Ubuntu
initramfs-tools package

  1. Bug #1641230
  2. Comment #15

Comment 15 for bug 1641230

Revision history for this message
Clayton M. (cemarrio) wrote : Re: package linux-image-4.4.0-43-generic 4.4.0-43.63 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1 due to /usr/share/initramfs-tools/hooks/fsck failed with return 1

I shut down the VM and used a live ISO to take a look at the filesystem. You were correct - there is an /etc/ld.so.preload which points to /lib/libgcwrap.so. There is also a /usr/lib/libgcwrap.so copy.

These files were marked as immutable and were not visible from the booted system. I took a look at the cron configurations and found the root user had an entry for "perfcc". Looking this up, perfcc/perfctl is a crypto-miner malware.

Thanks for all your help in troubleshooting this. I hope it clarifies for someone what may be afoot if they find libgcwrap present on their system; there was nothing available on the popular search engines about it.