Jrb2 Premium Member join:2001-08-31
2 recommendations |
Jrb2
Premium Member
2013-Jan-29 6:55 am
Beware of Combofix - contains infected fileWarning by Marcos at the ESET forum: » www.wilderssecurity.com/ ··· t=340693Quote: We have discovered that the current installer of Combofix contains iexplore.exe infected with the Sality virus. It's pretty well detected by other vendors as well. We do not recommend downloading and using it until the author remedies the issue. |
|
norwegian Premium Member join:2005-02-15 Outback |
April 1st isn't here yet? Wow, no one is bulletproof then? |
|
|
MumRAR to Jrb2
Anon
2013-Jan-29 7:46 am
to Jrb2
Unsure where Eset got their installer from but the official Combofix download link is at Bleepingcomputer. The IExplorer.exe file is Nircmd.exe(renamed) with MD5 753BC16326FEE4A421ACB636CCD602F4 VT report would not say Sality for that file as its 3 year old legitimate tool. » www.virustotal.com/file/ ··· nalysis/ |
|
Jrb2 Premium Member join:2001-08-31
1 recommendation |
Jrb2
Premium Member
2013-Jan-29 7:56 am
Downloaded from BleepingComputer. Eset (NOD32) warning: see screenshot |
|
Jrb2 |
Jrb2
Premium Member
2013-Jan-29 8:00 am
Scanned at VirusTotal: 30/45
Agnitum Win32.Sality.BL 20130128 AhnLab-V3 - 20130129 AntiVir W32/Sality.AT 20130129 Antiy-AVL - 20130129 Avast Win32:Sality 20130129 AVG Win32/Sality 20130129 BitDefender Win32.Sality.3 20130129 ByteHero - 20130123 CAT-QuickHeal W32.Sality.U 20130129 ClamAV - 20130129 Commtouch W32/Sality.gen2 20130129 Comodo Virus.Win32.Sality.Gen 20130129 DrWeb Win32.Sector.22 20130129 Emsisoft Win32.Sality.3 (B) 20130129 eSafe - 20130127 ESET-NOD32 Win32/Sality.NBA 20130129 F-Prot W32/Sality.gen2 20130129 Fortinet - 20130129 GData Win32.Sality.3 20130129 Ikarus Virus.Win32.Sality 20130129 Jiangmin Trojan/JmGenGeneric.boe 20121221 K7AntiVirus Virus 20130128 Kaspersky Virus.Win32.Sality.gen 20130129 Kingsoft - 20130121 Malwarebytes - 20130129 McAfee W32/Sality.gen.z 20130129 McAfee-GW-Edition - 20130129 Microsoft Virus:Win32/Sality.AT 20130129 MicroWorld-eScan Win32.Sality.3 20130129 NANO-Antivirus Virus.Win32.Sality.beygb 20130129 Norman Sality.ZGZ 20130129 nProtect Win32.Sality.3 20130129 Panda W32/Sality.AA 20130128 PCTools - 20130129 Rising Win32.KUKU.ky 20130129 Sophos Mal/Sality-D 20130129 SUPERAntiSpyware - 20130129 Symantec - 20130129 TheHacker - 20130128 TotalDefense - 20130129 TrendMicro PE_SALITY.RL-O 20130129 TrendMicro-HouseCall PE_SALITY.RL-O 20130129 VBA32 Virus.Win32.Sality.bakc 20130129 VIPRE Virus.Win32.Sality.at (v) 20130129 ViRobot - 20130129
SHA256: 4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
MD5: c71b0515ef1200755ae61a5c4c9e8a86 |
|
Jrb2 |
Jrb2
Premium Member
2013-Jan-29 8:45 am
Thread at BleepingComputer forum: » www.bleepingcomputer.com ··· 407.htmlNo official responce yet there. |
|
RoboticsSee You On The Dark Side Premium Member join:2003-10-23 Louisa, VA |
to Jrb2
All I can say is wow!
How the hell did this happen? Is anyone saying yet? |
|
|
to Jrb2
This is almost unheard of. Did this happen just on that site or to the entire program? |
|
trog join:2001-03-25 Scarborough, ON
1 recommendation |
trog to Jrb2
Member
2013-Jan-29 10:23 am
to Jrb2
From wilders: said by Blade Z : Hello,
Just letting you know that the mirror at Bleeping Computer has been deactivated until this gets sorted out. So that should go a ways towards minimizing the exposure.
