Antivirus failures - Win.Worm.Chir-552 found in NSIS executables

RESOLVED FIXED


People

(Reporter: nthomas, Unassigned)


(Reporter)

Description

4 years ago
Eg Thunderbird 31.0b3 - all locales, complete mar and installer exe

/tmp/tmpDd1ZSj/pub/mozilla.org/thunderbird/candidates/31.0b3-candidates/build1/win32/nn-NO/Thunderbird Setup 31.0b3.exe/setup.exe: Win.Worm.Chir-552 FOUND
/tmp/tmpDd1ZSj/pub/mozilla.org/thunderbird/candidates/31.0b3-candidates/build1/win32/nn-NO/Thunderbird Setup 31.0b3.exe/core/maintenanceservice_installer.exe: Win.Worm.Chir-552 FOUND
/tmp/tmpDd1ZSj/pub/mozilla.org/thunderbird/candidates/31.0b3-candidates/build1/win32/nn-NO/Thunderbird Setup 31.0b3.exe/core/uninstall/helper.exe: Win.Worm.Chir-552 FOUND

Also Firefox 31.0esr - all locales, there's one extra file there. Firefox 31.0 build1 passed, but ran a little earlier. If I rerun (on an unpacked exe), then it also fails:
 $ clamscan -o -r .
 ./setup.exe: Win.Worm.Chir-552 FOUND
 ./core/maintenanceservice_installer.exe: Win.Worm.Chir-552 FOUND
 ./core/uninstall/helper.exe: Win.Worm.Chir-552 FOUND
 ./core/webapp-uninstaller.exe: Win.Worm.Chir-552 FOUND

They're all NSIS installers; other exe like crashreporter.exe don't get flagged.
(Reporter)

Comment 1

4 years ago
Adding the --scan-pe=no argument to clamscan results in no match. From the man page:
>       --scan-pe[=yes(*)/no]
>              PE stands for Portable Executable - it's an executable file format used in all 32-bit versions of Windows
>              operating systems. By default ClamAV performs deeper analysis of executable files and attempts to
>              decompress popular executable packers such as UPX, Petite, and FSG. If you turn off this option, the
>              original files will still be scanned but without additional processing.

They're also clean on virus-total, eg
 https://www.virustotal.com/en/file/57ba1439c925f04097ffcd045e4411e63421e6c3cce91e156d04af9b44119e1b/analysis/1405499819/
 https://www.virustotal.com/en/file/a6e6e590e282227b1fdce9ffa054a27f7c96df87f82e21591b915c6c8dbf162d/analysis/1405456055/

MS have published this about Win32/Chir.D
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=%0A%09%09%09%09Worm:Win32/Chir.D@mm%0A%09%09%09%09#tab=2
I checked a build slave and there was no match for c:\windows\system*\runouce.exe.

Convinced this is a false positive, and will submit to clamav.net as such.
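The triage in this comment (rescan with --scan-pe=no and see whether the match goes away) can be scripted. The example below is added here and is not part of the bug or of Mozilla's release automation; it parses clamscan's "path: SIGNATURE FOUND" lines, which may contain spaces and extra colons, and reports the hits that appear only when PE analysis is on. The sample output is constructed from the paths in this bug plus a hypothetical EICAR test-file hit that survives both scans; run_clamscan assumes a local ClamAV install and is not exercised by the samples.

```python
import re
import subprocess
from collections import defaultdict
from typing import Dict, List

# clamscan prints one line per hit: "<path>: <signature> FOUND".
# Paths may contain spaces and colons ("Thunderbird Setup 31.0b3.exe/setup.exe"),
# so anchor on the trailing " FOUND" and let the greedy path group backtrack.
_HIT_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def parse_clamscan_output(text: str) -> Dict[str, List[str]]:
    """Map each signature name to the list of paths it matched.

    Lines ending in "OK", summary lines and errors are ignored.
    """
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        m = _HIT_RE.match(line.strip())
        if m:
            hits[m.group("sig")].append(m.group("path"))
    return dict(hits)


def pe_only_hits(default_scan: str, no_pe_scan: str) -> Dict[str, List[str]]:
    """Paths flagged with PE analysis on but clean under --scan-pe=no.

    Such hits come from ClamAV's unpacker/PE heuristics rather than from a plain
    byte signature. That does not prove a false positive, but it is the pattern
    seen with the NSIS installers above and marks the files for a second opinion.
    """
    with_pe = parse_clamscan_output(default_scan)
    without_pe = parse_clamscan_output(no_pe_scan)
    result: Dict[str, List[str]] = {}
    for sig, paths in with_pe.items():
        still_flagged = set(without_pe.get(sig, []))
        only_pe = [p for p in paths if p not in still_flagged]
        if only_pe:
            result[sig] = only_pe
    return result


def run_clamscan(directory: str, scan_pe: bool = True) -> str:
    """Scan a directory recursively with clamscan and return its stdout.

    Assumes ClamAV is installed; clamscan exits 1 when something is found,
    so the return code is deliberately not treated as an error here.
    """
    cmd = ["clamscan", "-r", "--no-summary",
           "--scan-pe=" + ("yes" if scan_pe else "no"), directory]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout


# Constructed sample output, modelled on the clamscan lines in this bug.
PREFIX = "/tmp/scan/Thunderbird Setup 31.0b3.exe/"
SAMPLE_DEFAULT = (
    f"{PREFIX}setup.exe: Win.Worm.Chir-552 FOUND\n"
    f"{PREFIX}core/maintenanceservice_installer.exe: Win.Worm.Chir-552 FOUND\n"
    f"{PREFIX}core/uninstall/helper.exe: Win.Worm.Chir-552 FOUND\n"
    f"{PREFIX}core/crashreporter.exe: OK\n"
    "/tmp/scan/eicar.com: Win.Test.EICAR_HDB-1 FOUND\n"  # hypothetical test-file hit
)
SAMPLE_NO_PE = (
    f"{PREFIX}setup.exe: OK\n"
    f"{PREFIX}core/maintenanceservice_installer.exe: OK\n"
    f"{PREFIX}core/uninstall/helper.exe: OK\n"
    f"{PREFIX}core/crashreporter.exe: OK\n"
    "/tmp/scan/eicar.com: Win.Test.EICAR_HDB-1 FOUND\n"
)


def triage_sample() -> Dict[str, List[str]]:
    """Run the comparison over the constructed samples."""
    return pe_only_hits(SAMPLE_DEFAULT, SAMPLE_NO_PE)


if __name__ == "__main__":
    for sig, paths in triage_sample().items():
        print(f"{sig}: {len(paths)} hit(s) only under PE analysis")
        for p in paths:
            print("   ", p)
```

For a real directory, call pe_only_hits(run_clamscan(d), run_clamscan(d, scan_pe=False)); the EICAR-style hit in the sample stays in both scans and is therefore not reported, while the three Chir-552 hits are.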
(Reporter)

Comment 2

4 years ago
Looks like clamav doesn't extract our executables by default, so it passes the installers on virustotal.com. We do extract the installers and mar files when we run our antivirus job in the release automation, so it flags the 4 files.

If I give virustotal the setup.exe from inside http://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/31.0-candidates/build1/win32/en-US/Firefox Setup 31.0.exe then we get 
 https://www.virustotal.com/en/file/050fa5168d9a77ae8e909c0fa6a9adf42368bcc8c9562e26cad88d87db726498/analysis/1405505060/
ie clamav finds something, but nothing else does.
(Reporter)

Comment 3

4 years ago
Submitted to clamav.net at the 2nd attempt.
(Reporter)

Comment 4

4 years ago
Looks like the matches have disappeared in a later virus definition, we'll rescan the affected files.
I just ran the following on stage:

extract_and_run_command.py -j2 clamdscan -m --no-summary -- /pub/mozilla.org/thunderbird/candidates/31.0b3-candidates/build1/update/win32/

extract_and_run_command.py -j2 clamdscan -m --no-summary -- /pub/mozilla.org/thunderbird/candidates/31.0b3-candidates/build1/win32

Both passed.
(Reporter)

Comment 6

4 years ago
Redid the 31.0esr checks:
$ ionice -c3 nice extract_and_run_command.py -j2 clamdscan -m --no-summary -- /pub/mozilla.org/firefox/candidates/31.0esr-candidates/build1/{,update}/win32 2>&1 | tee ~/31.0esr-rescan.log

Nothing was detected.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED