dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
6489
Jrb2
Premium Member
join:2001-08-31

2 recommendations

Jrb2

Premium Member

Beware of Combofix - contains infected file

Warning by Marcos at the ESET forum:
»www.wilderssecurity.com/ ··· t=340693

Quote:
We have discovered that the current installer of Combofix contains iexplore.exe infected with the Sality virus. It's pretty well detected by other vendors as well.
We do not recommend downloading and using it until the author remedies the issue.

norwegian
Premium Member
join:2005-02-15
Outback

norwegian

Premium Member

April 1st isn't here yet?

Wow, no one is bulletproof then?

MumRAR
@sky.com

MumRAR to Jrb2

Anon

to Jrb2
Unsure where Eset got their installer from but the official Combofix download link is at Bleepingcomputer.

The IExplorer.exe file is Nircmd.exe(renamed) with MD5 753BC16326FEE4A421ACB636CCD602F4

VT report would not say Sality for that file as its 3 year old legitimate tool.
»www.virustotal.com/file/ ··· nalysis/
Jrb2
Premium Member
join:2001-08-31

1 recommendation

Jrb2

Premium Member

Downloaded from BleepingComputer.
Eset (NOD32) warning: see screenshot
Jrb2

Jrb2

Premium Member

Scanned at VirusTotal:
30/45

Agnitum Win32.Sality.BL 20130128
AhnLab-V3 - 20130129
AntiVir W32/Sality.AT 20130129
Antiy-AVL - 20130129
Avast Win32:Sality 20130129
AVG Win32/Sality 20130129
BitDefender Win32.Sality.3 20130129
ByteHero - 20130123
CAT-QuickHeal W32.Sality.U 20130129
ClamAV - 20130129
Commtouch W32/Sality.gen2 20130129
Comodo Virus.Win32.Sality.Gen 20130129
DrWeb Win32.Sector.22 20130129
Emsisoft Win32.Sality.3 (B) 20130129
eSafe - 20130127
ESET-NOD32 Win32/Sality.NBA 20130129
F-Prot W32/Sality.gen2 20130129
Fortinet - 20130129
GData Win32.Sality.3 20130129
Ikarus Virus.Win32.Sality 20130129
Jiangmin Trojan/JmGenGeneric.boe 20121221
K7AntiVirus Virus 20130128
Kaspersky Virus.Win32.Sality.gen 20130129
Kingsoft - 20130121
Malwarebytes - 20130129
McAfee W32/Sality.gen.z 20130129
McAfee-GW-Edition - 20130129
Microsoft Virus:Win32/Sality.AT 20130129
MicroWorld-eScan Win32.Sality.3 20130129
NANO-Antivirus Virus.Win32.Sality.beygb 20130129
Norman Sality.ZGZ 20130129
nProtect Win32.Sality.3 20130129
Panda W32/Sality.AA 20130128
PCTools - 20130129
Rising Win32.KUKU.ky 20130129
Sophos Mal/Sality-D 20130129
SUPERAntiSpyware - 20130129
Symantec - 20130129
TheHacker - 20130128
TotalDefense - 20130129
TrendMicro PE_SALITY.RL-O 20130129
TrendMicro-HouseCall PE_SALITY.RL-O 20130129
VBA32 Virus.Win32.Sality.bakc 20130129
VIPRE Virus.Win32.Sality.at (v) 20130129
ViRobot - 20130129

SHA256: 4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333

MD5: c71b0515ef1200755ae61a5c4c9e8a86
Jrb2

Jrb2

Premium Member

Thread at BleepingComputer forum:
»www.bleepingcomputer.com ··· 407.html

No official responce yet there.

Robotics
See You On The Dark Side
Premium Member
join:2003-10-23
Louisa, VA

Robotics to Jrb2

Premium Member

to Jrb2
All I can say is wow!

How the hell did this happen? Is anyone saying yet?

dandelion
MVM
join:2003-04-29
Germantown, TN

dandelion to Jrb2

MVM

to Jrb2
This is almost unheard of. Did this happen just on that site or to the entire program?
trog
join:2001-03-25
Scarborough, ON

1 recommendation

trog to Jrb2

Member

to Jrb2
From wilders:
said by Blade Z :
Hello,

Just letting you know that the mirror at Bleeping Computer has been deactivated until this gets sorted out. So that should go a ways towards minimizing the exposure.

