
#366 Virus alarm in joewinpty.exe

Unknown
closed
None
v4.3
5
2017-09-26
2017-03-21
No

Hi,

Since recently, I can't use the Term Emulator (started through function keys F1 - F4) in Joe 4.4 Final (4.4.0.31319) anymore. The virus scanner pops up saying "Virus detected, Access blocked; Virus: Gen:Variant.Graftor.353084 (Engine A); File: joewinpty.exe; Directory: C:\Program Files (x86)\JoeEditor\vt" (cf. screenshot attached).

Is it really a virus?

Philipp

1 Attachments

Discussion

  • John J. Jordan

    John J. Jordan - 2017-03-22

    Thanks for the report.

    That EXE is basically the terminal driver for the Virtual Terminal feature. It connects to console windows, screen-scrapes, and outputs ANSI codes that are interpreted by the standard VT feature. If that EXE hasn't been tampered with, it is not a virus.

    All the binaries in the distribution are signed. You can check the signature in PowerShell:

    Get-AuthenticodeSignature "C:\Program Files (x86)\JoeEditor\vt\joewinpty.exe" | Format-List
    

    and you should see this output (modulo timezones):

    SignerCertificate      : [Subject]
                               E=jjjordan@users.sf.net, CN="Open Source Developer, John Jordan", O=Open
                             Source Developer, C=US
    
                             [Issuer]
                               CN=Certum Code Signing CA SHA2, OU=Certum Certification Authority,
                             O=Unizeto Technologies S.A., C=PL
    
                             [Serial Number]
                               1D84E3FD69B5BDDBCFFBF3043386AED9
    
                             [Not Before]
                               11/10/2016 4:51:10 AM
    
                             [Not After]
                               11/10/2017 4:51:10 AM
    
                             [Thumbprint]
                               AA0BC03ABBF58A9DC2F751E2C20D54FF0EA3E3B5
    
    TimeStamperCertificate :
    Status                 : Valid
    StatusMessage          : Signature verified.
    Path                   : C:\Program Files (x86)\JoeEditor\vt\joewinpty.exe
    SignatureType          : Authenticode
    IsOSBinary             : False
    

    If you see a different output, then you should assume the file has been tampered with, and all bets are off.

    Otherwise, it looks like a false positive from your virus scanner. The definition of Trojan:W32/Graftor looks fairly generic -- not a specific threat. If your copy passed the signature check above, then I can submit this as a false positive to the company that makes the scanner, along with a bit more technical information. In the meantime, there should be an option to ignore this particular file.

    HTH -john
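The check John describes, written out as an added example (it is not part of this ticket or of the JOE project's own code): a PowerShell script that verifies the Authenticode signature of joewinpty.exe and, rather than stopping at "Status: Valid", also pins the signer thumbprint shown in the output above. The file path and the thumbprint are the values from the ticket; the function name and the result labels are assumptions of this example.

```powershell
# Added example, not from the JOE project or this ticket.
# Assumptions: default install path and the signer thumbprint posted above.
param(
    [string]$Path = 'C:\Program Files (x86)\JoeEditor\vt\joewinpty.exe',
    # Thumbprint of the "Open Source Developer, John Jordan" certificate shown in the ticket
    [string]$ExpectedThumbprint = 'AA0BC03ABBF58A9DC2F751E2C20D54FF0EA3E3B5'
)

function Test-JoeBinarySignature {
    param([string]$FilePath, [string]$Thumbprint)

    # A missing file usually means the scanner quarantined it (as happened here).
    if (-not (Test-Path -LiteralPath $FilePath)) {
        return [pscustomobject]@{ Path = $FilePath; Result = 'Missing'
                                  Detail = 'file not found (quarantined or not installed?)' }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $FilePath

    # 1. Windows must accept the signature: the file hash matches what was signed
    #    and the certificate chains to a trusted root. Any tampering fails here.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $FilePath; Result = 'Untrusted'
                                  Detail = "$($sig.Status): $($sig.StatusMessage)" }
    }

    # 2. A valid signature from someone else is still not the project's binary,
    #    so compare against the expected signer thumbprint.
    $actual = $sig.SignerCertificate.Thumbprint
    if ($actual -ne $Thumbprint) {
        return [pscustomobject]@{ Path = $FilePath; Result = 'WrongSigner'
                                  Detail = "signer thumbprint $actual, expected $Thumbprint" }
    }

    # 3. Record whether a timestamp countersignature is present. Without one, the
    #    signature stops validating once the signer certificate passes its
    #    "Not After" date; with one, it stays valid afterwards.
    $timestamped = $null -ne $sig.TimeStamperCertificate

    # 4. The SHA256 hash is what a false-positive report to the AV vendor needs.
    $sha256 = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash

    return [pscustomobject]@{
        Path   = $FilePath
        Result = 'OK'
        Detail = "signed by $($sig.SignerCertificate.Subject); timestamped=$timestamped; SHA256=$sha256"
    }
}

Test-JoeBinarySignature -FilePath $Path -Thumbprint $ExpectedThumbprint | Format-List
```

Run it as a .ps1 from an elevated or normal PowerShell prompt; a result other than OK means the file either failed Windows' own hash and chain check or was signed by a different certificate than the one posted in this ticket, and in both cases the file should be replaced from the installer rather than whitelisted in the scanner.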

     
  • Phil Roessler

    Phil Roessler - 2017-03-24

    Thanks for your support!

    I had to download a new copy of the joe MSI installer from sourceforge (since the original joewinpty.exe was put under quarantine by G Data Security Client).

    The freshly installed EXE passed the signature verification and F1 brings up a command line smoothly ...

    SignerCertificate      : [Subject]
                               E=jjjordan@users.sf.net, CN="Open Source Developer, John Jordan", O=Open Source Developer, C=US
    
                             [Issuer]
                               CN=Certum Code Signing CA SHA2, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
    
                             [Serial Number]
                               1D84E3FD69B5BDDBCFFBF3043386AED9
    
                             [Not Before]
                               10.Nov.2016 13:51:10
    
                             [Not After]
                               10.Nov.2017 13:51:10
    
                             [Thumbprint]
                               AA0BC03ABBF58A9DC2F751E2C20D54FF0EA3E3B5
    
    TimeStamperCertificate : [Subject]
                               CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US
    
                             [Issuer]
                               CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US
    
                             [Serial Number]
                               0ECFF438C8FEBF356E04D86A981B1A50
    
                             [Not Before]
                               18.Okt.2012 02:00:00
    
                             [Not After]
                               30.Dez.2020 00:59:59
    
                             [Thumbprint]
                               65439929B67973EB192D6FF243E6767ADF0834E4
    
    Status                 : Valid
    StatusMessage          : Signatur wurde überprüft.
    Path                   : C:\Program Files (x86)\JoeEditor\vt\joewinpty.exe
    

    Issue solved.

    Regards

    Philipp

     

    Last edit: Phil Roessler 2017-03-24
  • John J. Jordan

    John J. Jordan - 2017-03-25

    Glad to hear it. You might want to do a scan to be safe. Do let me know if this crops up again.

    For future reference, you can repair the installation (which would have reinstalled joewinpty) from the control panel under "Programs and Features", or whatever it is on your version of Windows - no need to redownload it.

    -john

     
  • John J. Jordan

    John J. Jordan - 2017-09-26
    • status: open --> closed
    • assigned_to: John J. Jordan
     

