LinuxMint 10 RC Has Malware?

Discussion in 'malware problems & news' started by TheKid7, Nov 12, 2010.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    Yesterday, I downloaded the LinuxMint 10 RC ISO image and burned it to a CD on one of my Windows XP Pro PCs. Upon finishing the burn process, I opened the CD/DVD burner tray to remove the CD. Immediately I got some sort of message, something about pyrun.exe and No Disk. I was unable to close the message. I tried to close it with Windows Task Manager, but it still would not close. I wound up restarting the PC to get rid of the message.

    This morning I ran a scan with SAS Free and it said that it detected a Trojan in a Temp folder. I uploaded the two suspect Trojan files to VirusTotal and the only positive was SAS. I decided to Quarantine the suspect files with SAS. The suspect files showed LinuxMint icons.

    Do you think that this is a real Trojan or a false positive?

    When I get a chance this evening, I will probably restore an older Image just to be sure.

    Thanks in Advance.

    SAS Log:

    Trojan.Agent/Gen-UsrMgr
    C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\PYL11B2.TMP\PYLAUNCHER.EXE
    C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\PYL11B2.TMP\PYRUN.EXE
    C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\PYL11B2.TMP.EXE
     
  2. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Why not contact Clem or Husse on the Mint forum directly?
    They'll be able to explain why Pyrun (as part of Wubi) ended up in that temp folder.

    OASIS (Online Armor database) has, for instance, this on pyrun:

    'What does pyrun.exe do?

    * Process - a process that runs on your computer
    * EnumerateFiles
    * Installer - Installs software on your computer.
    * ProcessStart
    * ExecutableCreate
    * DnsApiUse
    * RemoteCode
    * KeyLogger - Capable of reading keystrokes from the keyboard. Can potentially log them if malicious
    * Cache
    * StartWithParams
    '

    Enough possibilities to trigger SAS
     
  3. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Sounds like you either stopped the process too soon or it went to install Linux and met that 'lazy developer zone' of not catering for card readers and virtual disks. The window will give you a 'No Disk' message and something like 'Continue, Try Again or Cancel'. If those files are related to LinuxMint, I know Wubi uses pyrun; it's used to install Linux from Windows.
     
    Last edited: Nov 12, 2010
  4. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Is Wubi being downloaded with the ISO?
     
  5. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    That's a good description of what happened.

    It is probably a false positive.

    Thanks.
     
  6. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I did some searches and it looks like they have been including Wubi starting with Linux Mint version 9.0.

    See the last paragraph under "Installation":

    http://en.wikipedia.org/wiki/Linux_Mint
     
  7. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    At least now I have "motivation" to finally stop procrastinating and turn off Windows AutoRun on all of my PCs. I will probably use Panda's USB Vaccine.
     
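The AutoRun hardening the last post talks about can be done directly in the registry rather than through a third-party tool. Below is an added example, not code from the thread or from any of the tools mentioned in it: it sets the NoDriveTypeAutoRun policy value (the documented Windows policy controlling AutoRun per drive type) to 0xFF, which disables AutoRun for every drive type, and then reads it back to confirm. The paths and value are the standard Windows policy locations; the choice to write both the machine-wide (HKLM) and per-user (HKCU) keys is this example's own. Run it from an elevated PowerShell prompt; the setting takes effect for new logon sessions.

```powershell
# Added example (not from the thread): disable Windows AutoRun for all drive
# types by setting NoDriveTypeAutoRun = 0xFF. Run as Administrator.

$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Set-AutoRunDisabled {
    foreach ($path in $policyPaths) {
        if (-not (Test-Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        # Weak default: 0x91 (Vista and later) or 0x95 (XP) leaves AutoRun
        # enabled on CD/DVD and on fixed/removable drives.
        # Hardened: 0xFF sets the bit for every drive type, so nothing autoruns.
        New-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' `
            -PropertyType DWord -Value 0xFF -Force | Out-Null
    }
}

function Test-AutoRunDisabled {
    # Returns $true only if every policy path reports 0xFF (255).
    $ok = $true
    foreach ($path in $policyPaths) {
        $value = (Get-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' `
            -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($value -ne 0xFF) {
            Write-Warning "$path NoDriveTypeAutoRun is '$value', expected 255"
            $ok = $false
        } else {
            Write-Host "$path NoDriveTypeAutoRun = $value (AutoRun disabled for all drive types)"
        }
    }
    return $ok
}

Set-AutoRunDisabled
Test-AutoRunDisabled
```

Note that this only stops Windows from automatically launching whatever an autorun.inf points at; it does not scan or block the media itself, so a burned ISO that carries a Windows installer (as the Mint disc with Wubi does) will still show that installer if you open it by hand.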