A big thanks to Marcos as it was this thread that first alerted our staff to the issue.

~Blade
Bleeping Computer Forum Administrator

TheJoker
MVM
join:2001-04-26
Charlottesville, VA

3 recommendations

TheJoker

MVM

And I notified sUBs this morning just in case.

therube
join:2004-11-11
Randallstown, MD

therube to MumRAR

Member

to MumRAR
quote:
IExplorer.exe file is Nircmd.exe(renamed)
Why would they do that, unless to act like a chameleon?
alien8
join:2004-03-03
UK

alien8 to Jrb2

Member

to Jrb2
I downloaded Combofix on the 23rd Jan, from the mirror and
it's got this md5 hash:

2D928456F2238FBB9C06F173691B0B83

So, look like the new version got put there since 23rd??
Jrb2
Premium Member
join:2001-08-31

2 recommendations

Jrb2

Premium Member

Two posts at BleepingComputer:

1.
»www.bleepingcomputer.com ··· 407.html

By Grinler:
quote:
The download has been pulled since earlier this morning as sUBs investigates the reports. At this time, I unfortunately do not have any other information for anyone.

Stay tuned.

2.
»www.bleepingcomputer.com ··· 431.html

By Grinler
Information about ComboFix being infected and what you should do
quote:
Unfortunately it has come to light that the program ComboFix had a file in it that is infected with the Sality virus. The minute we heard about this, we pulled the executable so that it is no longer available from BleepingComputer.com. Unfortunately we have no control over other sites that may have mirrored ComboFix without permission, so please do not attempt to download it elsewhere.

The developer, sUBs, is currently looking into what happened and when I have a full update, I will be sure to let you know. From the limited information that I have, it appears that the affected version has been available since approximately 2am EST on January 29th. If this timeframe changes, I will update this topic to let you know. If you have used a new copy of ComboFix downloaded after 2am EST, then you should examine your system for possible infection. If you have used a copy of ComboFix prior to this version, then you should be ok.

In the meantime, it is important for those who may have used ComboFix recently and are concerned they are infected to get the help they need. As the Sality infection has been around for a while, almost all antivirus vendors will have detected it and blocked it when you ran ComboFix. Unfortunately, not everyone has up-to-date virus definitions or uses an AV program, so it is important to examine your system if you have downloaded a new copy and used it since 2am EST.

Read more at that second link!

therube
join:2004-11-11
Randallstown, MD

1 edit

therube to alien8

Member

to alien8
A 28th Jan version gives this md5 hash:

0f6d28a70471051c4c7785335acba626

And oddly, VirusTotal only shows 1 / 46 for it: ComboFix_13-01-28.01.exe

Edit to include SHA265 hash (that's like 256+9 for good luck):

SHA256: 361548f74415a41f00d5345b3e3c489b3282b302c0c51266880eda586db01a12
therube

therube to MumRAR

Member

to MumRAR
What version & size of nircmd.exe ?

In what I have (Combofix.exe), both firefox.exe.VIR & iexplore.exe.VIR (both lower case, the .VIR added by me) are 256,000 bytes (& are exactly the same, chameleons if you will) but neither compare in any way to any nircmd.exe that I have?

VirusTotal (1 / 46) iexplore.exe.
Grinler
join:2004-03-31
New York, NY

Grinler

Member

The affected file was not nircmd. It was a different file unfortunately.

therube
join:2004-11-11
Randallstown, MD

therube to Jrb2

Member

to Jrb2
Sure would be nice if they posted a hash of the infected version.
And better yet if they also posted hashes for their prior, known good versions.

(So like is my 1-28 version good or bad, or have I lucked out by a few hours?)

If mine is good, then maybe I could use Combofix to fix Combofix .
Grinler
join:2004-03-31
New York, NY

1 recommendation

Grinler

Member

Waiting on this information from the developer. At the same time, if you scan your current version and it shows clean in virustotal then you are good to go.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline to Jrb2

Premium Member

to Jrb2
fwiw, Jrb2 See Profile

ESET users have some level of protection from Sality

I hope that an uninfected version of combofix is made available soon.

