SourceForge has been redesigned. Learn more.
Close

#1161 Virus/Trojan in Nightly Builds

closed-rejected
nobody
Web Pages (6)
5
2013-05-25
2006-07-03
Anonymous
No

I received this message from Symantec AntiVirus today:

Scan type:

Auto-Protect Scan
Event: Security Risk Found!
Risk: Trojan.Zlob
File: C:\Program Files\SDCC\uninstall.exe
Location: Quarantine
Computer: BRW-WORTHWOR00
User: ASIAPACIFIC\worthwor
Action taken: Quarantine succeeded : Access denied
Date found: Monday, 3 July 2006 11:42:09 AM

Same thing in the installer exe itself. This is from
the 06/24 nightly build, and the 07/01.

I didn't have this issue with previous nightly builds.
I suspect that this is in error and is due to SAV
definition updates, but hopefully someone can check it
out.

Discussion

  • Maarten Brock

    Maarten Brock - 2006-07-04

    Logged In: YES
    user_id=888171

    I checked the file sdcc-20060701-4252-setup.exe with
    McAfee Anti-Virus and found nothing. Then I tried to find
    out if it was even known by McAfee, but allthough Symantec
    knows it since April 24 2005 I cannot find anything
    resembling this trojan on the McAfee website. So I'm not
    yet convinced we're clean.

     
  • Frieder Ferlemann

    Logged In: YES
    user_id=589052

    unlikely but it could also have been someone in the middle.
    Checksums of the file as I downloaded it are:

    > sha1sum sdcc-20060701-4252-setup.exe
    50e85a0819773a3607792cbadc2cdfec33314fd3
    sdcc-20060701-4252-setup.exe

    > md5sum sdcc-20060701-4252-setup.exe
    bff179eae88e6d8d237ef88bba662bcb sdcc-20060701-4252-setup.exe

     
  • Borut Ražem

    Borut Ražem - 2006-07-04

    Logged In: YES
    user_id=568035

    The WIN32 sdcc setup.exe is cross compliled on SF Compile
    Farm Linux machine; the gcc compiler and NSIS installer were
    compiled on the same machine from sources, so I doubt that
    the sdcc binaries are infected - I suspect it is a false alarm.

    But you newer know :-(

    Borut

     
  • Maarten Brock

    Maarten Brock - 2006-07-08

    Logged In: YES
    user_id=888171

    Is there anyone else out there also using Symantec
    Antivirus who can confirm this bug or disprove it? We need
    some help here.

     
  • Frieder Ferlemann

    Logged In: YES
    user_id=589052

    There are strong indications that this is a false positive
    caused by a failure in the Symantec product:

    The affected NSIS project:
    http://nsis.sourceforge.net/NSIS_False_Positives

    An arbitrary link which a web search turned up:
    http://isc.sans.org/diary.php?date=2006-07-05

    Another example of an affected project:
    http://www.inkscape.org/?lang=en

    Note, none of the above links can be considered verified.

    I was not able to find something relevant at Symantecs web
    site:

    - their "security response weblog" only dates back a few days:(

    - their "thread explorer" shows a signature for
    Trojan.Zlob.L being added at 06-30-2006. (In ISO 8601 format
    this should probably read 2006-06-30) The original report
    for SDCC is about Trojan.Zlob and not about the
    Trojan.Zlob.L as on Symantecs web site so this might or
    might not be related.

    - following the link for Trojan.Zlob.L given there results
    in an empty page being shown. Both for Firefox 1.5.0.4 (X11;
    U;) and Konqueror (3.5.2).

     
  • Maarten Brock

    Maarten Brock - 2006-07-23

    Logged In: YES
    user_id=888171

    Nobody was able to reproduce this and the NSIS site seems
    to indicate there were more false positives by Symantec
    around the same date for (almost) the same trojan. It's a
    pity the OP never responded again.

    I think it's fair to assume this was a false positive and
    will close it now as unreproducable.

     
  • Maarten Brock

    Maarten Brock - 2006-07-23
    • milestone: --> unreproducable
    • status: open --> closed-rejected
     

Log in to post a comment.