2

I love Ubuntu. I'm shocked to find this virus, which is creating a Recycler folder and many ".lnk" files the moment I insert any USB drive. Inserting the USB back into my Windows PC running BitDefender Internet Security 2015 clearly detects these files as malware. It is hiding all the data that was in the USB.

Honestly, I didn't believe it for 15 days. We use Ubuntu PCs for Internet access in our company. All Ubuntu PCs in my building are suffering from this problem. I formatted my PC and did a fresh install of Ubuntu 12.04. The virus is re-appearing after only a few days.

I installed BitDefender on my Ubuntu PC today and did a full system scan. Eleven infected files got detected and deleted. I rescanned to make sure no infected files are there. Yet the .lnk files are being created once I reinsert the flash drive.

I've apt-get updated many times. My sources.list has Ubuntu main repos and update repos which include security updates. Please help me to eradicate this virus from my Ubuntu PC as well as other PCs in the network.

I'm running Ubuntu 12.04 Desktop on a 32-bit machine, 2 GB RAM, Intel Core 2 Duo processor.

I wrote a post on how to install BD in Linux explaining the problem. You can read here.

The sources.list has the following repos:

###### Ubuntu Main Repos
deb http://in.archive.ubuntu.com/ubuntu/ precise main restricted universe
deb-src http://in.archive.ubuntu.com/ubuntu/ precise main restricted universe

###### Ubuntu Update Repos
deb http://in.archive.ubuntu.com/ubuntu/ precise-security main restricted universe
deb http://in.archive.ubuntu.com/ubuntu/ precise-updates main restricted universe
deb-src http://in.archive.ubuntu.com/ubuntu/ precise-security main restricted universe
deb-src http://in.archive.ubuntu.com/ubuntu/ precise-updates main restricted universe

These are the files that are being created as and when the USB is inserted: Recycler folder, AUTOEXEC.BAT.lnk, boot.ini.lnk, bootfont.bin.lnk, CONFIG.SYS.lnk, IO.SYS.lnk, MSDOS.SYS.lnk, pagefile.sys.lnk

The log file /opt/BitDefender-scanner/var/log/bdscan.log has the following:

//
// BitDefender scan report
//
// Time: Mon Jan 12 11:18:56 2015
// Command line: / --action=delete --suspect-copy --follow-link --log --no-list --no-warnings
// Core: AVCORE v2.1 Linux/i386 11.0.1.12 (Aug 7, 2014)
// Engines: scan: 17, unpack: 13, archive: 51, mail: 8
// Total signatures: 6337727
//

/media/580F-A489__/RECYCLER/temp/qedit.dld      infected: Trojan.Generic.12478731
/media/580F-A489__/RECYCLER/temp/qedit.dld      deleted
/media/580F-A489__/RECYCLER/S-1-5-21-602162358-842925246-1417001333-502/tmp0211 infected: Trojan.GenericKD.2051722
/media/580F-A489__/RECYCLER/S-1-5-21-602162358-842925246-1417001333-502/tmp0211 deleted
/media/580F-A489__/RECYCLER/S-1-5-21-854245398-2077806209-0000980848-1003/tmp0211       infected: Trojan.GenericKD.2051722
/media/580F-A489__/RECYCLER/S-1-5-21-854245398-2077806209-0000980848-1003/tmp0211       deleted
/media/580F-A489_/RECYCLER/temp/qedit.dld       infected: Trojan.Generic.12478731
/media/580F-A489_/RECYCLER/temp/qedit.dld       deleted
/media/580F-A489_/RECYCLER/S-1-5-21-602162358-842925246-1417001333-502/tmp0211  infected: Trojan.GenericKD.2051722
/media/580F-A489_/RECYCLER/S-1-5-21-602162358-842925246-1417001333-502/tmp0211  deleted
/media/580F-A489_/RECYCLER/S-1-5-21-854245398-2077806209-0000980848-1003/tmp0211        infected: Trojan.GenericKD.2051722
/media/580F-A489_/RECYCLER/S-1-5-21-854245398-2077806209-0000980848-1003/tmp0211        deleted
/media/DEEPAK/RECYCLER/temp/qedit.dld   infected: Trojan.Generic.12478731
/media/DEEPAK/RECYCLER/temp/qedit.dld   deleted
/media/DEEPAK/RECYCLER/S-1-5-21-854245398-2077806209-0000980848-1003/tmp0211    infected: Trojan.GenericKD.2051722
/media/DEEPAK/RECYCLER/S-1-5-21-854245398-2077806209-0000980848-1003/tmp0211    deleted
/media/DEEPAK/RECYCLER/S-1-5-21-602162358-842925246-1417001333-502/tmp0211      infected: Trojan.GenericKD.2051722
/media/DEEPAK/RECYCLER/S-1-5-21-602162358-842925246-1417001333-502/tmp0211      deleted
/bin/.flash/.u/44.58u.tar=>(gzip)=>0000000000.nls       password protected
/bin/.flash/.u/44.58u.tar=>(gzip)=>jg.nls       password protected
/bin/.flash/bin/comlnkdll       infected: Trojan.Generic.12478731
/bin/.flash/bin/comlnkdll       deleted
/bin/.flash/bin/comhorse.dat    infected: Trojan.GenericKD.2051722
/bin/.flash/bin/comhorse.dat    deleted


Results:
Folders            : 0
Files              : 619188
Packed             : 4029
Archives           : 15070
Infected files     : 11
Suspect files      : 0
Deleted files      : 11
Copied files       : 0
I/O errors         : 950
Files/second       : 407
Scan time          : 00:25:19

I'm not able to find the exact Trojan details in the BD Virus Encyclopedia. However, this article says Trojan.GenericKD is a PUP (Potentially Unwanted Program) which may come from custom installers found on sites such as CNET, Softonic, Brothersoft, etc. These sites are blocked by the Web Gateway in the company.

Deepak D
  • 166
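An added example, not part of the original question or its answers: a short Python triage of result lines in the format of the bdscan.log excerpt above. It separates detections on mounted removable volumes from detections on the local filesystem and lists hidden directory components such as .flash. The mount prefixes and all function names are assumptions of this example.

```python
import re

# Result lines copied from the bdscan.log excerpt in the question above.
SAMPLE_LOG = """\
// Core: AVCORE v2.1 Linux/i386 11.0.1.12 (Aug 7, 2014)
/media/DEEPAK/RECYCLER/temp/qedit.dld   infected: Trojan.Generic.12478731
/media/DEEPAK/RECYCLER/temp/qedit.dld   deleted
/bin/.flash/.u/44.58u.tar=>(gzip)=>jg.nls       password protected
/bin/.flash/bin/comlnkdll       infected: Trojan.Generic.12478731
/bin/.flash/bin/comlnkdll       deleted
/bin/.flash/bin/comhorse.dat    infected: Trojan.GenericKD.2051722
/bin/.flash/bin/comhorse.dat    deleted
"""

# Assumption: removable volumes are mounted under one of these prefixes.
REMOVABLE_PREFIXES = ("/media/", "/mnt/", "/run/media/")

# <path><whitespace><status>, with the status forms that appear in the log.
RESULT_RE = re.compile(
    r"^(?P<path>/.+?)\s+(?P<status>infected: \S+|deleted|password protected)\s*$"
)

def parse_results(log_text):
    """Yield (on_disk_path, status) per result line; headers and totals never match."""
    for line in log_text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            # "archive=>(gzip)=>member" names a member inside an archive: keep the archive path.
            yield m.group("path").split("=>", 1)[0], m.group("status")

def triage(log_text):
    """Return {"removable": {path: [statuses]}, "local": {path: [statuses]}}."""
    groups = {"removable": {}, "local": {}}
    for path, status in parse_results(log_text):
        where = "removable" if path.startswith(REMOVABLE_PREFIXES) else "local"
        statuses = groups[where].setdefault(path, [])
        if status not in statuses:
            statuses.append(status)
    return groups

def hidden_dirs(path):
    """Dot-prefixed directory components of a path, e.g. '.flash'."""
    return [part for part in path.split("/")[:-1] if part.startswith(".")]

if __name__ == "__main__":
    for where, found in triage(SAMPLE_LOG).items():
        for path, statuses in found.items():
            print(where, path, statuses, "hidden:", hidden_dirs(path))
```

On the excerpt it lists the three /bin/.flash paths under "local", meaning those files were on the Ubuntu machine's own filesystem rather than on the USB stick.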

3 Answers

2

Go to Disk Manager and format the pendrive.

First, understand that there is NO shortcut virus for Ubuntu. It's your flash drive messing with itself, or you use Wine.

I suggest you reinstall Wine, if you have Wine installed.

Remove Wine completely by typing: sudo apt-get remove wine

Install Wine again by typing: sudo apt-get install wine

This should solve the issue.

2

As far as I know, Ubuntu or any other Linux distro is not affected by the shortcut virus. There has to be some kind of Windows process running on your system. Even if we assume your system is affected by a Linux-targeted shortcut virus, what is the purpose of it creating .lnk files, as those files will work on a Windows system?

Do you find any .exe files or .bat files copied to your pen drive?

As the Ubuntu documentation explains, BitDefender identifies Windows viruses on your system.

BitDefender is a program to check for Windows viruses and malware. It can be run in the background or on demand when required. Once installed it can be found under Applications - Systems Tools. It can be used as an alternative to clamav/clamtk. Ubuntu Documentation

So if it's showing any viruses, it means that there are Windows viruses on your system. Those will not work on Ubuntu.

1

Sorry for posting this as an answer, but I'll edit and update this answer as we go along to minimise the number of comments and keep things uncluttered. I've got clamav installed and that's just to be able to detect Windows viruses on NTFS hard disks that I hook up through my USB. (no daemon installed)

Furthermore, clamav is available in the standard Ubuntu software repositories and recommended by Canonical: https://help.ubuntu.com/community/ClamAV. Why did you even install BitDefender?

You say that .lnk files keep cropping up and that this is all over your company's network. Do you have samba installed on those machines with guest accounts enabled?

You say that you've reinstalled using 12.04. Why an end-of-life version?

If you can answer the questions above, I'm pretty sure I can help you much better by using free software.

Fabby
  • 35,017