Smokey Bear
veritas odium parit
Premium Member
join:2008-03-15
Annie's Pub

1 recommendation

Smokey Bear

Premium Member

said by siljaline:
ESET users have some level of protection from Sality


Most other vendors offer protection too, it's not just ESET.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

1 recommendation

siljaline

Premium Member

That would be a fair assumtion that other A/V vendors do.
Since I loan a hand with ESET support, the link I provided was an example. Additionally, some here run ESET A/V.
siljaline

siljaline to Smokey Bear

Premium Member

to Smokey Bear
Noted: A Query of MS MMPC yields:
»www.microsoft.com/securi ··· y=Sality

therube
join:2004-11-11
Randallstown, MD

therube

Member

quote:
SHA256 Hashes of known affected versions are:

4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d
4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8

quote:
Added hashes of the known affected version to first post. Hashes can be found below as well:

SHA256:
4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
MD5: c71b0515ef1200755ae61a5c4c9e8a86

»www.bleepingcomputer.com ··· 431.html

(Now we need an SHA256 to MD5 converter .)

So presumably what I had gotten earlier, 1 day prior, is OK.
(It came from Softpedia, though I notified them of this issue so don't know if they're still hosting or not?)
Jrb2
Premium Member
join:2001-08-31

Jrb2

Premium Member

The file, which I scanned earlier at VT, was the one with checksums:
SHA256:
4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
MD5: c71b0515ef1200755ae61a5c4c9e8a86

I did post those checksums in my previous post in this thread, along with the results at VT at that moment, and with the alert by NOD32.
I wasn't at that moment the first one who had scanned it there.
Jrb2

1 recommendation

Jrb2

Premium Member

Postings by Grinler at BleepingComputer:
»www.bleepingcomputer.com ··· 431.html
quote:
ComboFix is now live, clean, and available to download from its normal links.

On a question whether Combofix would deal with the Sality infection:
quote:
I would avoid ComboFix until you have confirmed your computer is not infected with Sality. Ironically, CF will quarantine Sality infected files, other than OS files, if they are found.

About the version I downloaded from BleepingComputer about an half hour ago:

ComboFix.exe

Version 13.1.30.4

SHA256: a1ed6bc74db51c219c08d6126d7de5c60570b2f76c60ce602bf602096d2f85a1
MD5: 4f973e9d3fdaeb5347243e8e169714e7

VT:
2/45

AntiVir TR/Crypt.XPACK.Gen
Jiangmin Trojan/JmGenGeneric.boe

trparky
Premium Member
join:2000-05-24
Cleveland, OH
·AT&T U-Verse

1 recommendation

trparky

Premium Member

I downloaded the same file you did, the signatures (MD5 and SHA256) match. I scanned the file with both Webroot and MalwareBytes AntiMalware using the latest definitions, no infection found.

»www.virustotal.com/file/ ··· 9592743/

TheJoker
MVM
join:2001-04-26
Charlottesville, VA

1 recommendation

TheJoker

MVM

From Grinler:
quote:
ComboFix is now live, clean, and available to download from its normal links.
»www.bleepingcomputer.com ··· _2962394

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

1 recommendation

siljaline to Jrb2

Premium Member

to Jrb2
Combofix: a cocktail of infective factors
• »blog.eset.com/2013/02/01 ··· -factors
Mele20
Premium Member
join:2001-06-05
Hilo, HI

1 recommendation

Mele20

Premium Member

That was a good blog. It can never be said enough that users should NOT use sites like download.com to get applications but should always go to the vendor's site as that is where it is least likely one will get infected from a tainted download. Plus, as the blog points out, the official host site/vendor's site will react very rapidly if made aware of a problem, whereas, mirror sites may not...especially those that mirror without permission. If users would stop using sites like download.com maybe sites like it would disappear which would be good.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline

Premium Member

Your welcome for the ESET Blog entry, it was well thought-out and well penned.
Also see from Bill P of Win Patrol:
»billpstudios.blogspot.ca ··· are.html