Closed Bug 1690283 Opened 4 years ago Closed 4 years ago

Jiangmin on VirusTotal detected TrojanDropper.Autit.ra in stub installer

Categories

(Firefox :: Installer, defect)

Product:
Firefox
Component:
Installer
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox85 --- affected
firefox86 --- affected
firefox87 --- affected

People

(Reporter: ba.berean, Unassigned)

Details

Attachments

(1 file)

UnsafeFile.png
100.86 KB, image/png
Details

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36

Steps to reproduce:

I downloaded Firefox Installer.exe and ran it through https://www.virustotal.com/

Actual results:

Virus Total flagged it, identifying TrojanDropper.Autit.ra in the file.

Expected results:

There should not have been anything flagged.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Installer
Component: Installer → Untriaged

I downloaded Firefox Installer.exe

From where? Please provide complete steps to reproduce.

Flags: needinfo?(ba.berean)

I was able to reproduce this issue on latest Nightly 87.0a1 (2020-02-03)(64-bit) on Windows 10.
I've followed the next steps:

  1. Download Firefox Installer.en-US from https://archive.mozilla.org/pub/firefox/nightly/2021/02/2021-02-03-09-31-46-mozilla-central/
  2. Chose the file using URL: https://www.virustotal.com/

Actual result: 1 file unsafe with TrojanDropper.Autit.ra
I'll attach a file with evidence. I'll change flags accordingly.

Severity suggested: S3

Status: UNCONFIRMED → NEW
status-firefox85: --- → affected
status-firefox86: --- → affected
status-firefox87: --- → affected
Component: Untriaged → Installer
Ever confirmed: true
Severity: -- → S3

I wasn't able to match the hash of your screenshot, but I was able to use the hash to find the results on VirusTotal. I refreshed the scan today and none of the engines detected anything, including Jiangmin which had reported the Trojan before. It was likely a false positive that they fixed in later versions of the engine or definitions. Thanks for bringing it to our attention, sorry about the slow response.

Cylance is still sporadically saying the stub is unsafe, for instance on the en-US 87.0 stub from here, VirusTotal, but that seems to have been going on for years, it isn't clear what their issue is, their scanner probably just doesn't deal well with self-extractors.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(ba.berean)
Resolution: --- → WORKSFORME
Summary: TrojanDropper.Autit.ra → Jiangmin on VirusTotal detected TrojanDropper.Autit.ra in stub installer
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: