Advanced search

Message boards : Number crunching : BOINC Trojan

Author Message
PappaLitto
Send message
Joined: 21 Mar 16
Posts: 399
Credit: 2,740,072,772
RAC: 1,017,203
Level
Phe
Scientific publications
watwat
Message 49337 - Posted: 20 Apr 2018 | 13:14:13 UTC
Last modified: 20 Apr 2018 | 13:16:32 UTC

I just checked all my machines and noticed that multiple of them had a Trojan listed as "severe." None of these machines have ever opened a internet browser so the only way they can communicate with the outside world is BOINC. Below is a picture of what windows defender caught: Trojan: Script/Cloxer.D!cl
https://ibb.co/cW4ME7

I highly suggest everyone check all of their systems and update windows. It should download and install the latest windows defender definitions of which hopefully will help.

Please let me know if anyone else has received this virus.

Richard Haselgrove
Send message
Joined: 11 Jul 09
Posts: 883
Credit: 1,731,732,320
RAC: 1,222,231
Level
His
Scientific publications
watwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwat
Message 49339 - Posted: 20 Apr 2018 | 14:02:44 UTC - in response to Message 49337.
Last modified: 20 Apr 2018 | 14:04:16 UTC

Have you submitted it to https://www.virustotal.com/#/home/upload for a second (multiple) opinion?

Which project had a task running in your slots\4 at the time? Oh, sorry - forget that, it's one of ours.



It's not one of the files sent to us by the project as part of a workunit, and it isn't one we send back as part of a result, either. It's just part of the checkpointing that enables up to pick up on a part-processed task after a restart. The creation time for my example suggests that, too - it was written, on my machine, by a program running on my machine: namely, the acemd program we will have received months ago with our first cuda80 task.

Check it further by all means, but I'd be pretty damn sure it's another proof of the Shakespearean principle: an infinite number of monkeys, using an infinite number of typewriters, will eventually write something that looks like a computer virus

Profile Retvari Zoltan
Avatar
Send message
Joined: 20 Jan 09
Posts: 1943
Credit: 12,295,783,919
RAC: 3,257,605
Level
Trp
Scientific publications
watwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwat
Message 49340 - Posted: 20 Apr 2018 | 14:59:52 UTC - in response to Message 49339.
Last modified: 20 Apr 2018 | 15:01:44 UTC

(The file in question is restart.idx, which is the part of the checkpoint the app makes frequently)

Have you submitted it to https://www.virustotal.com/#/home/upload for a second (multiple) opinion?
This is quite futile for two reasons:
1. The content of this file is changing, so the submitted sample will be different from what the original AV checked.
2. If it has the same content then the same algorithm (pattern recognition, heuristics, AI) of different AV will detect the same threat.

The practice of checking a file in question with multiple AV is ambiguous in general because in most cases it could give both positive and negative results, so it depends on the user which one to believe. (The most of AV softwares use a common database for pattern recognition.)

... but I'd be pretty damn sure it's another proof of the Shakespearean principle: an infinite number of monkeys, using an infinite number of typewriters, will eventually write something that looks like a computer virus
I agree: this is a false positive.

Profile Retvari Zoltan
Avatar
Send message
Joined: 20 Jan 09
Posts: 1943
Credit: 12,295,783,919
RAC: 3,257,605
Level
Trp
Scientific publications
watwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwat
Message 49349 - Posted: 21 Apr 2018 | 8:35:42 UTC - in response to Message 49337.
Last modified: 21 Apr 2018 | 8:36:47 UTC

Please let me know if anyone else has received this virus.
I've had similar virus warning this morning.
Your is Cloxer.D!cl
Mine is Cloxer.A!cl
BTW if I check the file (restart.idx) now, it won't detect any threat in it.
Accidentally I have two AV on my hosts; but only Microsoft's builtin AV finds this trojan in this file, my other AV (Malwarebyte's Antimalware) does not. (perhaps MSAV quarantined the file before the other AV could check it.)

Post to thread

Message boards : Number crunching : BOINC Trojan