Jrb2Premium
join:2001-08-31
kudos:3 | Beware of Combofix - contains infected file Warning by Marcos at the ESET forum:
»www.wilderssecurity.com/showthre···t=340693
Quote:
We have discovered that the current installer of Combofix contains iexplore.exe infected with the Sality virus. It's pretty well detected by other vendors as well.
We do not recommend downloading and using it until the author remedies the issue. |
|
|
|
| April 1st isn't here yet? 
Wow, no one is bulletproof then? |
|
| reply to Jrb2
Unsure where Eset got their installer from but the official Combofix download link is at Bleepingcomputer.
The IExplorer.exe file is Nircmd.exe(renamed) with MD5 753BC16326FEE4A421ACB636CCD602F4
VT report would not say Sality for that file as its 3 year old legitimate tool.
»www.virustotal.com/file/24ca5ceb···nalysis/ |
|
Jrb2Premium
join:2001-08-31
kudos:3 | reply to Jrb2
Downloaded from BleepingComputer.
Eset (NOD32) warning: see screenshot |
|
Jrb2Premium
join:2001-08-31
kudos:3 | reply to Jrb2
Scanned at VirusTotal:
30/45
Agnitum Win32.Sality.BL 20130128
AhnLab-V3 - 20130129
AntiVir W32/Sality.AT 20130129
Antiy-AVL - 20130129
Avast Win32:Sality 20130129
AVG Win32/Sality 20130129
BitDefender Win32.Sality.3 20130129
ByteHero - 20130123
CAT-QuickHeal W32.Sality.U 20130129
ClamAV - 20130129
Commtouch W32/Sality.gen2 20130129
Comodo Virus.Win32.Sality.Gen 20130129
DrWeb Win32.Sector.22 20130129
Emsisoft Win32.Sality.3 (B) 20130129
eSafe - 20130127
ESET-NOD32 Win32/Sality.NBA 20130129
F-Prot W32/Sality.gen2 20130129
Fortinet - 20130129
GData Win32.Sality.3 20130129
Ikarus Virus.Win32.Sality 20130129
Jiangmin Trojan/JmGenGeneric.boe 20121221
K7AntiVirus Virus 20130128
Kaspersky Virus.Win32.Sality.gen 20130129
Kingsoft - 20130121
Malwarebytes - 20130129
McAfee W32/Sality.gen.z 20130129
McAfee-GW-Edition - 20130129
Microsoft Virus:Win32/Sality.AT 20130129
MicroWorld-eScan Win32.Sality.3 20130129
NANO-Antivirus Virus.Win32.Sality.beygb 20130129
Norman Sality.ZGZ 20130129
nProtect Win32.Sality.3 20130129
Panda W32/Sality.AA 20130128
PCTools - 20130129
Rising Win32.KUKU.ky 20130129
Sophos Mal/Sality-D 20130129
SUPERAntiSpyware - 20130129
Symantec - 20130129
TheHacker - 20130128
TotalDefense - 20130129
TrendMicro PE_SALITY.RL-O 20130129
TrendMicro-HouseCall PE_SALITY.RL-O 20130129
VBA32 Virus.Win32.Sality.bakc 20130129
VIPRE Virus.Win32.Sality.at (v) 20130129
ViRobot - 20130129
SHA256: 4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
MD5: c71b0515ef1200755ae61a5c4c9e8a86 |
|
Jrb2Premium
join:2001-08-31
kudos:3 | reply to Jrb2
Thread at BleepingComputer forum:
»www.bleepingcomputer.com/forums/···407.html
No official responce yet there. |
|
 RoboticsSee You On The Dark SidePremium
join:2003-10-23
Louisa, VA | reply to Jrb2
All I can say is wow!
How the hell did this happen? Is anyone saying yet? |
|
 dandelionPremium,MVM
join:2003-04-29
Germantown, TN
kudos:4 | reply to Jrb2
This is almost unheard of. Did this happen just on that site or to the entire program? |
|
trog
join:2001-03-25
Scarborough, ON | reply to Jrb2
From wilders:
said by Blade Z :
Hello,
Just letting you know that the mirror at Bleeping Computer has been deactivated until this gets sorted out. So that should go a ways towards minimizing the exposure.
A big thanks to Marcos as it was this thread that first alerted our staff to the issue.
