. If in doubt, don't
do that :)
