While updating the built-in Debian+MATE, the update script detected three unexpected files in the /boot filesystem:
- autorun.inf
- darfrp.exe
- lxrx.pif
The updater offered to remove them, but couldn't because the filesystem was read-only (probably by design?). I made a copy of the files, remounted /boot as read-write, then removed them. I then rebooted to complete the update.
I then submitted the .exe and .pif files to Kaspersky's online scanner, which identified them both as "Trojan.Win32.Small.cox".
Any idea how these files could have made it onto my pristine-from-factory pinebook pro?
Also, can I download a pristine factory image online, verify it, and overwrite the entire eMMC to ensure there's no trace of the malware left?
Ah, I found this thread, which describes the problem and its resolution: https://forum.pine64.org/showthread.php?tid=8198

 Windows malware on /boot from factory?
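As an added example (not from the post or the thread it links), the check an operator could run against a mounted boot partition before deciding what to remove, plus the image verification the post asks about: it lists autorun.inf and any file that begins with the DOS/PE "MZ" magic regardless of extension, and compares a downloaded image's SHA-256 with a published value. The sample /boot contents are constructed here; only the file names echo the post.

```shell
#!/bin/sh
# Added example (not from the post): report Windows autorun artifacts on a
# mounted boot partition, and check a downloaded image's SHA-256 before it
# is written to the eMMC. It only reports; removal stays with the operator.

# Print "<kind>\t<path>" for each suspicious regular file directly under $1:
# autorun.inf by name, and anything whose first two bytes are the DOS/PE
# "MZ" magic, whatever its extension (.pif, .scr, .dat ...). Returns 1 if
# anything was found so it can gate a script.
scan_boot_dir() {
    dir=$1
    hits=0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        lower=$(basename "$f" | tr 'A-Z' 'a-z')
        magic=$(head -c 2 "$f" 2>/dev/null)
        if [ "$lower" = "autorun.inf" ]; then
            printf 'autorun\t%s\n' "$f"; hits=$((hits + 1))
        elif [ "$magic" = "MZ" ]; then
            printf 'pe-binary\t%s\n' "$f"; hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Compare a downloaded image with the SHA-256 published beside it ($2).
verify_image_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Constructed sample standing in for /boot: a benign extlinux config and
# kernel blob next to the three file names the post reported. Prints the
# temporary directory path.
make_sample_boot() {
    d=$(mktemp -d)
    mkdir -p "$d/extlinux"
    printf 'label Debian\n  kernel /Image\n' > "$d/extlinux/extlinux.conf"
    printf '\037\213\010' > "$d/Image"      # gzip magic, not MZ
    printf '[autorun]\n' > "$d/autorun.inf"
    printf 'MZ\220' > "$d/darfrp.exe"        # DOS/PE header start
    printf 'MZ\220' > "$d/lxrx.pif"          # same magic, odd extension
    printf '%s' "$d"
}

sample=$(make_sample_boot)
scan_boot_dir "$sample" || echo "suspicious files listed above; nothing removed"
rm -rf "$sample"
```

On a real device, point scan_boot_dir at the mounted boot partition while it is still read-only; the magic check catches renamed executables that an extension filter would miss.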