
Virus?

Anton
2014-01-12
2014-02-13
  • fnukyguy d
    2014-01-13

    There was definitely a trojan on camstudio.org yesterday, named CamStudio_Setup_v2.7.2_r326_(build_19Oct2013).exe.

    The trojan tried to steal website logins/passwords from all browsers using WebBrowserPassView and send them over the net.
    Just check here:

    https://www.virustotal.com/en/file/15611846820c3eb828a7e1ec837f4747b3190e18bc84c45edddf3ac8d8145be9/analysis/

    I ran the file and saw it myself: it unpacked 4 instances of WebBrowserPassView.exe to the tmp folder and made .txt files that it tried to send over the net.

     
  • Anton
    2014-01-13

    Seems that somebody hacked camstudio.org and uploaded a virus instead of the normal setup.

     
  • fnukyguy d
    2014-01-13

    I just downloaded and ran the .exe file, and was puzzled as to why it seemed like nothing was happening on my screen.

    Then I went into the Windows temp folder and found those WebBrowserPassView.exe files and empty .txt files, created at the exact same time the CamStudio .exe file was run.

    I don't know if it successfully sent anything over the net from my computer, but
    just to be sure I changed all the passwords that my browsers had saved.

     
  • Ilya S
    2014-02-12

    Hi guys. Please tell me if it is safe to download and install CamStudio from the Amazon S3 link https://s3.amazonaws.com/csg7f89g7f9/CamStudio_Setup_v2.7.2_r326_(build_19Oct2013).exe
    >sigcheck "CamStudio_Setup_v2.7.2_r326_(build_19Oct2013).exe"
    Verified: Signed
    Signing date: 14:18 29.01.2014
    Publisher: WorldSetup
    MD5:0062580edda7e80516482ea00539c9f9
    SHA1:250db9e37c980365ff38ebbca5715b356b672c76
    It downloads a trojan into the file icreinstall_camstudio_setup_v2.7.2_r326_(build_19oct2013).exe, which has the same hash (so it downloads itself again), right after start, even before Next is pressed in the installer window.
    https://www.virustotal.com/ru/file/2166cf784596f9e620c65dedd3ee20a4f9058a9beb1a8e882843bbbecc0ab44a/analysis/
    This is scary, because you said on 2014-01-13 that the installer is clean. Why was the file signed later, on 2014-01-29?
    Do you own or have control over the WorldSetup certificate (Thumbprint: dd 36 a7 d7 66 eb ed 9c 98 0d c5 c0 b9 1a 80 1b 97 1f 95 e0) which is used to sign the installer?
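
    As an added example (not code from this thread or from the CamStudio project), here is a small Python check a defender can run over sigcheck-style output before trusting an installer: it pins the expected publisher and published hash instead of trusting "Verified: Signed" alone, and flags a signing date later than the release. The sample output below is constructed from the fields quoted in the post above; the expected publisher, hash and release date are hypothetical placeholders.

```python
import re
from datetime import datetime

# Constructed sigcheck-style output; the field values are the ones quoted in the thread.
SIGCHECK_OUTPUT = """\
Verified:       Signed
Signing date:   14:18 29.01.2014
Publisher:      WorldSetup
MD5:            0062580edda7e80516482ea00539c9f9
SHA1:           250db9e37c980365ff38ebbca5715b356b672c76
"""

# Hypothetical values a defender would record from the project's own release notes.
EXPECTED = {
    "publisher": "Example CamStudio Publisher",  # hypothetical signer name
    "sha1": "<SHA1 published by the project>",   # placeholder, not a real hash
    "release_date": "13.01.2014",                # dd.mm.yyyy, as sigcheck prints dates
}

def parse_sigcheck(text):
    """Turn 'Field: value' lines into a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9 ]+):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2)
    return fields

def check_installer(text, expected):
    """Return the reasons not to trust the installer; an empty list means it passed."""
    f = parse_sigcheck(text)
    findings = []
    if f.get("verified") != "Signed":
        findings.append("signature missing or not valid")
    # "Signed" only proves who signed it; the signer must be the publisher you expect.
    if f.get("publisher", "").casefold() != expected["publisher"].casefold():
        findings.append("publisher %r is not the expected publisher" % f.get("publisher"))
    if f.get("sha1", "").lower() != expected["sha1"].lower():
        findings.append("SHA1 does not match the published hash")
    signed = f.get("signing date")
    if signed is None:
        findings.append("no signing date")
    else:
        signed_at = datetime.strptime(signed, "%H:%M %d.%m.%Y")
        released = datetime.strptime(expected["release_date"], "%d.%m.%Y")
        if signed_at > released:
            findings.append("signed on %s, after the release date" % signed_at.date())
    return findings
```

    Run against the constructed output above, the check reports three findings (unexpected publisher, hash mismatch, signed after release); only when all three expectations are met does it return an empty list.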

     
    • Nick Smith
      2014-02-12

      Yes, it is safe - it is mistakenly flagged by some AVs as malware - it isn't.

      Cheers

      Nick :o)

      • Ilya S
        2014-02-13

        OK, thank you, Nick. I've reported the false alarm to my AV vendor.
        Could you please elaborate on why the installer was re-signed on 2014-01-29, after its re-release on 2014-01-13?
        I'm not sure, but it might be a sign of re-infection and re-signing of the file, if you for whatever reason didn't re-sign the file yourself. This tactic is used when the private key of your signing certificate is stolen.