First virus picked up by ClamXav...

Discussion in 'OS X Mavericks (10.9)' started by Braders88, Jun 28, 2014.

  1. Braders88 macrumors newbie

    Braders88

    Joined:
    Oct 2, 2013
    Location:
    Liverpool, England
    #1
    Hello Macrumors community,

    I ran a scan like I do once a week on my Mac and today I heard a 'ping' sound. It appears that ClamXav has picked up my very first virus?

    Filename 'hl2.exe'
    Win.Trojan.Skintrim-5564
    Status: Quarantined

    I understand that hl2.exe comes from a game I have installed on my Mac via Steam (Half Life 2) although I have had this game installed for years!
    Is this for any reason a cause for concern? Shall I delete the file or keep it quarantined? Is this file a clone name?

    If anybody could pass on some information on the next steps to take or even identify this as a false positive I would be very grateful

    Kindest Regards
     
  2. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #2
    That's not a virus, but malware - Windows malware at that.

    Both OS X and Windows have malware, but there are no viruses in the wild for OS X.
     
  3. Shrink macrumors G3

    Shrink

    Joined:
    Feb 26, 2011
    Location:
    New England, USA
    #3
    Sorry to be a fuss budget...but it's not a virus, as there are no viruses in the wild that affect Mac OS at this time.

    Generally, not a reason for concern. I would just delete it...but there are others who will respond and give you more authoritative advice than mine.:D
     
  4. Braders88 thread starter macrumors newbie

    Braders88

    Joined:
    Oct 2, 2013
    Location:
    Liverpool, England
    #4
    Apologies for my vague title. I have tried putting it in the recycle bin, is this how you remove Windows Malware from a Mac? I have never really been in a situation with this on my Mac. I will try a second scan when it is complete.
    I find it odd though that a big company like Steam would have such an "odd" file, unless of course it is a false positive, but I am unaware of this.
     
  5. DeltaMac macrumors 604

    DeltaMac

    Joined:
    Jul 30, 2003
    Location:
    Delaware
    #5
    Trojans, and other forms of malware, often are disguised as seemingly-harmless files, or just appearing as something else, like a video or picture file.
    Although you may see a file named "hl2.exe", it may simply be the package that the malware is using. Looks completely ordinary, yet has a hidden "surprise". They also typically will change appearance, and take on some file that is already on your computer.
    Your ClamXav gets frequent updates for threats. Some updates may be for threats that you have had on your computer for a long time.
    It's nearly impossible for ANY antivirus to keep up with all threats.

    The trojan Skintrim is a threat when booted to Windows, but will not cause harm to OS X.

    As others have said - you can bin that quarantined file, so when you run your ClamXav, that threat is gone.
    If you do boot to Windows (boot camp) to run your games, then there's a more involved process for removing that threat. I read that there is a Skintrim removal tool. If you need that for Windows, google for it.
     
  6. Braders88 thread starter macrumors newbie

    Braders88

    Joined:
    Oct 2, 2013
    Location:
    Liverpool, England
    #6
    Thank you for your valuable information DeltaMac. When you say delete it from my Mac using the recycle bin, does this mean I have actually removed the infected file or simply removed the hunt for it on my machine so it will not show up in future scans but instead lie dormant? I don't really use bootcamp but with you saying it is no use to OSX then I am feeling much better.

    Thank you again!
     
  7. DeltaMac macrumors 604

    DeltaMac

    Joined:
    Jul 30, 2003
    Location:
    Delaware
    #7
    If that one file (hl2.exe) is reported and quarantined, then put that file in the trash, then empty the trash. Nothing will be lying dormant, unless you are using Windows on your Mac. Run your scan again afterwards, to check for "no threats found".
    You said that you "don't really use bootcamp" ….
    Does that mean that you don't have Windows installed at all, or do you have Windows in a virtual machine like Parallels or VMWare?
    How do you run your Steam games? Do you ONLY use Mac games in Steam, or do you use Windows for that, which would give you a lot more choices for games?
     
  8. Braders88 thread starter macrumors newbie

    Braders88

    Joined:
    Oct 2, 2013
    Location:
    Liverpool, England
    #8
    That is great news, I removed it from the trash and the scan is around 80% complete and no threats have been found.
    I used it on an old machine but there is no bootcamp or similar software on here - strictly OSX only.
    Yes, I only use Steam for Mac, I bought the games years ago for PC but thankfully Steam converted them to be able to run on Mac so this is how I get around playing them. I sadly don't have time for playing many games these days other than the ones on my iPhone.

    The only game I installed on my machine recently is The Sims 3, but the disk states it can run on Windows or Mac.

    I am starting to believe this file has been on my machine for a while and like you stated has only been noted recently with ClamXav updates.
     
  9. CommandoD macrumors newbie

    CommandoD

    Joined:
    Jul 5, 2014
    #9
    Win.Trojan.Skintrim-5564

    I ran ClamXav today and it has just picked up two Win.Trojan.Skintrim-5564 files, "hl2.exe" and "hl2 16.12.16.exe".

    They have now been dispatched to that place where all Windows products belong.
     
  10. macgeneral macrumors newbie

    Joined:
    Oct 7, 2014
    #10
    same thing here, probably a wrong signature

    I had the same result today, but because I got Half Life 2 (legal) over Steam I doubted the result (.exe files don't affect you on Macs anyway and I doubt Valve pushes malware to their customers).

    So I uploaded the file to virustotal.com and the result is that it's harmless:
    https://www.virustotal.com/de/file/...3cc0a2929f249d4cd1a81641/analysis/1412698718/


    Probably just a wrong signature in Clam(X)AV
     

  11. Peace macrumors Core

    Peace

    Joined:
    Apr 1, 2005
    Location:
    Space--The ONLY Frontier
  12. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #12
    No, ClamXav detects both OS X and Windows malware, so it's normal.
     
  13. macgeneral macrumors newbie

    Joined:
    Oct 7, 2014
    #13
    Yes I know, that's why I uploaded the file to Virustotal which says it's no virus (54 of 55 scanners say it's nothing)! The only way this could have gotten onto my Mac was through Steam directly which I doubt is the case (I guess Valve is not stupid).

    Clam(X)AV often finds things that are nothing - for example today it marked 60 e-mails as Heuristic Phishing Mail and they all were from Amazon and Paypal (original ones I had stored for years).


    Never trust one Virus/Malware Scanner... happens now and then that on Windows they misdetect System Libraries for malware and kill your OS.

    I still doubt the use of Malware Scanners on Mac.


    Oh and Avast, Avira & Co (those who install kexts) often made my Mac crash upon shutdown (which forced me to force a shutdown by holding the power button), which 2 times already resulted in damaged/corrupt FileVault headers, which forced me to reformat my HDD and restore from Backup. So I'm glad at least ClamXAV doesn't install those things.
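
A way to check the two points raised in posts #10 and #13 before deciding what to do with a flagged file: whether it is a Windows PE rather than a Mach-O binary, and what its SHA-256 is, so an existing multi-scanner report can be looked up by hash. This is an added example, not code from any poster or from ClamXav; `triage`, `build_sample_pe` and the sample bytes are constructed for illustration.

```python
import hashlib
import struct

# Magic numbers as they appear on disk. Note 0xCAFEBABE is shared with
# Java class files, so a "Mach-O" verdict on that magic is only a hint.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O (BE/LE)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O (BE/LE)
    b"\xca\xfe\xba\xbe",                        # universal (fat) binary
}
PE_MACHINES = {0x014C: "x86", 0x8664: "x86-64"}


def triage(data: bytes) -> dict:
    """Classify a flagged file by container format and hash it for lookup."""
    report = {"sha256": hashlib.sha256(data).hexdigest(),
              "format": "unknown", "native_os_x_format": False}
    if data[:4] in MACHO_MAGICS:
        report.update(format="Mach-O", native_os_x_format=True)
    elif data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew (offset 0x3C) points at the "PE\0\0" signature.
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] == b"PE\x00\x00" and len(data) >= pe_off + 6:
            (machine,) = struct.unpack_from("<H", data, pe_off + 4)
            report["format"] = "PE/" + PE_MACHINES.get(machine, hex(machine))
        else:
            report["format"] = "MZ (no valid PE header)"
    return report


def build_sample_pe() -> bytes:
    """Constructed sample: the minimal header shape of a 32-bit Windows PE."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # PE header follows the DOS stub
    return bytes(dos) + b"PE\x00\x00" + struct.pack("<H", 0x014C) + bytes(18)


if __name__ == "__main__":
    # For a real file: triage(open(path, "rb").read())
    print(triage(build_sample_pe()))
```

A `PE/...` result means OS X itself will not execute the file; it still matters on a Boot Camp partition or in a Windows virtual machine, as post #5 points out.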
     
