dslreports forums
Jrb2
Premium
join:2001-08-31
kudos:3

2 recommendations

Beware of Combofix - contains infected file

Warning by Marcos at the ESET forum:
»www.wilderssecurity.com/showthre···t=340693

Quote:
We have discovered that the current installer of Combofix contains iexplore.exe infected with the Sality virus. It's pretty well detected by other vendors as well.
We do not recommend downloading and using it until the author remedies the issue.



norwegian
Premium
join:2005-02-15
Outback

April 1st isn't here yet?

Wow, no one is bulletproof then?



MumRAR

@sky.com
reply to Jrb2

Unsure where ESET got their installer from, but the official Combofix download link is at BleepingComputer.

The IExplorer.exe file is Nircmd.exe (renamed) with MD5 753BC16326FEE4A421ACB636CCD602F4

A VT report would not say Sality for that file, as it's a 3-year-old legitimate tool.
»www.virustotal.com/file/24ca5ceb···nalysis/


Jrb2
Premium
join:2001-08-31
kudos:3

1 recommendation

reply to Jrb2

Downloaded from BleepingComputer.
Eset (NOD32) warning: see screenshot

Jrb2
Premium
join:2001-08-31
kudos:3
reply to Jrb2

Scanned at VirusTotal:
30/45

Scanner / Result ("-" = no detection) / Definitions date
Agnitum Win32.Sality.BL 20130128
AhnLab-V3 - 20130129
AntiVir W32/Sality.AT 20130129
Antiy-AVL - 20130129
Avast Win32:Sality 20130129
AVG Win32/Sality 20130129
BitDefender Win32.Sality.3 20130129
ByteHero - 20130123
CAT-QuickHeal W32.Sality.U 20130129
ClamAV - 20130129
Commtouch W32/Sality.gen2 20130129
Comodo Virus.Win32.Sality.Gen 20130129
DrWeb Win32.Sector.22 20130129
Emsisoft Win32.Sality.3 (B) 20130129
eSafe - 20130127
ESET-NOD32 Win32/Sality.NBA 20130129
F-Prot W32/Sality.gen2 20130129
Fortinet - 20130129
GData Win32.Sality.3 20130129
Ikarus Virus.Win32.Sality 20130129
Jiangmin Trojan/JmGenGeneric.boe 20121221
K7AntiVirus Virus 20130128
Kaspersky Virus.Win32.Sality.gen 20130129
Kingsoft - 20130121
Malwarebytes - 20130129
McAfee W32/Sality.gen.z 20130129
McAfee-GW-Edition - 20130129
Microsoft Virus:Win32/Sality.AT 20130129
MicroWorld-eScan Win32.Sality.3 20130129
NANO-Antivirus Virus.Win32.Sality.beygb 20130129
Norman Sality.ZGZ 20130129
nProtect Win32.Sality.3 20130129
Panda W32/Sality.AA 20130128
PCTools - 20130129
Rising Win32.KUKU.ky 20130129
Sophos Mal/Sality-D 20130129
SUPERAntiSpyware - 20130129
Symantec - 20130129
TheHacker - 20130128
TotalDefense - 20130129
TrendMicro PE_SALITY.RL-O 20130129
TrendMicro-HouseCall PE_SALITY.RL-O 20130129
VBA32 Virus.Win32.Sality.bakc 20130129
VIPRE Virus.Win32.Sality.at (v) 20130129
ViRobot - 20130129

SHA256: 4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333

MD5: c71b0515ef1200755ae61a5c4c9e8a86

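The pasted VirusTotal output above is the kind of thing that ends up in a ticket, so here is an added example (not from the thread, not from VirusTotal or BleepingComputer) that parses that exact report format in Python: it recovers the 30/45 ratio, counts how many engines name Sality (the family consensus is what matters, not any single vendor's label), and flags engines that reported no detection while running definitions older than the scan date, since a miss from a stale engine carries little weight. The report text is embedded as sample input copied from the post; the line format "Vendor Result YYYYMMDD", with a result that may contain spaces such as "Win32.Sality.3 (B)", is an assumption based on how the list reads here.

```python
import re

# Sample input: the VirusTotal result list pasted in this thread, embedded so the
# script runs offline. Format per line (assumed from the post): Vendor Result YYYYMMDD.
VT_REPORT = """\
Agnitum Win32.Sality.BL 20130128
AhnLab-V3 - 20130129
AntiVir W32/Sality.AT 20130129
Antiy-AVL - 20130129
Avast Win32:Sality 20130129
AVG Win32/Sality 20130129
BitDefender Win32.Sality.3 20130129
ByteHero - 20130123
CAT-QuickHeal W32.Sality.U 20130129
ClamAV - 20130129
Commtouch W32/Sality.gen2 20130129
Comodo Virus.Win32.Sality.Gen 20130129
DrWeb Win32.Sector.22 20130129
Emsisoft Win32.Sality.3 (B) 20130129
eSafe - 20130127
ESET-NOD32 Win32/Sality.NBA 20130129
F-Prot W32/Sality.gen2 20130129
Fortinet - 20130129
GData Win32.Sality.3 20130129
Ikarus Virus.Win32.Sality 20130129
Jiangmin Trojan/JmGenGeneric.boe 20121221
K7AntiVirus Virus 20130128
Kaspersky Virus.Win32.Sality.gen 20130129
Kingsoft - 20130121
Malwarebytes - 20130129
McAfee W32/Sality.gen.z 20130129
McAfee-GW-Edition - 20130129
Microsoft Virus:Win32/Sality.AT 20130129
MicroWorld-eScan Win32.Sality.3 20130129
NANO-Antivirus Virus.Win32.Sality.beygb 20130129
Norman Sality.ZGZ 20130129
nProtect Win32.Sality.3 20130129
Panda W32/Sality.AA 20130128
PCTools - 20130129
Rising Win32.KUKU.ky 20130129
Sophos Mal/Sality-D 20130129
SUPERAntiSpyware - 20130129
Symantec - 20130129
TheHacker - 20130128
TotalDefense - 20130129
TrendMicro PE_SALITY.RL-O 20130129
TrendMicro-HouseCall PE_SALITY.RL-O 20130129
VBA32 Virus.Win32.Sality.bakc 20130129
VIPRE Virus.Win32.Sality.at (v) 20130129
ViRobot - 20130129
"""

# Vendor is the first token, the date is the final 8-digit token, and everything in
# between (possibly containing spaces) is the detection name. A lone "-" means no detection.
LINE_RE = re.compile(r"^(?P<vendor>\S+)\s+(?P<result>.+?)\s+(?P<date>\d{8})$")


def parse_vt_report(text):
    """Return a list of (vendor, result_or_None, definitions_date) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable VirusTotal line: {line!r}")
        result = m.group("result")
        rows.append((m.group("vendor"), None if result == "-" else result, m.group("date")))
    return rows


def detection_ratio(rows):
    """(engines that detected something, engines total), i.e. the 'N/M' VirusTotal shows."""
    return sum(1 for _, result, _ in rows if result is not None), len(rows)


def family_votes(rows, family):
    """Engines whose detection name mentions the family, case-insensitively, so
    'PE_SALITY.RL-O', 'Mal/Sality-D' and 'Win32:Sality' all count as one vote each."""
    needle = family.lower()
    return sum(1 for _, result, _ in rows if result and needle in result.lower())


def stale_misses(rows, scan_date):
    """Vendors that reported no detection while using definitions older than the scan
    date (YYYYMMDD strings compare correctly as plain strings). These misses are weak
    evidence of cleanliness compared to a miss from an up-to-date engine."""
    return [vendor for vendor, result, date in rows if result is None and date < scan_date]


if __name__ == "__main__":
    rows = parse_vt_report(VT_REPORT)
    detected, total = detection_ratio(rows)
    print(f"{detected}/{total} engines detected; {family_votes(rows, 'sality')} name Sality")
    print("misses with stale definitions:", stale_misses(rows, "20130129"))
```

The family count is what you would use to decide the report describes one well-known infector rather than a scattering of unrelated generic hits; the stale-miss list is the caveat a reviewer would want before reading "engine X says clean" as a vote.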

Jrb2
Premium
join:2001-08-31
kudos:3
reply to Jrb2

Thread at BleepingComputer forum:
»www.bleepingcomputer.com/forums/···407.html

No official response there yet.



Robotics
See You On The Dark Side
Premium
join:2003-10-23
Louisa, VA
reply to Jrb2

All I can say is wow!

How the hell did this happen? Is anyone saying yet?



dandelion
Premium,MVM
join:2003-04-29
Germantown, TN
kudos:5
reply to Jrb2

This is almost unheard of. Did this happen just on that site or to the entire program?


trog

join:2001-03-25
Scarborough, ON

1 recommendation

reply to Jrb2

From wilders:

said by Blade Z :
Hello,

Just letting you know that the mirror at Bleeping Computer has been deactivated until this gets sorted out. So that should go a ways towards minimizing the exposure.

A big thanks to Marcos as it was this thread that first alerted our staff to the issue.

~Blade
Bleeping Computer Forum Administrator


TheJoker
Premium,VIP,MVM
join:2001-04-26
Charlottesville, VA
kudos:5

3 recommendations

And I notified sUBs this morning just in case.



therube

join:2004-11-11
Randallstown, MD
reply to MumRAR

quote:
IExplorer.exe file is Nircmd.exe(renamed)
Why would they do that, unless to act like a chameleon?

alien8

join:2004-03-03
UK
reply to Jrb2

I downloaded Combofix on the 23rd Jan, from the mirror and
it's got this md5 hash:

2D928456F2238FBB9C06F173691B0B83

So, looks like the new version got put there since the 23rd??
--
»sanesecurity.blogspot.com/


Jrb2
Premium
join:2001-08-31
kudos:3

2 recommendations

reply to Jrb2

Two posts at BleepingComputer:

1.
»www.bleepingcomputer.com/forums/···407.html

By Grinler:

quote:
The download has been pulled since earlier this morning as sUBs investigates the reports. At this time, I unfortunately do not have any other information for anyone.

Stay tuned.

2.
»www.bleepingcomputer.com/forums/···431.html

By Grinler
Information about ComboFix being infected and what you should do

quote:
Unfortunately it has come to light that the program ComboFix had a file in it that is infected with the Sality virus. The minute we heard about this, we pulled the executable so that it is no longer available from BleepingComputer.com. Unfortunately we have no control over other sites that may have mirrored ComboFix without permission, so please do not attempt to download it elsewhere.

The developer, sUBs, is currently looking into what happened and when I have a full update, I will be sure to let you know. From the limited information that I have, it appears that the affected version has been available since approximately 2am EST on January 29th. If this timeframe changes, I will update this topic to let you know. If you have used a new copy of ComboFix downloaded after 2am EST, then you should examine your system for possible infection. If you have used a copy of ComboFix prior to this version, then you should be ok.

In the meantime, it is important for those who may have used ComboFix recently and are concerned they are infected to get the help they need. As the Sality infection has been around for a while, almost all antivirus vendors will have detected it and blocked it when you ran ComboFix. Unfortunately, not everyone has up-to-date virus definitions or uses an AV program, so it is important to examine your system if you have downloaded a new copy and used it since 2am EST.

Read more at that second link!


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL

1 edit
reply to alien8

A 28th Jan version gives this md5 hash:

0f6d28a70471051c4c7785335acba626

And oddly, VirusTotal only shows 1 / 46 for it: ComboFix_13-01-28.01.exe

Edit to include SHA265 hash (that's like 256+9 for good luck):

SHA256: 361548f74415a41f00d5345b3e3c489b3282b302c0c51266880eda586db01a12



therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL
reply to MumRAR

What version & size of nircmd.exe ?

In what I have (Combofix.exe), both firefox.exe.VIR & iexplore.exe.VIR (both lower case, the .VIR added by me) are 256,000 bytes (& are exactly the same, chameleons if you will) but neither compare in any way to any nircmd.exe that I have?

VirusTotal (1 / 46) iexplore.exe.


Grinler

join:2004-03-31
New York, NY

The affected file was not nircmd. It was a different file unfortunately.



therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL
reply to Jrb2

Sure would be nice if they posted a hash of the infected version.
And better yet if they also posted hashes for their prior, known good versions.

(So like is my 1-28 version good or bad, or have I lucked out by a few hours?)

If mine is good, then maybe I could use Combofix to fix Combofix.


Grinler

join:2004-03-31
New York, NY

1 recommendation

Waiting on this information from the developer. At the same time, if you scan your current version and it shows clean in virustotal then you are good to go.



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to Jrb2

fwiw, Jrb2

ESET users have some level of protection from Sality

I hope that an uninfected version of combofix is made available soon.



Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
kudos:4

1 recommendation

said by siljaline:
ESET users have some level of protection from Sality


Most other vendors offer protection too, it's not just ESET.
--
»bit.ly/gUqYaH - C. Brian Smith: Think of the exclamation point as a car horn: a little goes a long way. Lay on it too hard and everyone’s going to think you’re a moron.
»bit.ly/V5mACB - How-To: Destroying a faulty keyboard


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17

1 recommendation

That would be a fair assumption that other A/V vendors do.
Since I lend a hand with ESET support, the link I provided was an example. Additionally, some here run ESET A/V.



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
reply to Smokey Bear

Noted: A Query of MS MMPC yields:
»www.microsoft.com/security/porta···y=Sality



therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL
reply to therube

quote:
SHA256 Hashes of known affected versions are:

4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d
4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8

quote:
Added hashes of the known affected version to first post. Hashes can be found below as well:

SHA256:
4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
MD5: c71b0515ef1200755ae61a5c4c9e8a86

»www.bleepingcomputer.com/forums/···431.html

(Now we need an SHA256 to MD5 converter.)

So presumably what I had gotten earlier, 1 day prior, is OK.
(It came from Softpedia, though I notified them of this issue so don't know if they're still hosting or not?)

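There is no converter from SHA256 to MD5; you recompute both from the file you actually have and compare against the published list. As an added example (my own code, not from this thread, BleepingComputer or the ComboFix author), the Python below hashes a download once for both digests, classifies the SHA256 against the affected-version hashes quoted above and the hash of the clean 13.1.30.4 re-release posted later in the thread, and answers the question asked here: a hash that is on neither list, such as the 1-28 build's 361548f7..., comes back "unknown", not "good". The scratch file in the main block is constructed sample bytes, not a real installer.

```python
import hashlib
import io
import os
import tempfile

# SHA256 digests of the affected ComboFix builds, as published by BleepingComputer
# and quoted in this thread.
KNOWN_BAD_SHA256 = frozenset({
    "4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333",
    "e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d",
    "e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8",
})

# SHA256 of the clean ComboFix 13.1.30.4 re-release, as posted later in this thread.
KNOWN_GOOD_SHA256 = frozenset({
    "a1ed6bc74db51c219c08d6126d7de5c60570b2f76c60ce602bf602096d2f85a1",
})


def digest_stream(fileobj, chunk_size=1 << 20):
    """Compute SHA256 and MD5 in one pass so a large installer is read from disk once."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        sha256.update(chunk)
        md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def digest_bytes(data):
    """(sha256_hex, md5_hex) of an in-memory byte string."""
    return digest_stream(io.BytesIO(data))


def digest_file(path):
    """(sha256_hex, md5_hex) of a file on disk."""
    with open(path, "rb") as f:
        return digest_stream(f)


def classify_sha256(hexdigest):
    """'infected' if on the published bad list, 'known-good' if it is the clean re-release,
    otherwise 'unknown'. Absence from the bad list is not a clean bill of health: only a
    match against a hash the publisher vouches for is."""
    h = hexdigest.strip().lower()
    if h in KNOWN_BAD_SHA256:
        return "infected"
    if h in KNOWN_GOOD_SHA256:
        return "known-good"
    return "unknown"


def check_download(path):
    """Hash a downloaded file and report both digests with the verdict."""
    sha256, md5 = digest_file(path)
    return {"path": path, "sha256": sha256, "md5": md5, "verdict": classify_sha256(sha256)}


if __name__ == "__main__":
    # Constructed sample: a scratch file standing in for a downloaded ComboFix.exe.
    with tempfile.NamedTemporaryFile("wb", suffix=".exe", delete=False) as tmp:
        tmp.write(b"constructed sample bytes, not a real installer\n")
    try:
        print(check_download(tmp.name))  # verdict will be 'unknown' for this scratch file
    finally:
        os.unlink(tmp.name)
```

Run it against the copy you actually downloaded, not against a hash someone else posted for a file of the same name; the point of the exercise is that the digest is tied to your bytes.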
Jrb2
Premium
join:2001-08-31
kudos:3

The file, which I scanned earlier at VT, was the one with checksums:
SHA256:
4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
MD5: c71b0515ef1200755ae61a5c4c9e8a86

I did post those checksums in my previous post in this thread, along with the results at VT at that moment, and with the alert by NOD32.
I wasn't at that moment the first one who had scanned it there.


Jrb2
Premium
join:2001-08-31
kudos:3

1 recommendation

reply to Jrb2

Postings by Grinler at BleepingComputer:
»www.bleepingcomputer.com/forums/···431.html

quote:
ComboFix is now live, clean, and available to download from its normal links.

On a question whether Combofix would deal with the Sality infection:

quote:
I would avoid ComboFix until you have confirmed your computer is not infected with Sality. Ironically, CF will quarantine Sality infected files, other than OS files, if they are found.

About the version I downloaded from BleepingComputer about an half hour ago:

ComboFix.exe

Version 13.1.30.4

SHA256: a1ed6bc74db51c219c08d6126d7de5c60570b2f76c60ce602bf602096d2f85a1
MD5: 4f973e9d3fdaeb5347243e8e169714e7

VT:
2/45

AntiVir TR/Crypt.XPACK.Gen
Jiangmin Trojan/JmGenGeneric.boe


trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2

1 recommendation

I downloaded the same file you did, the signatures (MD5 and SHA256) match. I scanned the file with both Webroot and MalwareBytes AntiMalware using the latest definitions, no infection found.

»www.virustotal.com/file/a1ed6bc7···9592743/
--
Tom
Boycott AT&T uVerse! | Tom's Android Blog | AOKP (The Android Open Kang Project)



TheJoker
Premium,VIP,MVM
join:2001-04-26
Charlottesville, VA
kudos:5

1 recommendation

From Grinler:

quote:
ComboFix is now live, clean, and available to download from its normal links.
»www.bleepingcomputer.com/forums/···_2962394
--
Proud ASAP member since 2005
Microsoft MVP/Consumer Security 2009-2010


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17

1 recommendation

reply to Jrb2

Combofix: a cocktail of infective factors
• »blog.eset.com/2013/02/01/combofi···-factors


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

1 recommendation

That was a good blog. It can never be said enough that users should NOT use sites like download.com to get applications but should always go to the vendor's site as that is where it is least likely one will get infected from a tainted download. Plus, as the blog points out, the official host site/vendor's site will react very rapidly if made aware of a problem, whereas, mirror sites may not...especially those that mirror without permission. If users would stop using sites like download.com maybe sites like it would disappear which would be good.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

You're welcome for the ESET blog entry; it was well thought out and well penned.
Also see from Bill P of Win Patrol:
»billpstudios.blogspot.ca/2012/10···are.html