Hi everybody!
I'm new to masm, and when I installed it my AV said there is a Backdoor.PoisonIvy.N in the installer! I'm using AVG free edition, and it seems I'm not the only one in this situation: http://www.masm32.com/board/index.php?PHPSESSID=f60bbfe53f545bd19b4282c9fc4338be&topic=8720.msg63474
Iirc I used this mirror:
United Kingdom: http://www.masm32.com/download/m32v9r.zip (Version 9.0)
Could anybody please explain this situation to me?
Yes,
Lousy heuristic scanning in the AV software you are using. It has been installed successfully by a very large number of people so the problem is not with the installation.
On the linked page, when the suspect file was submitted to:
http://virusscan.jotti.org/
19 out of 21 scanners found no problem.
FWIW, I just downloaded the V9 Win2000+ version from all of the working links (7 total), and the zip files are all the same size, and produce identical MD5 sums.
See attachment - but I don't remember where this one crept in. The Masm32.zip was downloaded 24.08.2005
[attachment deleted by admin]
jj,
Where did this file come from, the directory "trojan" has never been in the archive. I have the original installation for version 9.0 here and it certainly does not contain it.
Hi roante,
Welcome to the forum.
You should turn off your antivirus software during the installation of the Masm32 package. The installer executable does not contain any malicious code. Like Hutch said, it's the heuristic feature triggering AVG.
Use www.virustotal.com (http://www.virustotal.com) to check.
Ok, thank you for all the replies guys.
I've verified the checksum of my zip and some others as you suggested, and they're exactly the same.
Downloaded it again, but that's the same one I had. Also performed the installation once more, but this time there were no anti-virus alerts!!
Performed an av scan of the full installation directory, and this time I got no virus warnings.
Sorry, it seems there's no trojan in the installer; it was a fake report from me.
On the other hand, it seems I've already got some sort of nasty stuff installed that watches whether I install MASM, pretty funny, eh?
Igor,
Thanks for the link, here are the results.
AhnLab-V3 2008.2.29.1 2008.02.29 -
AntiVir 7.6.0.73 2008.02.29 -
Authentium 4.93.8 2008.03.01 -
Avast 4.7.1098.0 2008.03.01 -
AVG 7.5.0.516 2008.03.01 -
BitDefender 7.2 2008.03.02 -
CAT-QuickHeal 9.50 2008.03.01 -
ClamAV 0.92.1 2008.03.01 -
DrWeb 4.44.0.09170 2008.03.02 -
eSafe 7.0.15.0 2008.02.28 -
eTrust-Vet 31.3.5574 2008.02.29 -
Ewido 4.0 2008.03.02 -
FileAdvisor 1 2008.03.02 -
Fortinet 3.14.0.0 2008.03.02 -
F-Prot 4.4.2.54 2008.03.01 -
F-Secure 6.70.13260.0 2008.03.01 -
Ikarus T3.1.1.20 2008.03.02 -
Kaspersky 7.0.0.125 2008.03.02 -
McAfee 5242 2008.02.29 -
Microsoft 1.3301 2008.03.02 -
NOD32v2 2913 2008.03.01 -
Norman 5.80.02 2008.02.29 -
Panda 9.0.0.4 2008.03.01 -
Prevx1 V2 2008.03.02 -
Rising 20.33.62.00 2008.03.02 -
Sophos 4.27.0 2008.03.02 -
Sunbelt 3.0.906.0 2008.02.28 -
Symantec 10 2008.03.02 -
TheHacker 6.2.92.231 2008.03.02 -
VBA32 3.12.6.2 2008.02.27 -
VirusBuster 4.3.26:9 2008.03.02 -
Webwasher-Gateway 6.6.2 2008.03.02 BlockReason.0
One false positive from the last AV scanner.
The installation is built from source code on an isolated machine, and all of the servers it can be downloaded from are unix servers that do not run windows software.
Quote from: hutch-- on March 02, 2008, 09:40:18 AM
jj,
Where did this file come from, the directory "trojan" has never been in the archive. I have the original installation for version 9.0 here and it certainly does not contain it.
Good question, Hutch. I attach the patch.asm - it's not my programming style ;-)
[attachment deleted by admin]
lol at you naming your zip trojan like it's infected malware and making a big deal out of crappy av results :D
Looks like a badly written trojan.
Might want to investigate how it landed (esp. the source) on your HD...
Quote from: Ghirai on March 02, 2008, 10:16:56 PM
Looks like a badly written trojan.
Might want to investigate how it landed (esp. the source) on your HD...
I don't remember what exactly I did in August 2005 but that's what I got, included in my masm32.zip - 13384591 bytes.
The trojan folder contains the readme.txt below - maybe somebody knows the guy.
both progs (patch/client) are written by drcmda (drcmda@gmx.de)
in masm. both are only done for educational purposes (that's the
truth!) and not to harm other people.
please note that if you start "patch.exe" the prog creates two
registry-keys: hkey-local-machine/software/microsoft/windows/
current versio/run/expIorer.exe and hkey-local-machine/software/
trojan software. delete them and the patch will not start again
after you reboot. the patch will create a copy of itself in your
windows/system directory,too. the name of this copy is
"expIorer.exe" (I not L!!!!!). the last action the patch will
do is start a socket on port 2027 (you can change that in the
source).
be careful with the shutdown server function in the client 'cause
it will not delete the server, it just stops the server but after
reboot he's started again!
the upload/download functions in the client are not ready yet!
Since I am a very curious person, I googled this up:
http://forums.techguy.org/malware-removal-hijackthis-logs/686537-braviax-exe-winreanimator.html
C:\Documents and Settings\Stephen\Desktop\Download\masm32\Examples\remote.zip/TROJAN/PATCH/PATCH.exe Infected
Similar sources:
http://www.opensc.ws/asm/1302-remote.html
http://win32assembly.online.fr/source2.html (second in the list, "remote")
Again: I have no idea what exactly I did in August 2005 when I installed Masm32... but most probably I got the package from a well-known site :wink
I have MASM32 packages back to Jan 2003, and none of them contain a patch.exe, or anything that my AV app detected as a problem.
jj,
There is only one place to get the masm32 project, www.masm32.com and the sites it links to, anything else is dangerous. They are all properly secured sites and they all get the same installation. It appears some sh*tbox modified a copy and attached a trojan to it.
@jj2007:
Yea, there's no doubt that you got the malware from somewhere else.
I don't know the guy, but opensc.ws is a popular place for script kiddies and the like.
@Hutch, maybe it would be a good idea to post sha-256 checksums (NOT md5 since it's broken) on the main site, right before the mirror list, and make a small note to ask people to verify the hash of the downloaded file.
It's common practice for popular files, and it helps prevent users from running stuff they got off rogue mirrors, infected files downloaded from random places on the net, etc.
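The verification step suggested above, as an added example that is not part of this thread or of the masm32 project: it assumes the site would publish a plain-text manifest in `sha256sum` format (`<hex digest>  <filename>`), and it constructs its own stand-in archive and manifest so it runs offline.

```python
import hashlib, hmac, os, tempfile


def sha256_of_file(path):
    """Stream the file through SHA-256 (1 MiB chunks) and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Map filename -> digest from sha256sum-style lines ("<64 hex>  <name>").
    A '*' binary-mode marker on the name is dropped; malformed lines are skipped."""
    expected = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            expected[name] = digest
    return expected


def verify_download(path, manifest_text):
    """Return (ok, reason). A file not listed in the manifest is rejected too:
    an archive nobody published a hash for is what a rogue mirror would add."""
    expected = parse_manifest(manifest_text)
    name = os.path.basename(path)
    if name not in expected:
        return False, "%s is not listed in the manifest" % name
    actual = sha256_of_file(path)
    if not hmac.compare_digest(actual, expected[name]):
        return False, "digest mismatch for %s: got %s" % (name, actual)
    return True, "digest matches the manifest"


def demo():
    """Constructed sample (not the real archive or its hash): an intact copy,
    the same file with bytes appended, and an empty manifest."""
    path = os.path.join(tempfile.mkdtemp(), "m32v9r.zip")
    with open(path, "wb") as f:
        f.write(b"PK\x03\x04 constructed stand-in for the masm32 zip\n")
    manifest = "%s  m32v9r.zip\n" % sha256_of_file(path)
    intact = verify_download(path, manifest)[0]
    with open(path, "ab") as f:  # a modified copy: same name, extra bytes
        f.write(b"extra bytes from an untrusted mirror\n")
    return intact, verify_download(path, manifest)[0], verify_download(path, "")[0]
```

Publishing the manifest only on the main site (not on the mirrors) is what makes the check meaningful, since a mirror that can alter the zip can alter a hash stored beside it just as easily.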