A big thanks to Marcos as it was this thread that first alerted our staff to the issue.
~Blade Bleeping Computer Forum Administrator
|
|
TheJoker MVM join:2001-04-26 Charlottesville, VA
3 recommendations |
And I notified sUBs this morning just in case. |
|
therube join:2004-11-11 Randallstown, MD |
to MumRAR
quote: IExplorer.exe file is Nircmd.exe(renamed)
Why would they do that, unless to act like a chameleon? |
|
|
|
to Jrb2
I downloaded Combofix on the 23rd Jan, from the mirror and it's got this md5 hash:
2D928456F2238FBB9C06F173691B0B83
So, look like the new version got put there since 23rd?? |
|
Jrb2 Premium Member join:2001-08-31
2 recommendations |
Jrb2
Premium Member
2013-Jan-29 11:56 am
Two posts at BleepingComputer: 1. » www.bleepingcomputer.com ··· 407.htmlBy Grinler: quote: The download has been pulled since earlier this morning as sUBs investigates the reports. At this time, I unfortunately do not have any other information for anyone.
Stay tuned.
2. » www.bleepingcomputer.com ··· 431.htmlBy Grinler Information about ComboFix being infected and what you should do quote: Unfortunately it has come to light that the program ComboFix had a file in it that is infected with the Sality virus. The minute we heard about this, we pulled the executable so that it is no longer available from BleepingComputer.com. Unfortunately we have no control over other sites that may have mirrored ComboFix without permission, so please do not attempt to download it elsewhere.
The developer, sUBs, is currently looking into what happened and when I have a full update, I will be sure to let you know. From the limited information that I have, it appears that the affected version has been available since approximately 2am EST on January 29th. If this timeframe changes, I will update this topic to let you know. If you have used a new copy of ComboFix downloaded after 2am EST, then you should examine your system for possible infection. If you have used a copy of ComboFix prior to this version, then you should be ok.
In the meantime, it is important for those who may have used ComboFix recently and are concerned they are infected to get the help they need. As the Sality infection has been around for a while, almost all antivirus vendors will have detected it and blocked it when you ran ComboFix. Unfortunately, not everyone has up-to-date virus definitions or uses an AV program, so it is important to examine your system if you have downloaded a new copy and used it since 2am EST.
Read more at that second link! |
|
therube join:2004-11-11 Randallstown, MD 1 edit |
to alien8
A 28th Jan version gives this md5 hash: 0f6d28a70471051c4c7785335acba626 And oddly, VirusTotal only shows 1 / 46 for it: ComboFix_13-01-28.01.exeEdit to include SHA265 hash (that's like 256+9 for good luck): SHA256: 361548f74415a41f00d5345b3e3c489b3282b302c0c51266880eda586db01a12 |
|
therube |
to MumRAR
What version & size of nircmd.exe ? In what I have (Combofix.exe), both firefox.exe.VIR & iexplore.exe.VIR (both lower case, the .VIR added by me) are 256,000 bytes (& are exactly the same, chameleons if you will) but neither compare in any way to any nircmd.exe that I have? VirusTotal (1 / 46) iexplore.exe. |
|
|
Grinler
Member
2013-Jan-29 12:44 pm
The affected file was not nircmd. It was a different file unfortunately. |
|
therube join:2004-11-11 Randallstown, MD |
to Jrb2
Sure would be nice if they posted a hash of the infected version. And better yet if they also posted hashes for their prior, known good versions. (So like is my 1-28 version good or bad, or have I lucked out by a few hours?) If mine is good, then maybe I could use Combofix to fix Combofix . |
|
1 recommendation |
Grinler
Member
2013-Jan-29 12:46 pm
Waiting on this information from the developer. At the same time, if you scan your current version and it shows clean in virustotal then you are good to go. |
|
siljalineI'm lovin' that double wide Premium Member join:2002-10-12 Montreal, QC |
to Jrb2
fwiw, Jrb2 ESET users have some level of protection from SalityI hope that an uninfected version of combofix is made available soon. |
|
Smokey Bearveritas odium parit Premium Member join:2008-03-15 Annie's Pub
