Closed
Bug 636092
Opened 14 years ago
Closed 14 years ago
Ad-Aware reported 7zsd.sfx infected with Trojan.Win32.Generic
Categories
(mozilla.org :: Security Assurance, task)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: mozilla_by, Assigned: ygjb)
Details
Recently I scanned my computer with Ad Aware and it reported a repository file contains a trojan:
Quarantined items:
Description: ... \mozilla-central\other-licenses\7zstub\firefox\7zsd.sfx
Family Name: Trojan.Win32.Generic!BT
Engine: 3
Clean status: Success
Item ID: 1
Family ID: 0
MD5: 53e575a6f0c5597e425ab8bc2609213a
Details:
Ad-Aware 9.0.2
http://www.lavasoft.com/
Updated•14 years ago
Assignee: nobody → server-ops
Component: General → Server Operations: Security
Product: Firefox → mozilla.org
QA Contact: general → clyon
Version: Trunk → other
Updated•14 years ago
Assignee: server-ops → infrasec
Component: Server Operations: Security → Infrastructure Security
Comment 1•14 years ago
This is almost certainly a false positive or local infection. The file has not changed in the repo in several months:
http://hg.mozilla.org/mozilla-central/log/88752f2b3088/other-licenses/7zstub/firefox/7zSD.sfx
Group: core-security
Severity: critical → normal
Comment 2•14 years ago
[root@dm-svn01 mozilla]# file mozilla-central/other-licenses/7zstub/firefox/7zSD.sfx
mozilla-central/other-licenses/7zstub/firefox/7zSD.sfx: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
[root@dm-svn01 mozilla]# clamscan mozilla-central/other-licenses/7zstub/firefox/7zSD.sfx
mozilla-central/other-licenses/7zstub/firefox/7zSD.sfx: OK
http://www.virustotal.com/file-scan/report.html?id=fb590dfadc96fdae469d46bae519ed5d90533ecb9e61db42aca2a3777c3991bd-1298461069
VirusTotal says:
File name: 7zSD.sfx
Submission date: 2011-02-23 11:37:49 (UTC)
Current status: finished
Result: 2/ 43 (4.7%)
nProtect 2011-02-10.01 2011.02.15 Trojan-Downloader/W32.Banload.121344.D
SUPERAntiSpyware 4.40.0.1006 2011.02.23 Trojan.Agent/Gen-BanLoad
Comment 3•14 years ago
I uploaded the raw file off the server; it's probably stored in hg's internal format and not what you get on a checkout. nthomas uploaded the checked-out version to virustotal and got 9/43 on it.
https://www.virustotal.com/file-scan/report.html?id=30df6acd0c57aedab88c2b3cbba92e207ecfed284862ddbe27a3b69ba1b6a456-1298461420
Comment 4•14 years ago
So we are thinking this is still a false positive?
Comment 5•14 years ago
Retested - 8/43: http://www.virustotal.com/file-scan/report.html?id=30df6acd0c57aedab88c2b3cbba92e207ecfed284862ddbe27a3b69ba1b6a456-1299552456
Ad-Aware isn't one of the products tested, the 8 failures are on Antiy-AVL, Norman, nProtect, Panda, SUPERAntiSpyware, TheHacker, TheHacker, VIPRE.
I scanned the win32 en-US installer of 4.0rc1, which is a binary cat of 7zsd.sfx + a text file + 7zip archive of data, and got 0/43: http://www.virustotal.com/file-scan/report.html?id=a3159386f1e967e16a977c17c59b2b1f0329300bbaf1c0ba6910aedc786d27dc-1299553359
Note that upx is used to compress 7zsd.sfx before the files are combined.
Any suggestions for how we proceed?
Updated•14 years ago
Assignee: infrasec → yboily
Comment 6•14 years ago
I have investigated this, and as far as I can tell it is a false positive. The 7zSD.sfx file is a win32 stub that is prepended to an archive to implement a self-extracting archive to be used as an installer. Typically the file will have a customized icon attached, and then be upx packed. I have reached out to Lavasoft in an attempt to find out if they can update the signature that triggers on the file, but haven't had a response yet.
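Comments 5 and 6 describe the installer as a byte-wise concatenation of the UPX-packed 7zSD.sfx stub, a text config file and a 7-Zip archive, with the detections firing on the stub alone and not on the combined installer. The following added example (not from this bug or from Mozilla's build tooling) splits such an installer so each part can be hashed and scanned separately; the `;!@Install@!UTF-8!` config header comes from 7-Zip's SFX config format, the `UPX!` marker is only a packing heuristic, and the input is a constructed stand-in rather than a real installer.

```python
import hashlib
from dataclasses import dataclass

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"   # 7-Zip archive signature bytes
CONFIG_START = b";!@Install@!UTF-8!"   # 7-Zip SFX config header (7-Zip format, not from the bug)
UPX_MARKER = b"UPX!"                   # string UPX leaves in packed PE images; heuristic only


@dataclass
class InstallerParts:
    stub: bytes      # the 7zSD.sfx PE stub, the part the AV engines flagged
    config: bytes    # the text file sandwiched between stub and archive
    archive: bytes   # the 7-Zip payload


def split_installer(data: bytes) -> InstallerParts:
    """Split a stub + config + 7z installer into its three concatenated parts.

    Assumes the 7z signature does not occur inside the stub itself (7-Zip's own
    SFX code stores it obfuscated for the same reason), so the first match is
    taken as the archive start.
    """
    if not data.startswith(b"MZ"):
        raise ValueError("not a PE image: missing MZ header")
    archive_off = data.find(SEVENZ_MAGIC)
    if archive_off < 0:
        raise ValueError("no 7z archive signature found")
    config_off = data.find(CONFIG_START, 0, archive_off)
    stub_end = config_off if config_off >= 0 else archive_off
    return InstallerParts(data[:stub_end], data[stub_end:archive_off], data[archive_off:])


def is_upx_packed(stub: bytes) -> bool:
    """Cheap heuristic: UPX writes its 'UPX!' magic into the packed image."""
    return UPX_MARKER in stub


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def build_sample() -> bytes:
    """Constructed stand-in for an installer; the byte layout is made up."""
    stub = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + UPX_MARKER + b"\x90" * 40
    config = CONFIG_START + b"\r\nTitle=\"Firefox\"\r\n;!@InstallEnd@!\r\n"
    archive = SEVENZ_MAGIC + b"\x00\x04" + b"\x11" * 48
    return stub + config + archive


if __name__ == "__main__":
    parts = split_installer(build_sample())
    for name, blob in (("stub", parts.stub), ("config", parts.config), ("archive", parts.archive)):
        print(f"{name:8s} {len(blob):6d} bytes  sha256={sha256(blob)}")
    print("stub UPX-packed:", is_upx_packed(parts.stub))
```

Hashing the carved stub rather than the whole installer is what lets a scan result on the combined file be compared with one on the stub alone, which is the discrepancy comment 5 reports.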
Updated•14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID