There is a warning in my country that a trojan has infected computers via a news site (the trojan's name is GOZI).

I used clamav, but it says it is not the latest version.

How do I install the latest version of clamav?

empedokles
  • I'm not sure if it's a virus and it's not really that question. – empedokles Apr 08 '16 at 07:54
  • A trojan is a virus, and your question can be broken down to "How do I install anti-virus?" Anti-virus software is how you would check if you have a virus. – Mark Kirby Apr 08 '16 at 08:02
  • There are several listed only on external sites, but most I don't find in the software store. Which one do you suggest? I installed ClamTk, which has a terrible user GUI (I can't figure out how it works). – empedokles Apr 08 '16 at 08:16
  • Use the command line version clamav; it will be installed already. Run sudo freshclam to update the database, then sudo clamscan -r / to run a scan. When it is done it will list threats it finds on your computer. – Mark Kirby Apr 08 '16 at 08:21
  • See here for more detail http://askubuntu.com/questions/250290/how-do-i-scan-for-viruses-with-clamav – Mark Kirby Apr 08 '16 at 08:23
  • Thanks. It says I'm using an outdated version; how can I update it? P.S. I already did sudo apt-get update, but the same error shows up. – empedokles Apr 08 '16 at 08:46
  • You can't from the repos; that is the version you get. If you add "how to install the latest clamav" to the question, I will write you an answer on how to build it from source, but it needs to be in the question or it will just get flagged and removed. – Mark Kirby Apr 08 '16 at 08:49

2 Answers

Uninstall the repository versions of clamav and clamtk:

sudo apt-get purge clamav clamtk

First you will need some dependencies and build tools:

sudo apt-get install openssl build-essential libssl-dev checkinstall

Download this file; it will go to your /home:

wget https://www.clamav.net/downloads/production/clamav-0.99.1.tar.gz

Extract that file and change to the folder it created:

tar -xvzf ~/clamav-0.99.1.tar.gz
cd ~/clamav-0.99.1

Now run the following commands to build clamav 0.99.1:

./configure
make

Now build a package with

sudo checkinstall

checkinstall will guide you through building a .deb package, and when it is done, run

sudo dpkg -i ~/clamav-0.99.1/clamav_0.99.1-1_amd64.deb

Now it is installed, but you may face errors about a config file. If you do, run these commands (thanks to user Terrance on this question for this; if you use it, give him a vote):

sudo dpkg-reconfigure clamav-freshclam

Just keep pressing Enter to use default settings, then run

sudo rm -f /usr/local/etc/freshclam.conf
sudo ln -s /etc/clamav/freshclam.conf /usr/local/etc/freshclam.conf

Now you can run

sudo clamscan -r /

to do a scan.

Tested on 15.10.

Mark Kirby
  • After the installation I receive: clamscan: error while loading shared libraries: libclamav.so.7: cannot open shared object file: No such file or directory when trying to run nuc@nuc:~/clamav-0.99.1$ sudo clamscan -r / – empedokles Apr 08 '16 at 14:51
  • I got that error too. Forgot to add to the question sorry. Run ldconfig in a terminal and reboot, I think that was the fix. – Mark Kirby Apr 08 '16 at 14:59
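The answer above is a manual sequence of steps, and the comments show the two pitfalls (the stale library cache and the freshclam.conf location). The script below is an added example, not Mark Kirby's code or anything shipped by ClamAV: it parses freshclam's own "OUTDATED" warning to find the recommended release, compares it with the installed one, and only then runs the build steps from the answer, with `ldconfig` and the config symlink fix folded in. It assumes freshclam reports an outdated install with a "Local version: X Recommended version: Y" line (the sample log is constructed to match that shape) and that the download URL follows the same pattern as the 0.99.1 tarball for other versions; both are assumptions, not facts from the page.

```shell
#!/bin/sh
# Added example: rebuild ClamAV from source only when freshclam says the
# installed copy is older than the recommended release.

# Constructed sample of freshclam output for an outdated install
# (assumed format; check your own freshclam.log for the real lines).
SAMPLE_FRESHCLAM_LOG='ClamAV update process started at Fri Apr  8 08:46:00 2016
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.98.7 Recommended version: 0.99.1
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)'

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# Missing components count as 0, so 0.99 < 0.99.1.
version_lt() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# parse_outdated LOG: print "LOCAL RECOMMENDED" taken from the warning
# line, or nothing when the log carries no such warning.
parse_outdated() {
    printf '%s\n' "$1" |
        sed -n 's/.*Local version: \([0-9][0-9.]*\) Recommended version: \([0-9][0-9.]*\).*/\1 \2/p' |
        head -n 1
}

# needs_rebuild LOG: exit 0 and print the recommended version when the
# log shows a strictly newer release than the one installed.
needs_rebuild() {
    versions=$(parse_outdated "$1")
    [ -n "$versions" ] || return 1
    local_v=${versions% *}
    recommended=${versions#* }
    version_lt "$local_v" "$recommended" || return 1
    printf '%s\n' "$recommended"
}

# build_from_source VER: the steps from the answer, parameterised by
# version (URL pattern assumed), plus the fixes from the comments.
build_from_source() {
    ver="$1"
    sudo apt-get purge clamav clamtk
    sudo apt-get install openssl build-essential libssl-dev checkinstall
    cd "$HOME"
    wget "https://www.clamav.net/downloads/production/clamav-$ver.tar.gz"
    tar -xzf "clamav-$ver.tar.gz"
    cd "clamav-$ver"
    ./configure
    make
    sudo checkinstall
    sudo dpkg -i "$HOME/clamav-$ver/clamav_${ver}-1_amd64.deb"
    # Refresh the shared-library cache; without this clamscan fails with
    # "libclamav.so.7: cannot open shared object file" (see the comments).
    sudo ldconfig
    # Point the source build at the Debian-managed freshclam.conf.
    sudo dpkg-reconfigure clamav-freshclam
    sudo rm -f /usr/local/etc/freshclam.conf
    sudo ln -s /etc/clamav/freshclam.conf /usr/local/etc/freshclam.conf
}

# Usage: sh rebuild-clamav.sh --check    (dry run on the constructed sample)
#        sh rebuild-clamav.sh --install  (run freshclam, rebuild if outdated)
case "${1:-}" in
    --check)
        if rec=$(needs_rebuild "$SAMPLE_FRESHCLAM_LOG"); then
            echo "outdated: would rebuild clamav $rec"
        else
            echo "up to date"
        fi ;;
    --install)
        log=$(sudo freshclam 2>&1) || true
        if rec=$(needs_rebuild "$log"); then
            build_from_source "$rec"
        fi ;;
esac
```

The decision logic is kept separate from the privileged build steps so it can be tried on a saved log first; `--check` exercises it on the constructed sample without touching the system.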
Excerpt from http://www.govcert.admin.ch/blog/21/20min.ch-malvertising-incident

The infection chain is as follows:

  1. The swf file on 20min.ch contains an embedded JavaScript which does a basic fingerprint using User Agent and Cookie. Based on this information a decision is made whether to redirect to the infection site or not.
  2. Redirect to the exploit kit, where a VB Script is downloaded with another check of which exploit would suit the target.
  3. Infect the device with Gozi in the form of a .dll that is made persistent via a registry key (rundll) under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. The dll resides in the %APPDATA% folder of the user.

msomm