1

When using "cat /dev/sda" I see the word trojan appear a lot as well as many names of known trojans like Nymaim, Bedep and so on. Here is a snippet:


I'm running Ubuntu 16.04 LTS.

Does this mean I am infected with various Malware/Trojans and if so how do I safely remove them?

Or is a full hard drive wipe the safest way?

Thanks in advance

  • No. `cat /dev/sda` prints the raw contents of your first hard disk. Probably what you see is part of a malware signature file used by some antivirus software you might have installed. – Byte Commander Nov 23 '17 at 22:22
  • Hum, it is strange to see this kind of line when doing a cat of binary data. I just tried and got a lot of �;��H��SH�+, not the same output as you. Is it somewhere at the beginning of the output? – ob2 Nov 23 '17 at 22:26
  • Thank you for the responses, I do get weird encoding as you mention @olivierb2 but amongst it is the odd bits of plaintext and that plain text contained the code listed above – Shaun Faulkner Nov 23 '17 at 22:28
  • 1
    @olivierb2 If you really do `cat /dev/sda`, you will get gigabytes of data - everything your hard disk contains, including unpartitioned and unused space and all old remainders in there. Most of that will be binary or look like garbage, but it could be e.g. fed into `grep` or `strings` to filter the stuff. There's no real purpose for which one would ever do this all though. – Byte Commander Nov 23 '17 at 22:30
  • So in that case, @Byte Commander is right, this is just a file somewhere on your hard drive. – ob2 Nov 23 '17 at 22:30
  • @Byte Commander, yes I know, I was just thinking this output was at the beginning of the disk and was surprised by the "clean" output format. No worries as I immediately pressed CTRL+C ;-) – ob2 Nov 23 '17 at 22:32
  • @ShaunFaulkner Btw, if my answer below solved your problem, please consider accepting it by clicking the grey round check button on its left, in order to mark your question as answered. Thanks and welcome. – Byte Commander Nov 24 '17 at 09:42

1 Answer

4

There is absolutely nothing to worry about.

`cat /dev/sda` prints the raw contents of your whole first hard disk (all partitions and unpartitioned space, including all files on there as well as all unused space which might contain remainders of stuff that was previously stored there).

What you see is part of a malware signature file used by some antivirus software you might have installed.


I actually checked these lines on my own system and I found them - they are part of the file `/var/lib/clamav/daily.cld` (and maybe some other files in that directory).

As expected, this file is part of ClamAV, a malware scanner. If you want, you can examine this file with a text viewer like `less /var/lib/clamav/daily.cld` (probably better not with a GUI editor, because the file is quite big, around 100-200MB).

Byte Commander
  • Great, thanks a lot for that Byte Commander, I do have clamav, I ran a scan with it too which only picked up some false positives – Shaun Faulkner Nov 24 '17 at 16:07
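
The check described in the answer, as an added example that is not part of the original thread: pull signature-shaped records out of a binary image with `grep` instead of reading `cat` output, then find which file holds a given string. The function names, the demo directory layout and the sample records (all-zero hashes, made-up names) are constructed for illustration.

```shell
#!/bin/sh
# Added example: trace text seen in raw disk output back to its source file.
export LC_ALL=C   # byte-wise matching, so binary data cannot confuse grep

# Record shape from the question: 32 hex chars, a size (or *), a signature
# name, and an optional trailing number, separated by colons.
SIG_RE='[0-9a-f]{32}:([0-9]+|\*):[A-Za-z0-9._-]+(:[0-9]+)?'

# Print every signature-shaped record embedded in a binary file or image.
extract_signature_records() {
    grep -aoE "$SIG_RE" "$1"
}

# Count records per family, e.g. Win.Malware.Example-1 counts as Example.
count_families() {
    extract_signature_records "$1" | cut -d: -f3 | cut -d. -f3 |
        cut -d- -f1 | sort | uniq -c | awk '{ print $2 "=" $1 }'
}

# List the files under a directory that contain an exact string.
find_source_files() {
    grep -rlaF -- "$1" "$2"
}

# Constructed demo data: a small signature file, an unrelated file, and a
# fake "disk image" that embeds the signature file between binary bytes.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/clamav" "$d/home"
    printf '%s\n' \
        '00000000000000000000000000000001:1024:Win.Malware.Example-1:73' \
        '00000000000000000000000000000002:2048:Win.Malware.Example-2:73' \
        '00000000000000000000000000000003:4096:Win.Trojan.Sample-7:73' \
        > "$d/clamav/daily.cld"
    printf 'shopping list\n' > "$d/home/notes.txt"
    { printf '\001\002\377junk'; cat "$d/clamav/daily.cld"; printf '\376tail\n'; } \
        > "$d/disk.img"
    echo "$d"
}

demo=$(make_demo)
count_families "$demo/disk.img"                         # families in the image
find_source_files 'Win.Trojan.Sample-7' "$demo/clamav"  # file holding one record
rm -rf "$demo"
```

On a real system the same functions can be pointed at a directory such as `/var/lib/clamav`, the location named in the answer; reading a block device directly requires root.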