
AVG 7.5 finds trojan in npp 4.2.2

2008-06-12
2012-11-13
  • Derek Wells

    Derek Wells - 2008-06-12

    Hi, my AVG 7.5 found the trojan Vundo.t in both of my copies of Notepad++ 4.2.2. Has anyone else had this issue, or know more about it, or could tell me how to escalate this?
    The infected file is scilexer.dll; the file size is 168448 bytes.

    cheers

    sedgy

    • Derek Wells

      Derek Wells - 2008-06-16

      "Looking at what Vundo is, I doubt it can place itself in SciLexer.dll, Vundo seems to be generating whole new DLLs, not inject itself into existing ones."

      Agreed, but with so many seeing this as a problem and no one actually explaining why the issue arises, it is enough to concern me. It is all too easy to mask a problem by an upgrade; I need a trojan like a hole in the head. Thanks for the tip on Sandboxie, I will give that a go.

      "1. AVG 7.5 is obsolete; 8.0 is current now (I use it); "

      I did use AVG 8.0 ... once, until it screwed up on install, wiping out only half of the old installation, not deleting the running services and installing itself into a poor state where nothing functioned. AVG's solution to this was to install a third-party registry cleaner to get rid of all the crud. I have seen it work OK on some machines but am waiting to get forced to upgrade. AVG have extended the support period until the end of this month ..... I wonder why :) BTW, there are also a number of features that, if you turn them off (like the new URL scanner), put the taskbar icon into its alert state, which is useless to my mind. AVG is turning into bloatware, like NAV did :( Such a shame .... time for Clam methinks.

      sedgy

      • Harry

        Harry - 2008-06-17

        > ... actually explaining why the issue arises ...

        Probably because the code in the 4.2.2 version of SciLexer uses some routines that resemble the Vundo ones a bit, thus resulting in the same fingerprint. Most virus scanner manufacturers don't give the exact way their scanners work (for obvious reasons =]), so it can only remain a guess, but I've seen someone pull some tricks on virus scanners that gives a pretty good insight into how it globally works.
        Adjusting a string in a program that is usually considered a hacking tool (something about getting password hashes from Windows; it's open source and AFAIK popular with administrators) resulted in scanners not finding it anymore, but the reverse can probably be applied in some form as well.

        Anyway, only AVG seems to detect it and no other scanner, and only since recently (and SciLexer 4.2.2 is pretty old IMO). Judging from this
        http://67.97.80.71/vil/content/v_127690.htm
        Vundo has been known since 2004 (or it's something else called Vundo too, I have no idea); 4.2.2 was released in 2007. I'd say 3 years is enough to find a real Vundo threat in the DLL, even if heuristics are needed :)

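As an added illustration of the "same fingerprint" point in the reply above (my own example, not code from this thread, from AVG or from the Notepad++ project): a toy byte-pattern scanner, a benign file that happens to contain the same byte sequence as the toy sample, and a triage step that compares a flagged file's size and SHA-256 against a clean copy obtained from the vendor. The signature bytes, file contents and reference hash are all constructed for the example.

```python
import hashlib

# Constructed byte pattern standing in for the kind of fingerprint a
# signature-based scanner extracts from a sample. Here it is an ordinary
# x86 function prologue (push ebp; mov ebp,esp; sub esp,0x10; push ebx/esi/edi),
# which is exactly the sort of code that benign and malicious binaries share.
# This is NOT a real Vundo signature.
PROLOGUE = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57"
SIGNATURE_DB = {"Vundo.t (toy)": PROLOGUE}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def signature_scan(data, db=SIGNATURE_DB):
    """Names of signatures whose byte pattern occurs anywhere in data."""
    return [name for name, pattern in db.items() if pattern in data]


def triage(data, reference):
    """Classify a scanner hit against a clean reference copy of the same file.

    reference: {"size": int, "sha256": str} measured on a copy freshly
    downloaded from the vendor, or None if no such copy is available.
    """
    if not signature_scan(data):
        return "clean"
    if reference is None:
        return "suspicious: no clean reference to compare against"
    if len(data) == reference["size"] and sha256(data) == reference["sha256"]:
        return "likely false positive: byte-identical to clean reference"
    return "suspicious: differs from clean reference"


# Constructed files: a fake malware sample, a benign DLL that merely shares
# the prologue bytes, and a copy of that DLL with extra bytes appended.
MALWARE = b"MZ" + b"\x90" * 6 + PROLOGUE + b"dropper"
CLEAN_DLL = b"MZ" + b"\x90" * 6 + b"lexer " + PROLOGUE + b" lexer"
TAMPERED_DLL = CLEAN_DLL + b"\x00extra"
# Reference record as it would be built from the vendor's clean download.
CLEAN_REFERENCE = {"size": len(CLEAN_DLL), "sha256": sha256(CLEAN_DLL)}

if __name__ == "__main__":
    print(signature_scan(MALWARE), signature_scan(CLEAN_DLL))
    print(triage(CLEAN_DLL, CLEAN_REFERENCE))
    print(triage(TAMPERED_DLL, CLEAN_REFERENCE))
```

Both the fake sample and the benign DLL trigger the toy signature; only the comparison with a clean reference separates the two outcomes.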
    • Harry

      Harry - 2008-06-12

      Please take a look here:
      http://sourceforge.net/forum/forum.php?thread_id=2077157&forum_id=331753
      There is a similar issue. As with that case, it's probably a false positive. SciLexer probably has some code with the same fingerprint as Vundo.t, though it's unlikely it's infected. Also, upgrading seems to help (v4.9 or the new 5.0 alpha).

    • Derek Wells

      Derek Wells - 2008-06-13

      I have taken a look at the link you sent and have also been involved in this thread over at PortableApps.

      http://portableapps.com/node/13991

      The link you sent makes assumptions that it is a false positive despite AVG doing a file scan and saying it was correct.

      My concern is that upgrading without knowing for sure may hide an issue rather than fixing it.

      Thanks for your comments, but I am still confused :( I am busily deleting every bit of Notepad++ I can find until I know otherwise.

      • Idris Samawi Hamid

        Hi,

        1. AVG 7.5 is obsolete; 8.0 is current now (I use it);

        2. Npp 4.92 works fine here with AVG 8.0, and other recent versions worked with AVG 7.5.

        So updating all should solve all.

        Best
        Idris

      • Harry

        Harry - 2008-06-13

        I downloaded 4.2.2 and indeed it triggers a detection. Though I doubt it's valid, to be safe you can just use another version of Notepad++. 4.2.2 is pretty outdated and I've not encountered a problem with the more recent versions.
        Looking at what Vundo is, I doubt it can place itself in SciLexer.dll; Vundo seems to be generating whole new DLLs, not injecting itself into existing ones.

        You can also try to run it in a sandbox like Sandboxie and see if it's safe.

        But in the end, if you trust AVG's report, you can just remove N++. Notepad++ places data in Program Files\Notepad++, your Start menu and in %APPDATA%\Notepad++. In the registry the file association key is called Notepad++_file.