WIN32:vitro found in Linux distribution

I downloaded Knoppix distro:
ftp://ftp.uni-kl.de/pub/linux/knoppix-dvd/KNOPPIX_V8.1-2017-09-05-EN.iso

Then ran Rufus to write the file to a USB stick to be a bootable Linux image.
https://rufus.akeo.ie/?locale=en_US

When Rufus finished, Avast automatically claimed to have found WIN32:vitro on the USB stick inside the Linux pathways, but there is no file called linux nor any linux without extension. It's possible to put this file into the virus chest, but delete from Avast on USB makes no difference:
E:\KNOPPIX\bootonly.iso|>boot\isolinux\linux

Ideas on what’s going on since vitro is a highly destructive thing!

Thanks for your time and insight.

How big is the file?

You can check suspicious file(s) at www.virustotal.com; I think max is 160mb.

The Knoppix iso file is 4.2Gbyte. Yes, I had previously already tested (sorry for not mentioning that) all files in that last (isolinux) map of the installed USB image Avast detected in VT; all went green. But is this “linux” a hidden map/file? Shouldn’t Avast say something like, linux.xxx is infected by WIN32:vitro or map linux has a file file.xxx that’s infected, rather than just linux!?

AVG people seem to say the DE iso file is clean, so maybe Avast is also overreacting?

https://support.avg.com/answers?id=906b0000000TlkuAAC

AVG and avast are the same >> https://blog.avast.com/avast-and-avg-become-one

Is your avast updated?

Ah! Had no idea they merged. Yes, it's updated, and the SHA256 for the downloaded iso is the same as the Knoppix generated.

Re: https://support.avg.com/answers?id=906b0000000TlkuAAC

This, the above, makes it likely this could indeed be a FP. This thread in the given link (which is rather recent) seems to suggest that the detection of this virus in a Knoppix ISO is a false detection. Even if the virus were really present in the ISO and you installed and used the operating system, it’s not likely that it would damage the Knoppix OS installation.

Well the booting as a “live disk” on a Windows machine could change things to make them look slightly different.

Here the file went all green: ftp://ftp.uni-kl.de/pub/linux/knoppix-dvd/KNOPPIX_V8.1-2017-09-05-EN.iso

Always good to check your image using md5 to rule out hacks.

But the final verdict can only come from an avast team member, so wait for one to appear and come up with a conclusive answer, as avast team members are the only ones that are entitled to give that answer with authority, as win32:vitro is a very serious and often irreparable infestation of the Windows OS. We aren’t to treat that detection lightly and we won’t.

polonus (volunteer website security analyst and website error-hunter)

If it does i just kill MBR and wipe out the directory chains. That ought to do it.

> Always good to check your image using md5 to rule out hacks.

Either one (md5 or SHA256) will do, I reckon, since the well known source of the file.

> Well the booting as a "live disk" on a Windows machine could change things to make them look slightly different.

> But the final verdict can only come from an avast team member, so wait for one to appear and come up with a conclusive answer, as avast team members are the only ones that are entitled to give that answer with authority, as win32:vitro is a very serious and often irreparable infestation of the Windows OS. We aren’t to treat that detection lightly and we won’t.

Indeed, my biggest concern was my Win7 machine on which I made the Knoppix image (have not booted the image on this machine due to Avast alarming). What concerns me is that Avast is not presenting the file name and extension, just linux. But yes, I will wait for the final verdict.

Hello,
detection should be fixed.

Milos

Hello Milos!

Should or are?

Only way is to try to make Avast! detect it again.

Side Note: Nothing in Computer Science is ever a sure thing. What they may have intended to do may not be how Avast! read that new update.

An update 3 months from now may cause Avast! to once again detect it.

Source: Studying Computer Science && Developer (Not for Avast! though. Mostly A3 stuff or personal programs)

And the point of that exercise is to achieve exactly what?

Alright, as per Michael Nostradamus prophecy above, the latest update of Avast now detects win32:vitro twice on the same position instead of once. :)