
Help - infected with Copyright 1193


gewb

Help!

 

My 9.0 has been infected with Copyright 1193. The file infected is in "/proc" file name "kcore" (looks to be a crash dump file, 267meg in size). The file will not allow deletion or changing privileges.

 

What is the "kcore" file? Does the system need it? How can I delete it?

 

Note that I have recently updated my system from two sources: Mandrake update (I forgot what mirror) and Ximian Redcarpet update. I have not installed any other software EXCEPT the AV software that found the infection.

 

Regards,

Linux-newbie

NOSPAMgewb@att.net

(remove NOSPAM)


I think your antivirus is screwed up. If you check the kcore file using ls -al kcore, you see that it is updated every minute. I have a feeling it is something very important to kde, maybe something like a swap file or memory mapping perhaps? Do you have 256 mb of memory?


I think DragonMage is correct. Besides, a quick check on that virus says:

 

Platform: PC/MS-DOS

Reported to infect .COM files incl COMMAND.COM, and load itself into RAM and remain resident, and directly or indirectly corrupt file linkages.


/proc/kcore is a kernel working file. Don't touch it. Don't worry about it. It is not actually the size it seems to be. Aside from that, I don't know anything else. It is not (cannot be?) corrupted, else your system would probably not run anymore.

 

Yves.


kcore: This file represents the physical memory of the system and is stored in the core file format. With this pseudo-file, and an unstripped kernel (/usr/src/linux/tools/zSystem) binary, GDB can be used to examine the current state of any kernel data structures.

 

The total length of the file is the size of physical memory (RAM) plus 4KB.  

For more reading: http://www.mandrakeuser.org/mub/viewtopic....ic=6726&forum=5

 

Also, even if you think that this file is big, it is not! ..like the rest of the /proc directory. Those files are not real actually. Look at that:

 

[root@localhost gd]# du -sh /proc/kcore
0       /proc/kcore
[root@localhost gd]# du -sh /proc
0       /proc

 

And you CAN'T actually delete kcore. Try! You'll see. Just reboot and with Konq (or Nautilus) right-click kcore and select 'properties'. The file will be exactly the size of your memory. When you shut down your computer, the file is deleted and when you restart the file is rebuilt.

 

About Copyright 1193, I have no idea.

 

MOttS
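
Added example (not part of any post in this thread): a triage helper that separates scanner hits on kernel pseudo-files such as /proc/kcore from hits on real on-disk files, by matching each flagged path against a mount table in /proc/mounts format. The function names, the `PSEUDO_FS` set and the sample mount table are assumptions constructed for illustration.

```python
# Added example: is a scanner hit on a kernel pseudo-file or on a disk file?
import posixpath

# Assumption: filesystem types treated as kernel-generated, not disk storage.
PSEUDO_FS = {"proc", "sysfs", "devpts"}

# Constructed sample in /proc/mounts format (device, mount point, type, ...).
SAMPLE_MOUNTS = """\
/dev/hda1 / ext3 rw 0 0
none /proc proc rw 0 0
none /dev/pts devpts rw 0 0
/dev/hda5 /home ext3 rw 0 0
/dev/hda6 /mnt/my\\040data ext3 rw 0 0
"""

def parse_mounts(text):
    """Return [(mount_point, fstype)] from /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        # The kernel writes a space in a mount point as the escape \040.
        mounts.append((fields[1].replace("\\040", " "), fields[2]))
    return mounts

def fs_for(path, mounts):
    """Longest-prefix match of a normalised path against mount points."""
    path = posixpath.normpath(path)  # collapses "..", does not follow symlinks
    best = ("", "unknown")
    for mnt, fstype in mounts:
        prefix = mnt.rstrip("/") + "/"
        # ">=" lets a later mount on the same point shadow an earlier one.
        if (path == mnt or path.startswith(prefix)) and len(mnt) >= len(best[0]):
            best = (mnt, fstype)
    return best

def triage(hits, mounts_text=SAMPLE_MOUNTS):
    """Split flagged paths into (pseudo_file_hits, on_disk_hits)."""
    mounts = parse_mounts(mounts_text)
    pseudo, on_disk = [], []
    for path in hits:
        _, fstype = fs_for(path, mounts)
        (pseudo if fstype in PSEUDO_FS else on_disk).append(path)
    return pseudo, on_disk

if __name__ == "__main__":
    print(triage(["/proc/kcore", "/home/gd/a.out"]))
```

A hit in the first list means the scanner read live kernel or memory contents rather than a stored file, so it needs to be reviewed differently from a hit on disk.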


Thanks to all who responded. I had a terrible night of sleep thinking about this. I've been a Winblows user since Winblows 286 (1989) and NEVER had an infection so you can imagine how upset I was thinking my 2 year Linux record had ended!

 

Given the apparent nature of the kcore file, I think the virus definition list may have been loaded into it - thus, when I ran a system scan it showed up as infected.

 

I'll not worry about it and I'll drop a line to the programmer.

 

Thanks again to everyone!

 

Regards,

Linux-newbie
