How to remove a possible trojan virus

Hi. I'm horribly stuck on what to do. I discovered strange random images all called cover.jpg scattered among folders within my Videos folder. They seem to have no rhyme or reason in their placement, and some appear to be from shows/movies. I never downloaded these.

Scanning with a program called Raspirus, it believes there is a trojan called ELASTIC_Windows_Trojan_Generic_9997489C involved. ClamAV doesn't detect anything, so it could be a false positive, but these suspicious image files ending up in random folders suggest something is happening.
Sadly, I currently can't pin down a program that could have caused it, as a lot was being installed and uninstalled from the Software Store while I was looking for replacements/alternatives to the video viewing app and a 2D animation app. The apps I can remember installing from the Software Store are:

  • Pencil2D
  • Synfig Studio (currently uninstalled)
  • Ultimate Media Downloader (currently uninstalled)
  • Pipeline (currently uninstalled)
  • Footage (currently uninstalled)
  • Videos (currently uninstalled)

Please tell me if there is an easier way to actually tell whether something is really going on, and how to remove it if there is.

Zorin 17.2 Pro Edition

Windows Trojans are ineffectual and cannot affect GNU/Linux distributions.

Are you using WINE? (Zorin Windows App Support)

These sound like the standard cover image for media, usually used as thumbnail images.

Which, this app may be the culprit. Not a virus - just annoying.
Some applications (on Windows more than GNU/Linux, but still) will add default demonstrative content.
Since the app is removed, I would just delete the random cover.jpg files.

Please remember to answer as to whether or not you have Wine installed.


Welcome to the Forum!

To scan the files for a double-check, you could use VirusTotal. It is a website for scanning for viruses:

  • I was unsure if this was some kind of cover name for something else or just what it says.
  • I have WINE installed but to my knowledge it hasn't been used actively as I was using Linux based programs.
  • All the images have the standard cover image name. It scared me, as they were in various folders that should have no association with where files are downloaded. In some cases files are not being actively moved in and out of some folders, as they are video archives. The images themselves didn't seem to make any sense, as they didn't appear linked to anything.
  • Hopefully it is just Ultimate Media Downloader being strange as I used it once before and never noticed anything odd like this happening.

Thanks. I'll use this to check over the folders.

For reassurance, in addition to ClamAV, you could scan with Rkhunter and Chkrootkit.


Raspirus does not offer file deletion or quarantine options because the detection database may occasionally generate false positives. We recommend reviewing flagged files carefully and making decisions based on your own judgment or submitting suspicious files to services like VirusTotal for further analysis.

Usage Guide · Raspirus/raspirus Wiki · GitHub

I would follow suit and check all the files flagged with VirusTotal as suggested also by @Ponce-De-Leon.

You will also find a link to a Discord server when you visit the Raspirus site. It may be a good idea to ask about this over there as well, as they'll probably have a better idea of what may have caused this flag. Even if it's a false positive, it'll be helpful to them.


Found this:

So to go back to the beginning, where did you download the uninstalled programs from?


I tried with Rkhunter but gave up after it just didn't work and kept having errors. I just wish for a simpler, preferably GUI-based way to do these checks without downloading several programs through the terminal and hitting brick walls because of faulty/unclear commands you're supposed to type in.

@zenzen I'll see if I can report it to the Discord after doing some more checks.
@swarfendor437 I installed all these programs using the in-built Zorin Software Store.

An additional problem I encountered is not being able to effectively scan large video files, which are the main area of concern. VirusTotal won't do it, and I think I read ClamAV can only go so far in GB before it won't scan something.

I've only recently discovered that there have been no major announcements for rkhunter since 2018. I have run it in the past with no issues. One thing rkhunter can't check is containerised apps which are isolated from the system (snapd, Flatpak, AppImages). Chkrootkit is more up-to-date. When you start to create GUIs, that is the first step to gaining malware. Viruses increased considerably once the desktop left the terminal interface behind.

Check this out (Lynis uses rkhunter):

ClamAV is meant for email attachments. I haven't looked at the docs but I remember there was a flag that you can pass at the command line (assuming that is how you are running it, that is) to increase the maximum filesize it will scan. Keep in mind that it will consume a lot of memory if you do this, so make sure you have enough left. Otherwise, you might need to look at other alternatives.

For this, ClamTK would be good. There you have a GUI, and in the settings you can set it up so that it looks at bigger files, and it scans the whole system.

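As an added example (not from anyone in this thread), the two checks discussed above put into a small POSIX shell script: inventory every cover.jpg under a directory with its SHA-256 hash (a hash can be searched on VirusTotal without uploading a multi-GB file), and run clamscan with its size limits raised so large videos are not silently skipped. It assumes `sha256sum` and, for the scan step only, ClamAV's `clamscan` are installed; `--max-filesize` and `--max-scansize` are real clamscan options (upper bound 4000M), and raising them costs memory, as noted above.

```shell
#!/bin/sh
# Added example for the thread above: locate unexpected cover.jpg files,
# record their hashes for a VirusTotal lookup, and scan with raised limits.

# list_cover_files DIR -> one line per cover.jpg: "<sha256>  <path>", sorted by path.
# The hash can be pasted into VirusTotal's search box instead of uploading the file.
list_cover_files() {
    find "$1" -type f -name 'cover.jpg' -exec sha256sum {} + | sort -k2
}

# count_cover_files DIR -> number of cover.jpg files found under DIR.
count_cover_files() {
    find "$1" -type f -name 'cover.jpg' | wc -l | tr -d ' '
}

# scan_large DIR -> recursive clamscan that only reports infected files and
# raises the per-file and per-scan caps so multi-GB videos are not skipped.
# Returns clamscan's exit code (0 clean, 1 infected, 2 error); returns 3 if
# clamscan is not installed, so the caller can tell "not scanned" from "clean".
scan_large() {
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "clamscan not found; install ClamAV (or use ClamTK) to scan" >&2
        return 3
    fi
    clamscan --recursive --infected \
        --max-filesize=4000M --max-scansize=4000M "$1"
}

# Typical use on the folder from the thread:
#   list_cover_files "$HOME/Videos"
#   scan_large "$HOME/Videos"
```

The hash list also makes it easy to see whether all the cover.jpg files are identical (same hash) or distinct, which helps tell a bundled placeholder thumbnail apart from per-video artwork.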

As an update. Things seem to look clear from all the checks. I can only assume that the Ultimate Media Downloader app was the one responsible for the appearance of odd cover images and the false alarm I had. Thanks for the help.
