Re: [Hampshire] Linux.Lion worm

Author: Lisi
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] Linux.Lion worm
On Friday 10 October 2008 10:58:08 Alan Pope wrote:
> 2008/10/10 Lisi <hantslug@???>:
> > On Thursday 09 October 2008 23:41:41 Alan Pope wrote:
> >> What leads you to think it's a _recent_ threat? All reports I can find
> >> indicate it's very old and well patched.
> >
> > I was scanning a Windows USB HDD with a fully updated copy of ClamAV
> > yesterday afternoon and it flagged it, so I looked it up. One of the
> > references on the first page claimed to have come from Kaspersky and
> > referenced Symantec and, I think, McAfee and was dated 2 months ago.
>
> More than likely a false positive then in my opinion.


Yes, I had come to that conclusion but I don't trust my own judgement.

> > Can I safely assume that a copy of PCLinuxOS 2008 MiniMe, fully updated
> > to yesterday, will be safely patched? (Kernel 2.6.22.15.tex2) I shall
> > anyhow try to block the relevant IP provided that his router can. (I
> > have not yet checked, but I imagine that it can.) I'll also anyhow try
> > to delete the file in which ClamAV found it. But ClamAV says that it
> > tried but could not.
>
> What type of file is/was it?


Here are the relevant lines from the report:

/media/disk/pagefile.sys: Linux.Lionworm- 1 FOUND
WARNING: /media/disk/pagefile.sys: Can't remove

Thanks!
Lisi