Antivirus failures - Win.Worm.Chir-552 found in NSIS executables



4 years ago


(Reporter: nthomas, Unassigned)






4 years ago
E.g. Thunderbird 31.0b3 - all locales, complete mar and installer exe

/tmp/tmpDd1ZSj/pub/ Setup 31.0b3.exe/setup.exe: Win.Worm.Chir-552 FOUND
/tmp/tmpDd1ZSj/pub/ Setup 31.0b3.exe/core/maintenanceservice_installer.exe: Win.Worm.Chir-552 FOUND
/tmp/tmpDd1ZSj/pub/ Setup 31.0b3.exe/core/uninstall/helper.exe: Win.Worm.Chir-552 FOUND

Also Firefox 31.0esr - all locales, there's one extra file there. Firefox 31.0 build1 passed, but ran a little earlier. If I rerun (on an unpacked exe), then it also fails:
 $ clamscan -o -r .
 ./setup.exe: Win.Worm.Chir-552 FOUND
 ./core/maintenanceservice_installer.exe: Win.Worm.Chir-552 FOUND
 ./core/uninstall/helper.exe: Win.Worm.Chir-552 FOUND
 ./core/webapp-uninstaller.exe: Win.Worm.Chir-552 FOUND

They're all NSIS installers; other exes like crashreporter.exe don't get flagged.

Comment 1

4 years ago
Adding the --scan-pe=no argument to clamscan results in no match. From the man page:
>       --scan-pe[=yes(*)/no]
>              PE stands for Portable Executable - it's an executable file format used in all 32-bit versions of Windows operating systems. By default ClamAV performs deeper analysis of executable files and attempts to decompress popular executable packers such as UPX, Petite, and FSG. If you turn off this option, the original files will still be scanned but without additional processing.

They're also clean on virus-total, eg

MS have published this about Win32/Chir.D
I checked a build slave and there was no match for c:\windows\system*\runouce.exe.

Convinced this is a false positive, and will submit to as such.

Comment 2

4 years ago
Looks like clamav doesn't extract our executables by default, so it passes the installers on. We do extract the installers and mar files when we run our antivirus job in the release automation, so it flags the 4 files.

If I give virustotal the setup.exe from inside Setup 31.0.exe then we get
i.e. clamav finds something, but nothing else does.
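Comments 1 and 2 together describe the triage that settled this bug: scan the unpacked installer tree once with ClamAV's default deep PE analysis and once with --scan-pe=no, and treat files that are only flagged in the deep scan as hits on unpacked/decompressed content worth cross-checking against other engines. The following is an added example, not part of the bug report or of Mozilla's release automation; it assumes clamscan's default "path: Signature FOUND" output format, and the sample output is constructed from the lines quoted in the bug.

```python
"""Triage helper for ClamAV FOUND reports on an unpacked NSIS installer tree."""
import re
import subprocess
from collections import defaultdict

# Matches clamscan's per-file report line, e.g. "./setup.exe: Win.Worm.Chir-552 FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def parse_clamscan(output):
    """Return {path: signature} for every FOUND line; OK lines are ignored."""
    hits = {}
    for line in output.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits[m.group("path")] = m.group("sig")
    return hits


def by_signature(hits):
    """Group flagged paths by signature, so one bad definition is easy to spot."""
    groups = defaultdict(list)
    for path, sig in hits.items():
        groups[sig].append(path)
    return {sig: sorted(paths) for sig, paths in groups.items()}


def pe_only_hits(default_hits, no_pe_hits):
    """Paths flagged by the default (deep PE) scan but clean with --scan-pe=no.

    These matches come from ClamAV's unpacking of the executable, the case
    comment 1 describes, and are the ones to submit for a second opinion."""
    return {p: s for p, s in default_hits.items() if p not in no_pe_hits}


def run_clamscan(directory, scan_pe=True):
    """Run clamscan over an unpacked tree (needs clamscan installed; not run by the test)."""
    pe_flag = "--scan-pe=yes" if scan_pe else "--scan-pe=no"
    cmd = ["clamscan", "-r", "--no-summary", pe_flag, directory]
    return subprocess.run(cmd, capture_output=True, text=True).stdout


# Constructed sample output modelled on the report in this bug.
SAMPLE_DEFAULT = """./setup.exe: Win.Worm.Chir-552 FOUND
./core/maintenanceservice_installer.exe: Win.Worm.Chir-552 FOUND
./core/uninstall/helper.exe: Win.Worm.Chir-552 FOUND
./core/webapp-uninstaller.exe: Win.Worm.Chir-552 FOUND
./crashreporter.exe: OK
"""
SAMPLE_NO_PE = "\n".join(f"{p}: OK" for p in (
    "./setup.exe", "./core/maintenanceservice_installer.exe",
    "./core/uninstall/helper.exe", "./core/webapp-uninstaller.exe",
    "./crashreporter.exe")) + "\n"
```

Running both scans through `pe_only_hits(parse_clamscan(run_clamscan(d)), parse_clamscan(run_clamscan(d, scan_pe=False)))` on a real unpacked tree gives the list of deep-scan-only matches to cross-check.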

Comment 3

4 years ago
Submitted to at the 2nd attempt.

Comment 4

4 years ago
Looks like the matches have disappeared in a later virus definition, we'll rescan the affected files.
I just ran the following on stage:
 -j2 clamdscan -m --no-summary -- /pub/
 -j2 clamdscan -m --no-summary -- /pub/

Both passed.

Comment 6

4 years ago
Redid the 31.0esr checks:
$ ionice -c3 nice -j2 clamdscan -m --no-summary -- /pub/{,update}/win32 2>&1 | tee ~/31.0esr-rescan.log

Nothing was detected.
Last Resolved: 4 years ago
Resolution: --- → FIXED