Mailing List Archive

Txt.Downloader.Generic-6298945-0 FOUND
Hi all,

Recently my clamav scan summary has started showing a positive result
for 'Txt.Downloader.Generic-6298945-0' in the following directory:

> /home/a/.cache/mozilla/firefox/aumvdtqj.default-release/cache2/entries/79B6E3A1CE2A151EBE6E39D2C50B6F304AFA5F65:
> Txt.Downloader.Generic-6298945-0 FOUND

Does anybody know whether or not this is a trojan?

If I delete the Firefox cache it disappears for a few scans but
eventually it comes back.

Any idea what I should do to prevent this?

I am on Firefox 105.0.2 (64 bit) on Fedora 35

Here is the scan summary:

/home/a/.cache/mozilla/firefox/aumvdtqj.default-release/cache2/entries/79B6E3A1CE2A151EBE6E39D2C50B6F304AFA5F65:
Txt.Downloader.Generic-6298945-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8640721
Engine version: 0.103.7
Scanned directories: 67339
Scanned files: 484686
Infected files: 1
Data scanned: 46840.43 MB
Data read: 598814.74 MB (ratio 0.08:1)
Time: 4253.298 sec (70 m 53 s)
Start Date: 2022:10:21 15:15:01
End Date:   2022:10:21 16:25:55


Thanks

Wally

_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat

Re: Txt.Downloader.Generic-6298945-0 FOUND
Hi Wally,

Downloaders are not generally Trojans, although they may result from a Trojan that is used to install a Downloader.

This signature has been in the Clamav database since Apr 26 2017, which would tend to indicate its validity.

The signature breaks out to:
> % sigtool -fTxt.Downloader.Generic-6298945-0|sigtool --decode-sigs
> VIRUS NAME: Txt.Downloader.Generic-6298945-0
> TDB: Engine:71-255,Target:7
> LOGICAL EXPRESSION: (0|1)&(2>1)&3&(4>5)&(5>2)&(6>125)
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> admin
> * SUBSIG ID 1
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> random
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> eval(
> * SUBSIG ID 3
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> wscript.shell
> * SUBSIG ID 4
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> :2e{EXCLUDING_STRING_ALTERNATIVE::}
> * SUBSIG ID 5
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> activ
> * SUBSIG ID 6
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> :2

Perhaps you have an add-on that is re-creating this file or you are visiting a page that re-creates it.

-Al-
--
ClamXAV User

On Oct 21, 2022, at 5:54 PM, Wally Spratz <wally@longoz.ca> wrote:
> Hi all,
>
> Recently my clamav scan summary has started showing a positive result for 'Txt.Downloader.Generic-6298945-0' in the following directory:
>
>> /home/a/.cache/mozilla/firefox/aumvdtqj.default-release/cache2/entries/79B6E3A1CE2A151EBE6E39D2C50B6F304AFA5F65: Txt.Downloader.Generic-6298945-0 FOUND
>
> Does anybody know whether or not this is a trojan?
>
> If I delete the Firefox cache it disappears for a few scans but eventually it comes back.
>
> Any idea what I should do to prevent this?
>
> I am on Firefox 105.0.2 (64 bit) on Fedora 35
>
> Here is the scan summary:
>
> /home/a/.cache/mozilla/firefox/aumvdtqj.default-release/cache2/entries/79B6E3A1CE2A151EBE6E39D2C50B6F304AFA5F65: Txt.Downloader.Generic-6298945-0 FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 8640721
> Engine version: 0.103.7
> Scanned directories: 67339
> Scanned files: 484686
> Infected files: 1
> Data scanned: 46840.43 MB
> Data read: 598814.74 MB (ratio 0.08:1)
> Time: 4253.298 sec (70 m 53 s)
> Start Date: 2022:10:21 15:15:01
> End Date: 2022:10:21 16:25:55
>
>
> Thanks
>
> Wally



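As an added illustration (not from the thread and not ClamAV's own code), here is a small Python model of how that logical expression is evaluated over the subsignature hit counts: a bare id means the subsignature matched at least once, and `N>M` means subsignature N matched more than M times. The counting model and the literal patterns used for subsigs 4 and 6 are assumptions, noted in the comments.

```python
import re
from collections import deque
# Subsigs as sigtool --decode-sigs printed them in the thread. Subsigs 4 and 6 are
# an assumption: only a printable prefix (plus an excluding alternative) was shown.
SUBSIGS = {0: b"admin", 1: b"random", 2: b"eval(", 3: b"wscript.shell",
           4: b":2e", 5: b"activ", 6: b":2"}
LOGICAL_EXPRESSION = "(0|1)&(2>1)&3&(4>5)&(5>2)&(6>125)"

def count_matches(data: bytes, subsigs=SUBSIGS) -> dict:
    """Case-sensitive, overlapping hit count per subsig (count model assumed)."""
    return {sid: len(re.findall(b"(?=" + re.escape(pat) + b")", data))
            for sid, pat in subsigs.items()}

class _Parser:
    """Subset of lsig syntax this signature uses: '&', '|', parentheses and
    'ID>N' / 'ID<N' / 'ID=N' on a single subsig id, applied left to right."""
    def __init__(self, expr: str, counts: dict):
        self.toks = deque(re.findall(r"\d+|[()&|<>=]", expr))
        self.counts = counts
    def peek(self):
        return self.toks[0] if self.toks else None
    def expr(self) -> bool:
        result = self.term()
        while self.peek() in ("&", "|"):
            op, rhs = self.toks.popleft(), self.term()
            result = (result and rhs) if op == "&" else (result or rhs)
        return result
    def term(self) -> bool:
        tok = self.toks.popleft()
        if tok == "(":
            value = self.expr()
            if self.toks.popleft() != ")" or self.peek() in ("<", ">", "="):
                raise ValueError("bad parentheses or unsupported group count")
            return value
        n = self.counts.get(int(tok), 0)
        if self.peek() in ("<", ">", "="):
            op, limit = self.toks.popleft(), int(self.toks.popleft())
            return {"<": n < limit, ">": n > limit, "=": n == limit}[op]
        return n > 0                      # bare id: true if the subsig hit

def evaluate(expr: str, counts: dict) -> bool:
    return _Parser(expr, counts).expr()

def signature_fires(data: bytes) -> bool:
    return evaluate(LOGICAL_EXPRESSION, count_matches(data))

# Constructed fixtures (not real cache files): HIT meets every clause, MISS fails (2>1).
SAMPLE_HIT = b"admin eval( eval( wscript.shell " + b":2e activ " * 6 + b":2" * 130
SAMPLE_MISS = b"var admin = 1; eval(x); activ :2e"
```

Feeding the flagged cache entry to `count_matches` shows which clause each file satisfies, which is the quickest way to see why a benign-looking page keeps re-triggering the signature.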
Re: Txt.Downloader.Generic-6298945-0 FOUND
hi wally they say you can get rid of anything in a cache without
too many problems or after effects
one way to stop it coming into the cache is making it read only
but this will stop other files entering as well
but maybe have a look at the permissions of the cache at least

now though this is an uncomfortable task i must try to get the information out, humanity's survival depends on circulation of information

take these two words and join them then search on your favourite web engine
32 or 64 B?? operating system
shall i throw this rubbish down the rubbish C????

kind regards colin

Re: Txt.Downloader.Generic-6298945-0 FOUND
Hi Colin,

Thanks for the suggestion.

I gave ownership of the .cache directory to Root and this has resolved
the issue so far.

I had some earlier success with removing all Firefox extensions, but
this only worked for a while.

In the end I completely removed firefox from the system and deleted all
related files and profiles and then reinstalled it.

Then I did a chown of the cache directory giving ownership to Root so
Firefox cannot write any files to .cache.

It has not had any discernible effect on Firefox performance and so far
so good; no more evidence of the txt.downloader malware.

I have been checking the scans regularly to see if the malware tries to
write to any other directories but it's all good to date.

Does anybody have any idea of what this Malware does and how it is acquired?

Thanks

Wally

On 10/24/22 09:20, colin course wrote:
> hi wally they say you can get rid of anything in a cache without
> too many problems or after effects
> one way to stop it coming into the cache is making it read only
> but this will stop other files entering as well
> but maybe have a look at the permissions of the cache at least
>
> now though this is an uncomfortable task i must try to get the information out, humanity's survival depends on circulation of information
>
> take these two words and join them then search on your favourite web engine
> 32 or 64 B?? operating system
> shall i throw this rubbish down the rubbish C????
>
> kind regards colin
>

Re: Txt.Downloader.Generic-6298945-0 FOUND
Hi there,

On Fri, 28 Oct 2022, Wally Spratz wrote:

> ...
> Does anybody have any idea of what this Malware does

The clue is in the name: ".Generic-".

Mr. Varnell has shown you the signature. As he pointed out it's one
which has been around for several years, so that's evidence that it's
not very prone to false positives; AFAICT it hasn't been mentioned on
the ClamAV Users' list until you brought it up. If you look at the
strings in the decoded signature, you can probably agree that things
which contain them would be suspect.

If you'd like a second opinion you can always send a copy of the
offending file to Jotti and/or Virus Total:

https://virusscan.jotti.org/

https://www.virustotal.com/old-browsers/

My guess is you will find that at least half a dozen other scanners
complain about it. They might give you more information, or at least
a bit more context.

> and how it is acquired?

Given your description of where it was found, I'd guess by not being
careful in your browsing habits. Bear in mind that the fact that it's
in your browser cache doesn't necessarily mean that anything on your
system is vulnerable to it, but all the same this isn't something that
you'd want to treat lightly. If a site is hosting anything malicious,
even if it's something to which your system isn't vulnerable, it must
be considered dangerous because you can never know what else it might
be hosting to which your system *might* be vulnerable. As you've said
"eventually it comes back" it is - just about - possible that there is
some persistent malware doing things when you aren't looking, but now
I'm getting into the weeds and I think the overwhelming probability is
that you are using some Website which has been compromised. I'd take
anything like this as a warning that I need to be more careful about
the sites that I visit. Maybe You can do a service to the community
by trying to find which site it is and alerting the owner, but the
vast majority of compromised Websites are run by hopeless cases and
you'd probably just be wasting your time. Far better to avoid them,
and let them die a natural death.

I've never seen anything like this in my browser's cache directory but
(1) I'm cautious about Websites that I visit and (2) I never scan it.

--

73,
Ged.

Re: Txt.Downloader.Generic-6298945-0 FOUND
glad that worked for you wally :)

please check out that website
and all the best to you man

kind regards colin