1 recommendation |
said by siljaline: ESET users have some level of protection from Sality
Most other vendors offer protection too, it's not just ESET. |
|
siljalineI'm lovin' that double wide Premium Member join:2002-10-12 Montreal, QC
1 recommendation |
That would be a fair assumtion that other A/V vendors do. Since I loan a hand with ESET support, the link I provided was an example. Additionally, some here run ESET A/V. |
|
siljaline |
to Smokey Bear
|
|
therube join:2004-11-11 Randallstown, MD |
quote: SHA256 Hashes of known affected versions are:
4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333 e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d 4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333 e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8
quote: Added hashes of the known affected version to first post. Hashes can be found below as well:
SHA256: 4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333 MD5: c71b0515ef1200755ae61a5c4c9e8a86
» www.bleepingcomputer.com ··· 431.html(Now we need an SHA256 to MD5 converter .) So presumably what I had gotten earlier, 1 day prior, is OK. (It came from Softpedia, though I notified them of this issue so don't know if they're still hosting or not?) |
|
Jrb2 Premium Member join:2001-08-31 |
Jrb2
Premium Member
2013-Jan-29 8:03 pm
The file, which I scanned earlier at VT, was the one with checksums: SHA256: 4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333 MD5: c71b0515ef1200755ae61a5c4c9e8a86
I did post those checksums in my previous post in this thread, along with the results at VT at that moment, and with the alert by NOD32. I wasn't at that moment the first one who had scanned it there. |
|
Jrb2
1 recommendation |
Jrb2
Premium Member
2013-Jan-30 4:27 pm
Postings by Grinler at BleepingComputer: » www.bleepingcomputer.com ··· 431.htmlquote: ComboFix is now live, clean, and available to download from its normal links.
On a question whether Combofix would deal with the Sality infection: quote: I would avoid ComboFix until you have confirmed your computer is not infected with Sality. Ironically, CF will quarantine Sality infected files, other than OS files, if they are found.
About the version I downloaded from BleepingComputer about an half hour ago: ComboFix.exe Version 13.1.30.4 SHA256: a1ed6bc74db51c219c08d6126d7de5c60570b2f76c60ce602bf602096d2f85a1 MD5: 4f973e9d3fdaeb5347243e8e169714e7 VT: 2/45 AntiVir TR/Crypt.XPACK.Gen Jiangmin Trojan/JmGenGeneric.boe |
|
trparky Premium Member join:2000-05-24 Cleveland, OH ·AT&T U-Verse
1 recommendation |
trparky
Premium Member
2013-Jan-30 7:43 pm
I downloaded the same file you did, the signatures (MD5 and SHA256) match. I scanned the file with both Webroot and MalwareBytes AntiMalware using the latest definitions, no infection found. » www.virustotal.com/file/ ··· 9592743/ |
|
TheJoker MVM join:2001-04-26 Charlottesville, VA
1 recommendation |
From Grinler: quote: ComboFix is now live, clean, and available to download from its normal links.
» www.bleepingcomputer.com ··· _2962394 |
|
siljalineI'm lovin' that double wide Premium Member join:2002-10-12 Montreal, QC
1 recommendation |
to Jrb2
Combofix: a cocktail of infective factors • » blog.eset.com/2013/02/01 ··· -factors |
|
Mele20 Premium Member join:2001-06-05 Hilo, HI
1 recommendation |
Mele20
Premium Member
2013-Feb-1 9:00 pm
That was a good blog. It can never be said enough that users should NOT use sites like download.com to get applications but should always go to the vendor's site as that is where it is least likely one will get infected from a tainted download. Plus, as the blog points out, the official host site/vendor's site will react very rapidly if made aware of a problem, whereas, mirror sites may not...especially those that mirror without permission. If users would stop using sites like download.com maybe sites like it would disappear which would be good. |
|
siljalineI'm lovin' that double wide Premium Member join:2002-10-12 Montreal, QC |
Your welcome for the ESET Blog entry, it was well thought-out and well penned. Also see from Bill P of Win Patrol: » billpstudios.blogspot.ca ··· are.html |
|