Trojan horse in "clamav" source package???
Hey there,
Absolute complete newbie to Ubuntu here, although I have 10 years of experience (1986-1996) writing custom kernel device drivers for proprietary "real-time Unix" (NOT Linux) systems ... Perhaps this "question" should have been directed elsewhere -- bug reports? -- but this venue seemed to be the quickest and easiest way for an Ubuntu newbie like me ...
I installed Ubuntu 10.04.2 LTS (lucid) onto a 16 GB USB flash drive (HP v125w), using an "alternate installation CD" (i386) that I burned from the corresponding official Ubuntu ISO image, and I immediately upgraded all of the installed Ubuntu packages (including the kernel) to the latest (supported) 10.04.2 downloads available -- from "lucid/main", "lucid-
HOWEVER, I wrote a script using "apt-src" (unsupported by Canonical, I know) to download/install ALL of the available "main" and "restricted" (i.e., supported by Canonical) source packages on the 2.0 TB RAID 0 hard drive[s] on my Dell Studio XPS 8100 box (Core i7-860) ... I knew that this massive source download would be far too large for my 16 GB USB drive, which is why I used the massive drive on my Windows 7 Ultimate Edition system ... (But I forgot that "apt-src" ALSO automatically downloads/installs all of the binary packages needed for the build dependencies of the source packages, and of course, it does that in the root file system on the USB drive ... So this unattended installation of all source packages took a LOT longer than I expected, and it also used up a nice chunk of my USB drive as well ... Shoulda just used the supported "apt-get source", I guess ... SUB-QUESTION: Any way to identify/
Anyway -- that whole process went about as well as I could expect (I think a few source packages failed to install somehow) ... BUT, shortly after I shut down Ubuntu and booted to Windows, my Norton 360 Premier v4.0 notified me that a "quick scan" of my (NTFS) file system had detected a dangerous TROJAN HORSE file in the installed "clamav" source package, to wit:
clamav-
Was this file actually downloaded from the source archives? (I still have the tar.gz file) ... Also, I should point out that the signatures for all of the source packages couldn't be verified, for some reason, but I assume the checksum(s) were OK? I believe Norton 360 would have protected my Windows system, but is it possible that this file got "planted" on my RAID 0 hard drive[s] while I was running Ubuntu off the USB drive? My RAID 0 volume was, of course, mounted at the time because I was using it for the download/install of source packages ...
My concern, obviously, is that this infected file is actually in the source archives, and could be downloaded by anyone fetching the "clamav" source package (at least) ... Any idea how this Trojan horse got imbedded in my installed source packages???
Thanks,
Kevin
Question information
- Language: English
- Status: Solved
- For: Ubuntu clamav
- Assignee: No assignee
- Solved by: Federico Tello Gentile