Backdoor in MASM 9.0 installer?

Started by roante, March 01, 2008, 12:24:35 PM


roante

Hi everybody!

I'm new to masm, and when I installed it my AV said there is a Backdoor.PoisonIvy.N in the installer! I'm using AVG free edition, and it seems I'm not the only one in this situation: http://www.masm32.com/board/index.php?PHPSESSID=f60bbfe53f545bd19b4282c9fc4338be&topic=8720.msg63474

Iirc I used this mirror:

  United Kingdom
  http://www.masm32.com/download/m32v9r.zip  Version 9.0

Could anybody please explain this situation to me?

hutch--

Yes,

Lousy heuristic scanning in the AV software you are using. It has been installed successfully by a very large number of people so the problem is not with the installation.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

MichaelW

On the linked page, when the suspect file was submitted to:

http://virusscan.jotti.org/

19 out of 21 scanners found no problem.

FWIW, I just downloaded the V9 Win2000+ version from all of the working links (7 total), and the zip files are all the same size, and produce identical MD5 sums.
eschew obfuscation

jj2007

See attachment - but I don't remember where this one crept in. The Masm32.zip was downloaded 24.08.2005


[attachment deleted by admin]

hutch--

jj,

Where did this file come from? The directory "trojan" has never been in the archive. I have the original installation for version 9.0 here and it certainly does not contain it.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

Vortex

Hi roante,

Welcome to the forum.

You should turn off your antivirus software during the installation of the Masm32 package. The installer executable does not contain any malicious code. Like Hutch said, it's the heuristic feature triggering AVG.

asmfan

Russia is a weird place

roante

Ok, thank you for all the replies guys.
I've verified the checksum of my zip and some others as you suggested, and they're exactly the same.

Downloaded it again, but it's the same one I had. Also performed the installation once more, but this time there were no anti-virus alerts!!
Performed an AV scan of the full installation directory, and this time I got no virus warnings.

Sorry, it seems there's no trojan in the installer; it was a fake report from me.

On the other hand, it seems I've already got some sort of nasty stuff installed that watches whether I install MASM, pretty funny, eh?

hutch--

Igor,

Thanks for the link, here are the results.


AhnLab-V3 2008.2.29.1 2008.02.29 -
AntiVir 7.6.0.73 2008.02.29 -
Authentium 4.93.8 2008.03.01 -
Avast 4.7.1098.0 2008.03.01 -
AVG 7.5.0.516 2008.03.01 -
BitDefender 7.2 2008.03.02 -
CAT-QuickHeal 9.50 2008.03.01 -
ClamAV 0.92.1 2008.03.01 -
DrWeb 4.44.0.09170 2008.03.02 -
eSafe 7.0.15.0 2008.02.28 -
eTrust-Vet 31.3.5574 2008.02.29 -
Ewido 4.0 2008.03.02 -
FileAdvisor 1 2008.03.02 -
Fortinet 3.14.0.0 2008.03.02 -
F-Prot 4.4.2.54 2008.03.01 -
F-Secure 6.70.13260.0 2008.03.01 -
Ikarus T3.1.1.20 2008.03.02 -
Kaspersky 7.0.0.125 2008.03.02 -
McAfee 5242 2008.02.29 -
Microsoft 1.3301 2008.03.02 -
NOD32v2 2913 2008.03.01 -
Norman 5.80.02 2008.02.29 -
Panda 9.0.0.4 2008.03.01 -
Prevx1 V2 2008.03.02 -
Rising 20.33.62.00 2008.03.02 -
Sophos 4.27.0 2008.03.02 -
Sunbelt 3.0.906.0 2008.02.28 -
Symantec 10 2008.03.02 -
TheHacker 6.2.92.231 2008.03.02 -
VBA32 3.12.6.2 2008.02.27 -
VirusBuster 4.3.26:9 2008.03.02 -
Webwasher-Gateway 6.6.2 2008.03.02 BlockReason.0


One false positive from the last AV scanner.

The installation is built from source code on an isolated machine, and all of the servers it can be downloaded from are Unix servers that do not run Windows software.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

jj2007

Quote from: hutch-- on March 02, 2008, 09:40:18 AM
jj,

Where did this file come from? The directory "trojan" has never been in the archive. I have the original installation for version 9.0 here and it certainly does not contain it.

Good question, Hutch. I attach the patch.asm - it's not my programming style ;-)


[attachment deleted by admin]

ecube

lol at you naming your zip "trojan" like it's infected malware and making a big deal out of crappy AV results :D

Ghirai

Looks like a badly written trojan.

Might want to investigate how it landed (esp. the source) on your HD...
MASM32 Project/RadASM mirror - http://ghirai.com/hutch/mmi.html

jj2007

Quote from: Ghirai on March 02, 2008, 10:16:56 PM
Looks like a badly written trojan.

Might want to investigate how it landed (esp. the source) on your HD...

I don't remember what exactly I did in August 2005, but that's what I got, included in my masm32.zip - 13384591 bytes.
The trojan folder contains the readme.txt below - maybe somebody knows the guy.


both progs (patch/client) are written by drcmda (drcmda@gmx.de)
in masm. both are only done for educational purposes (that's the
truth!) and not to harm other people.

please note that if you start "patch.exe" the prog creates two
registry-keys: hkey-local-machine/software/microsoft/windows/
current versio/run/expIorer.exe and hkey-local-machine/software/
trojan software. delete them and the patch will not start again
after you reboot. the patch will create a copy of itself in your
windows/system directory, too. the name of this copy is
"expIorer.exe" (I not L!!!!!). the last action the patch will
do is start a socket on port 2027 (you can change that in the
source).

be careful with the shutdown server function in the client 'cause
it will not delete the server, it just stops the server, but after
reboot it's started again!

the upload/download functions in the client are not ready yet!
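The readme above describes the persistence trick: a copy named "expIorer.exe" (capital I in place of lowercase l) dropped into the Windows system directory and started from a Run key. As an added example, not code from the thread or from anyone in it, here is a small Python check that flags autorun entries whose file name is a look-alike of a legitimate Windows binary; the registry path, the list of known binaries and the sample entries are constructed assumptions, and the check also covers digit-for-letter swaps beyond the page's capital-I case.

```python
import re

# Constructed sample Run-key entries for the demo (not read from a real registry).
# Key path and value names are assumptions; only "expIorer.exe" comes from the readme.
SAMPLE_RUN_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "expIorer.exe",
     r"C:\WINDOWS\system\expIorer.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "explorer",
     r"C:\WINDOWS\explorer.exe"),
]

# Short assumed list of legitimate binaries that malware commonly imitates.
KNOWN_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "ctfmon.exe"}

# Characters that render almost identically in common UI fonts.
CONFUSABLES = {"I": "l", "1": "l", "|": "l", "0": "o"}


def normalize(name: str) -> str:
    """Map confusable glyphs to the letter they imitate, then lowercase."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name).lower()


def basename(command: str) -> str:
    """Last path component of a Run-key command, ignoring surrounding quotes."""
    return re.split(r"[\\/]", command.strip().strip('"'))[-1]


def is_lookalike(filename: str):
    """Return the legitimate name this filename imitates, or None if it is genuine."""
    canon = normalize(filename)
    if canon in KNOWN_BINARIES and filename.lower() != canon:
        return canon
    return None


def find_lookalike_autoruns(entries):
    """Flag entries whose value name or target file mimics a known binary."""
    hits = []
    for key, value_name, command in entries:
        target = is_lookalike(basename(command)) or is_lookalike(value_name)
        if target:
            hits.append({"key": key, "value": value_name,
                         "command": command, "imitates": target})
    return hits


if __name__ == "__main__":
    for hit in find_lookalike_autoruns(SAMPLE_RUN_ENTRIES):
        print(f"{hit['key']}\\{hit['value']} -> {hit['command']} (imitates {hit['imitates']})")
```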

jj2007

Since I am a very curious person, I googled this up:

http://forums.techguy.org/malware-removal-hijackthis-logs/686537-braviax-exe-winreanimator.html

C:\Documents and Settings\Stephen\Desktop\Download\masm32\Examples\remote.zip/TROJAN/PATCH/PATCH.exe   Infected

Similar sources:
http://www.opensc.ws/asm/1302-remote.html
http://win32assembly.online.fr/source2.html (second in the list, "remote")

Again: I have no idea what exactly I did in August 2005 when I installed Masm32... but most probably I got the package from a well-known site  :wink

MichaelW

I have MASM32 packages back to Jan 2003, and none of them contain a patch.exe, or anything that my AV app detected as a problem.
eschew obfuscation