Closed Bug 636092 Opened 14 years ago Closed 14 years ago

Ad-Aware reported 7zsd.sfx infected with Trojan.Win32.Generic

Categories: mozilla.org :: Security Assurance, task
Hardware/OS: x86, Windows XP
Type: task
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED INVALID

People

(Reporter: mozilla_by, Assigned: ygjb)

Details

Recently I scanned my computer with Ad-Aware and it reported that a repository file contains a trojan:

Quarantined items:
Description: ...\mozilla-central\other-licenses\7zstub\firefox\7zsd.sfx
Family Name: Trojan.Win32.Generic!BT
Engine: 3
Clean status: Success
Item ID: 1
Family ID: 0
MD5: 53e575a6f0c5597e425ab8bc2609213a

Details: Ad-Aware 9.0.2 http://www.lavasoft.com/
Assignee: nobody → server-ops
Component: General → Server Operations: Security
Product: Firefox → mozilla.org
QA Contact: general → clyon
Version: Trunk → other
Assignee: server-ops → infrasec
Component: Server Operations: Security → Infrastructure Security
This is almost certainly a false positive or local infection. The file has not changed in the repo in several months: http://hg.mozilla.org/mozilla-central/log/88752f2b3088/other-licenses/7zstub/firefox/7zSD.sfx
Group: core-security
Severity: critical → normal
[root@dm-svn01 mozilla]# file mozilla-central/other-licenses/7zstub/firefox/7zSD.sfx
mozilla-central/other-licenses/7zstub/firefox/7zSD.sfx: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
[root@dm-svn01 mozilla]# clamscan mozilla-central/other-licenses/7zstub/firefox/7zSD.sfx
mozilla-central/other-licenses/7zstub/firefox/7zSD.sfx: OK

http://www.virustotal.com/file-scan/report.html?id=fb590dfadc96fdae469d46bae519ed5d90533ecb9e61db42aca2a3777c3991bd-1298461069

VirusTotal says:
File name: 7zSD.sfx
Submission date: 2011-02-23 11:37:49 (UTC)
Current status: finished
Result: 2/43 (4.7%)
nProtect 2011-02-10.01 2011.02.15 Trojan-Downloader/W32.Banload.121344.D
SUPERAntiSpyware 4.40.0.1006 2011.02.23 Trojan.Agent/Gen-BanLoad
I uploaded the raw file off the server, it's probably stored in hg's internal format and not what you get on a checkout. nthomas uploaded the checked-out version to virustotal and got 9/43 on it. https://www.virustotal.com/file-scan/report.html?id=30df6acd0c57aedab88c2b3cbba92e207ecfed284862ddbe27a3b69ba1b6a456-1298461420
So we are thinking this is still a false positive?
Retested - 8/43: http://www.virustotal.com/file-scan/report.html?id=30df6acd0c57aedab88c2b3cbba92e207ecfed284862ddbe27a3b69ba1b6a456-1299552456

Ad-Aware isn't one of the products tested; the 8 failures are on Antiy-AVL, Norman, nProtect, Panda, SUPERAntiSpyware, TheHacker, TheHacker, VIPRE.

I scanned the win32 en-US installer of 4.0rc1, which is a binary cat of 7zsd.sfx + a text file + 7zip archive of data, and got 0/43: http://www.virustotal.com/file-scan/report.html?id=a3159386f1e967e16a977c17c59b2b1f0329300bbaf1c0ba6910aedc786d27dc-1299553359

Note that upx is used to compress 7zsd.sfx before the files are combined. Any suggestions for how we proceed?
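The layout described in the comment above (PE stub, then a text file, then the 7-Zip archive) is what makes the two VirusTotal results differ: the bare, UPX-packed stub trips generic packer heuristics while the assembled installer does not. A practical check is to carve a built installer back into those components and hash and scan each one separately, so a detection can be pinned to the stub rather than to the shipped payload. The following Python is an added example, not code from this bug or from Mozilla's build tooling. It assumes the text file is a standard 7-Zip SFX configuration block delimited by `;!@Install@!UTF-8!` and `;!@InstallEnd@!`, locates the archive by its `7z\xBC\xAF\x27\x1C` signature, and flags UPX packing from the `UPX0`/`UPX1` section names UPX leaves in the PE; the sample installer it parses is constructed in `build_sample_installer` and is not a real Firefox build.

```python
import hashlib
import struct

SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
# 7-Zip SFX config markers; assumption: the "text file" in the comment is such a block.
CONFIG_START = b";!@Install@!UTF-8!"
CONFIG_END = b";!@InstallEnd@!"
IMAGE_FILE_MACHINE_I386 = 0x14C  # matches "Intel 80386 32-bit" in the file(1) output


def pe_sections(data):
    """Return (machine, [(name, raw_ptr, raw_size), ...]) from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsec = struct.unpack_from("<HH", data, coff)
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    sec_tbl = coff + 20 + size_opt  # section headers follow the optional header
    sections = []
    for i in range(nsec):
        off = sec_tbl + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, raw_ptr, raw_size))
    return machine, sections


def split_sfx_installer(data):
    """Carve stub / config / archive out of an SFX installer and hash the pieces.

    The stub ends where its last section's raw data ends; everything between that
    and the 7z signature is the config text. Caveat: an Authenticode signature on
    a signed installer is appended after the archive and stays in the archive slice.
    """
    machine, sections = pe_sections(data)
    stub_end = max(ptr + size for _, ptr, size in sections)
    arc_off = data.find(SEVEN_ZIP_MAGIC, stub_end)
    if arc_off < 0:
        raise ValueError("no 7z archive after the stub")
    stub, config, archive = data[:stub_end], data[stub_end:arc_off], data[arc_off:]
    return {
        "machine": machine,
        "sections": [name for name, _, _ in sections],
        "upx_packed": any(name.startswith("UPX") for name, _, _ in sections),
        "stub": stub,
        "config": config,
        "archive": archive,
        "stub_sha256": hashlib.sha256(stub).hexdigest(),
        "installer_sha256": hashlib.sha256(data).hexdigest(),
    }


def build_sample_installer():
    """Constructed sample: minimal PE32 with UPX0/UPX1 sections + config + fake 7z archive."""
    sec_names = [b"UPX0", b"UPX1"]
    size_opt = 224  # PE32 optional header size
    hdr_len = 0x40 + 4 + 20 + size_opt + 40 * len(sec_names)
    body_off = (hdr_len + 0x1FF) & ~0x1FF  # file-align section data to 512 bytes
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sec_names), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    sec_hdrs, sec_data, ptr = b"", b"", body_off
    for i, name in enumerate(sec_names):
        raw = bytes([0x41 + i]) * 512
        sec_hdrs += name.ljust(8, b"\0") + struct.pack("<IIII", len(raw), 0x1000 * (i + 1), len(raw), ptr) + b"\0" * 16
        sec_data += raw
        ptr += len(raw)
    stub = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdrs).ljust(body_off, b"\0") + sec_data
    config = CONFIG_START + b'\r\nTitle="Example"\r\n' + CONFIG_END + b"\r\n"
    # Signature header only (32 bytes) plus filler: enough to locate, not a valid archive.
    archive = SEVEN_ZIP_MAGIC + b"\x00\x04" + b"\x00" * 24 + b"payload"
    return stub + config + archive


if __name__ == "__main__":
    parts = split_sfx_installer(build_sample_installer())
    for key in ("machine", "sections", "upx_packed", "stub_sha256", "installer_sha256"):
        print(key, parts[key])
    print("config:", parts["config"].decode())
```

Run against a real installer, `stub_sha256` is the hash to submit or look up on its own, and `upx_packed` tells you whether the stub was packed before assembly, which is the condition the comment above says applies to 7zsd.sfx.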
Assignee: infrasec → yboily
I have investigated this, and as far as I can tell it is a false positive. The 7zSD.sfx file is a win32 stub that is prepended to an archive to implement a self-extracting archive to be used as an installer. Typically the file will have a customized icon attached, and then be upx packed. I have reached out to Lavasoft in an attempt to find out if they can update the signature that triggers on the file, but haven't had a response yet.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID