# ClamAV finds Linux.Lion worm signature in VMWare file?

## MadOtis

Hello all,

Due to a virus detected at work on about a gazillion Windows machines, I decided to do a precautionary scan of my Linux laptop.  Surprisingly, I ran across the following output from clam:

```
//home/cobbr/vmware/WinXPPro/Windows XP Professional-f001.vmdk: Linux.Lion worm FOUND
```

So, being cautious, I checked my chkrootkit output and found nothing (output below)... Are these signatures normal from virtual disk files that VMWare uses, or could a coincidental series of bytes in the file have triggered this find?

Thanks in advance!

Randy

Oh, the chkrootkit output:

```
benxrcobbnb ~ # chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...

/usr/lib/.keep /usr/lib/perl5/5.8.6/i686-linux/auto/DB_File/.packlist /usr/lib/perl5/5.8.6/i686-linux/.packlist /usr/lib/perl5/site_perl/5.8.6/i686-linux/auto/Image/Magick/.packlist /usr/lib/perl5/vendor_perl/5.8.4/i686-linux/auto/XML/Parser/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/IO/Zlib/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/IO/Socket/SSL/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Tk/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/CGI/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/DBD/mysql/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Log/TraceMessages/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Net/DNS/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Net/LDAP/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Net/Daemon/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Net/SSLeay/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Net/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/RPC/PlServer/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/URI/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Tie/IxHash/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/XML/SAX/Base/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/XML/SAX/Writer/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/XML/SAX/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/XML/Twig/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/XML/Filter/BufferText/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/XML/XPath/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/XML/LibXML/Common/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/XML/LibXML/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/XML/Writer/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/XML/NamespaceSupport/.packlist 
/usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/XML/Handler/YAWriter/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/WWW/Mechanize/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Date/Manip/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/HTML/Parser/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/HTML/FromText/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/HTML/LinkExtractor/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Glib/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Gtk2/Spell/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Gtk2/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/MIME/Base64/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/MIME/Lite/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/List/Util/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/SOAP/Lite/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Term/ReadKey/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Test/Harness/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Text/Iconv/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Text/Kakasi/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/YAML/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Digest/MD4/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Digest/MD5/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Digest/HMAC/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Digest/SHA1/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Digest/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Crypt/SSLeay/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Crypt/SmbHash/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Email/Find/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Email/Valid/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Archive/Zip/.packlist 
/usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Lingua/EN/Numbers/Ordinate/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Lingua/Preferred/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Module/Info/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Compress/Zlib/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/HTML-TableExtract/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/HTML-Tree/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/IO-stringy/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Convert/ASN1/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/libwww-perl/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Storable/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Memoize/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Exporter/Lite/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/ExtUtils/ParseXS/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/ExtUtils/Depends/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/ExtUtils/PkgConfig/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/ExtUtils/CBuilder/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Unicode/String/.packlist /usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/IO/String/.packlist /usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/Tk/TableMatrix/.packlist /usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/DBI/.packlist /usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/Pod/Parser/.packlist /usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/XML/Generator/.packlist /usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/HTML/Tagset/.packlist /usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/HTTP/Cache/Transparent/.packlist /usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/Gaim/.packlist /usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/Mail/SpamAssassin/.packlist /usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/Mail/.packlist 
/usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/Test/Simple/.packlist /usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/Authen/PAM/.packlist /usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/XMLTV/.packlist /usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/Archive/Tar/.packlist /usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/Locale/gettext/.packlist /usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/libxml-perl/.packlist /usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/MIME-tools/.packlist /usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/Foomatic/.packlist /usr/lib/nsbrowser/plugins/.keep /usr/lib/ccache/bin/.keep /usr/lib/mozilla/include/ipc/.headerlist /usr/lib/mozilla/include/enigmime/.headerlist /usr/lib/transgaming_cedega/.transgaming /usr/lib/locale/ru_RU/LC_MESSAGES/.keep /usr/lib/python2.3/site-packages/OpenGL/Demo/NeHe/lesson43/.cvsignore /usr/lib/python2.3/site-packages/OpenGL/Demo/NeHe/lesson44/Art/.cvsignore /usr/lib/python2.3/site-packages/OpenGL/Demo/NeHe/lesson44/.cvsignore /usr/lib/python2.3/site-packages/OpenGL/Demo/NeHe/lesson48/.cvsignore /usr/lib/python2.3/site-packages/OpenGL/Demo/NeHe/.cvsignore /usr/lib/eclipse-3/.eclipseproduct /usr/lib/eclipse-3/configuration/org.eclipse.update/.lock /usr/lib/eclipse-3/configuration/org.eclipse.core.runtime/.registry.15 /usr/lib/eclipse-3/configuration/org.eclipse.core.runtime/.keyring /usr/lib/eclipse-3/configuration/org.eclipse.core.runtime/.manager /usr/lib/eclipse-3/configuration/org.eclipse.core.runtime/.manager/.fileTableLock /usr/lib/eclipse-3/configuration/org.eclipse.core.runtime/.manager/.fileTable /usr/lib/eclipse-3/configuration/org.eclipse.osgi/.bundledata /usr/lib/eclipse-3/configuration/org.eclipse.osgi/.state /usr/lib/eclipse-3/plugins/org.eclipse.jface.text_3.0.1/.options /usr/lib/eclipse-3/plugins/org.eclipse.jdt.debug.ui_3.0.1/.options /usr/lib/eclipse-3/plugins/org.eclipse.help.ui_3.0.0/.options /usr/lib/eclipse-3/plugins/org.eclipse.update.configurator_3.0.0/.options 
/usr/lib/eclipse-3/plugins/org.eclipse.jem.beaninfo_1.0.1/.options /usr/lib/eclipse-3/plugins/org.eclipse.core.runtime_3.0.1/.options /usr/lib/eclipse-3/plugins/org.eclipse.ui.externaltools_3.0.1/.options /usr/lib/eclipse-3/plugins/org.eclipse.ui_3.0.1/.options /usr/lib/eclipse-3/plugins/org.eclipse.ant.ui_3.0.1/.options /usr/lib/eclipse-3/plugins/org.eclipse.debug.core_3.0.1/.options /usr/lib/eclipse-3/plugins/org.eclipse.pde.build_3.0.1/feature/rootfiles/.eclipseproduct /usr/lib/eclipse-3/plugins/org.eclipse.pde.build_3.0.1/feature/.project /usr/lib/eclipse-3/plugins/org.eclipse.pde.build_3.0.1/.options /usr/lib/eclipse-3/plugins/org.eclipse.update.core_3.0.1/.options /usr/lib/eclipse-3/plugins/org.eptools.gaijin.core_0.9.1/.options /usr/lib/eclipse-3/plugins/org.eclipse.core.expressions_3.0.0/.options /usr/lib/eclipse-3/plugins/org.eclipse.osgi_3.0.1/.options /usr/lib/eclipse-3/plugins/org.eclipse.jem.proxy_1.0.1/.options /usr/lib/eclipse-3/plugins/org.eclipse.team.core_3.0.0/.options /usr/lib/eclipse-3/plugins/org.eclipse.ant.core_3.0.0/.options /usr/lib/eclipse-3/plugins/org.eclipse.platform.source_3.0.1/src/org.eclipse.ui.intro_3.0.1/.options /usr/lib/eclipse-3/plugins/org.springframework.ide.eclipse.beans.ui_1.0.9/.options /usr/lib/eclipse-3/plugins/org.eclipse.jdt.debug_3.0.1/.options /usr/lib/eclipse-3/plugins/org.eclipse.core.resources_3.0.1/.options /usr/lib/eclipse-3/plugins/org.eclipse.jem_1.0.1/.options /usr/lib/eclipse-3/plugins/jp.azzurri.clay.ui_1.0.5/.options /usr/lib/eclipse-3/plugins/org.eclipse.team.cvs.ssh_3.0.0/.options /usr/lib/eclipse-3/plugins/org.eclipse.help_3.0.0/.options /usr/lib/eclipse-3/plugins/org.eclipse.help.webapp_3.0.1/.options /usr/lib/eclipse-3/plugins/org.eclipse.ve.java.core_1.0.1/.options /usr/lib/eclipse-3/plugins/org.eclipse.jem.ui_1.0.1/.options /usr/lib/eclipse-3/plugins/org.eclipse.jdt.core_3.0.1/.options /usr/lib/eclipse-3/plugins/org.eclipse.debug.ui_3.0.1/.options 
/usr/lib/eclipse-3/plugins/org.eclipse.help.base_3.0.1/.options /usr/lib/eclipse-3/plugins/org.eclipse.core.variables_3.0.0/.options /usr/lib/eclipse-3/plugins/com.ibm.wtp.common.util_1.0.1/.options /usr/lib/eclipse-3/plugins/org.springframework.ide.eclipse.beans.core_1.0.9/.options /usr/lib/eclipse-3/plugins/org.eclipse.jdt.ui_3.0.1/.options /usr/lib/eclipse-3/plugins/org.eclipse.team.cvs.core_3.0.1/.options /usr/lib/eclipse-3/plugins/org.eclipse.ui.intro_3.0.1/.options /usr/lib/eclipse-3/plugins/org.eclipse.ui.console_3.0.0/.options /usr/lib/eclipse-3/plugins/org.eclipse.ve.java.core_1.0.1.1/.options /lib/.keep /lib/dev-state/.keep /lib/dev-state/.udevdb /lib/rcscripts/sh/.keep /lib/rcscripts/awk/.keep /lib/rcscripts/.keep /lib/udev-state/.keep

/usr/lib/transgaming_cedega/.transgaming /usr/lib/eclipse-3/configuration/org.eclipse.core.runtime/.manager /lib/dev-state/.udevdb
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for anomalies in shell history files... Warning: `//root/workspace/.metadata/.plugins/org.eclipse.core.resources/.history' is linked to another file
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... /proc/23375/fd: No such file or directory
eth0: PF_PACKET(/sbin/dhcpcd, /sbin/dhcpcd)
vmnet1: not promisc and no PF_PACKET sockets
vmnet8: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... 1 deletion(s) between Thu Jan 20 10:16:24 2005 and Thu Jan 20 10:17:29 2005
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted
```

----------

## MadOtis

I also did a scan while the XP OS was running within VMWare, and it also found no viruses...

Anyone have any idea if I should be worried about it or not?

----------

## frilled

Isn't that supposed to be a Linux worm? Then it should not be able to run in the XP VM. In which case I think it probably is a false alarm, since the VM disk file is not executable...

----------
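The false-alarm reasoning in the reply above rests on the fact that a content scanner matches bytes inside a file, whether or not the file can run. As an added illustration (not part of the thread and not ClamAV's code), this Python example streams a large flat file such as a VMDK extent, finds every offset of a byte pattern even when it straddles a read-chunk boundary, and reports the sector it falls in plus whether the file has any execute bit. The pattern and the sample file are constructed placeholders, not the real Linux.Lion signature.

```python
import os
import tempfile

SECTOR = 512  # sector size used to report where in the image a hit lies
# Constructed placeholder bytes; NOT the real ClamAV Linux.Lion signature.
PATTERN = b"CONSTRUCTED-SIG-BYTES"


def find_pattern_offsets(path, pattern, chunk_size=1 << 20):
    """Stream a large file and return every offset where pattern occurs."""
    if not pattern or chunk_size <= 0:
        raise ValueError("pattern and chunk_size must be non-empty/positive")
    overlap = len(pattern) - 1   # bytes carried over so boundary hits are seen
    hits, tail, base = [], b"", 0  # base = file offset of window[0]
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window = tail + chunk
            pos = window.find(pattern)
            while pos != -1:
                hits.append(base + pos)
                pos = window.find(pattern, pos + 1)
            tail = window[-overlap:] if overlap else b""
            base += len(window) - len(tail)
    return hits


def triage(path, pattern, chunk_size=1 << 20):
    """Return (offset, sector, offset_in_sector) per hit and the exec-bit flag."""
    hits = find_pattern_offsets(path, pattern, chunk_size)
    has_exec_bit = bool(os.stat(path).st_mode & 0o111)
    return [(o, o // SECTOR, o % SECTOR) for o in hits], has_exec_bit


def demo():
    """Build a constructed 4-sector 'disk image' and scan it in 512-byte reads."""
    data = bytearray(4 * SECTOR)
    data[508:508 + len(PATTERN)] = PATTERN    # straddles the first chunk boundary
    data[1300:1300 + len(PATTERN)] = PATTERN  # lies wholly inside sector 2
    fd, path = tempfile.mkstemp(suffix=".vmdk")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return triage(path, PATTERN, chunk_size=SECTOR)
    finally:
        os.remove(path)
```

Both hits are reported even though the file is plain data with no execute bit, which is why a match inside a guest disk image needs its context checked before it is treated as an infection of the host.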