~Blade
Bleeping Computer Forum Administrator
|
|
 TheJokerPremium,VIP,MVM
join:2001-04-26
Charlottesville, VA
kudos:5 | And I notified sUBs this morning just in case. |
|
 therube
join:2004-11-11
Randallstown, MD | reply to MumRAR
quote:
IExplorer.exe file is Nircmd.exe(renamed)
Why would they do that, unless to act like a chameleon? |
|
| reply to Jrb2
I downloaded Combofix on the 23rd Jan, from the mirror and
it's got this md5 hash:
2D928456F2238FBB9C06F173691B0B83
So, look like the new version got put there since 23rd??
--
»sanesecurity.blogspot.com/ |
|
Jrb2Premium
join:2001-08-31
kudos:3 | reply to Jrb2
Two posts at BleepingComputer:
1.
»www.bleepingcomputer.com/forums/···407.html
By Grinler:
quote:
The download has been pulled since earlier this morning as sUBs investigates the reports. At this time, I unfortunately do not have any other information for anyone.
Stay tuned.
2.
»www.bleepingcomputer.com/forums/···431.html
By Grinler
Information about ComboFix being infected and what you should do
quote:
Unfortunately it has come to light that the program ComboFix had a file in it that is infected with the Sality virus. The minute we heard about this, we pulled the executable so that it is no longer available from BleepingComputer.com. Unfortunately we have no control over other sites that may have mirrored ComboFix without permission, so please do not attempt to download it elsewhere.
The developer, sUBs, is currently looking into what happened and when I have a full update, I will be sure to let you know. From the limited information that I have, it appears that the affected version has been available since approximately 2am EST on January 29th. If this timeframe changes, I will update this topic to let you know. If you have used a new copy of ComboFix downloaded after 2am EST, then you should examine your system for possible infection. If you have used a copy of ComboFix prior to this version, then you should be ok.
In the meantime, it is important for those who may have used ComboFix recently and are concerned they are infected to get the help they need. As the Sality infection has been around for a while, almost all antivirus vendors will have detected it and blocked it when you ran ComboFix. Unfortunately, not everyone has up-to-date virus definitions or uses an AV program, so it is important to examine your system if you have downloaded a new copy and used it since 2am EST.
Read more at that second link! |
|
therube
join:2004-11-11
Randallstown, MD
1 edit | reply to alien8
A 28th Jan version gives this md5 hash:
0f6d28a70471051c4c7785335acba626
And oddly, VirusTotal only shows 1 / 46 for it: ComboFix_13-01-28.01.exe
Edit to include SHA265 hash (that's like 256+9 for good luck):
SHA256: 361548f74415a41f00d5345b3e3c489b3282b302c0c51266880eda586db01a12 |
|
therube
join:2004-11-11
Randallstown, MD | reply to MumRAR
What version & size of nircmd.exe ?
In what I have (Combofix.exe), both firefox.exe.VIR & iexplore.exe.VIR (both lower case, the .VIR added by me) are 256,000 bytes (& are exactly the same, chameleons if you will) but neither compare in any way to any nircmd.exe that I have?
VirusTotal (1 / 46) iexplore.exe. |
|
| The affected file was not nircmd. It was a different file unfortunately. |
|
therube
join:2004-11-11
Randallstown, MD | reply to Jrb2
Sure would be nice if they posted a hash of the infected version.
And better yet if they also posted hashes for their prior, known good versions.
(So like is my 1-28 version good or bad, or have I lucked out by a few hours?)
If mine is good, then maybe I could use Combofix to fix Combofix  . |
|
| Waiting on this information from the developer. At the same time, if you scan your current version and it shows clean in virustotal then you are good to go. |
|
 siljalineI'm lovin' that double widePremium
join:2002-10-12
Montreal, QC
kudos:17
 ·Bell Sympatico
| reply to Jrb2
fwiw, Jrb2  
ESET users have some level of protection from Sality
I hope that an uninfected version of combofix is made available soon. |
|
 Smokey Bearveritas odium paritPremium
join:2008-03-15
Annie's Pub
kudos:4 | said by siljaline:
ESET users have some level of protection from Sality
Most other vendors offer protection too, it's not just ESET.
--
»bit.ly/gUqYaH - C. Brian Smith: Think of the exclamation point as a car horn: a little goes a long way. Lay on it too hard and everyone’s going to think you’re a moron.
»bit.ly/V5mACB - How-To: Destroying a faulty keyboard |
|
