You are here

Winmerge site issue: Virus download

15 posts / 0 new
Last post
arinlares
Offline
Last seen: 12 years 8 months ago
Joined: 2008-12-13 04:57
Winmerge site issue: Virus download

I was trying to read up on WinMerge, so I went to the site. When I went to read the documentation (under Manual on their homepage), Avast! HE gave me a virus warning. I don't know if anybody else has encountered this, but I'm just putting it out there for somebody else to check out, if possible. Suffice it to say, I'm not using WinMerge until it's handled.

Tim Clark
Tim Clark's picture
Offline
Last seen: 12 years 11 months ago
Joined: 2006-06-18 13:55
???

1. Please give us something to check out, got a link?
2. If it's at their site you should be reporting it to them.

Tim

Things have got to get better, they can't get worse, or can they?

arinlares
Offline
Last seen: 12 years 8 months ago
Joined: 2008-12-13 04:57
I see.

The page: http:// www.winmerge.org /docs/manual/

I'll email them now.

[Link broken by mod Tim, just in case, see below]

Hey! Where'd it go?

Tim Clark
Tim Clark's picture
Offline
Last seen: 12 years 11 months ago
Joined: 2006-06-18 13:55
Interesting, Dr Web also does

Interesting, Dr Web also does not like the page.

Mind you I am no fan of Dr Web, but it does give you the option of feeding in a URL of a page and giving you feed back about what it finds w/o your having to go there:

The response to one item was:
http://betbigwager.cn/in.cgi?income61//Script.0 infected with Trojan.DownLoad.35036

I will hazard a guess that betbigwager.cn is some sort of Adserver that is giving them money.

The link to http: // betbigwager.cn/ in.cgi?income61 seems to be in an iframe banner at the top of the page, so I would guess that it could be the link in the page itself that is the problem and not the Winmerge program,

Neither McAfee SiteAdvisor or WOT liked betbigwager.cn very much either

Note I visited the page with both JS and IFrames disabled.

Just my feed back,
Let them know about it, and thanks

Tim

Things have got to get better, they can't get worse, or can they?

arinlares
Offline
Last seen: 12 years 8 months ago
Joined: 2008-12-13 04:57
Thanks for checking.

Anyway, the forum post I made got a response referring me to another thread, so I put what you did in there. So, somebody knows.

Hey! Where'd it go?

Chris Morgan
Chris Morgan's picture
Offline
Last seen: 8 years 9 months ago
Joined: 2007-04-15 21:08
Confirmed

I used wget to download the files and then viewed them in a text editor. It has an invisible iframe at the top of the page, which goes to that page you've mentioned. This page then checks to see if you've got a "Adobe Acrobat" or "Adobe PDF" plugin, and then a "Flash" plugin. When it finds them, it puts another iframe inside it, source cache/readme.pdf or cache/flash.swf - which are probably advertising things.

This is an obtrusive ad (and possibly a malware downloader)... sad to see on such a site.

I am a Christian and a developer and moderator here.

“A soft answer turns away wrath, but a harsh word stirs up anger.” – Proverbs 15:1

JarC
Offline
Last seen: 7 months 2 weeks ago
Joined: 2007-08-27 12:37
sad to see a developer make

sad to see a developer make such an unfounded statement.

Did you _check_ to see if the PDF or SWF actually tried loading malware?

Did you _check_ to see if there was actually _something_ loaded other than an ad?

I also looked at the 1x1 iframe, and for me it went to a site liteautoexcelent.... someplace in China, returning a 0 byte big nada...

So am sadly not able to confirm it does anything other than wasting connection slots

I would also have expected to at least see someone comment on the OP's "I'm not using WinMerge until it's handled."... as the two are totally unrelated. The PAF installer is downloaded from sourceforge, totally different site, totally different location, and absolutely not in anyway connected to that ad iframe...

Even if every scanner in the world would scream bloody murder about that online manual page, activating sirens and what not, total internet connection lock down even, it would not say anything about the trustworthiness of software downloaded elsewhere.

Let's keep a cool head, not be the starting point of unfounded rumors which may start leading a life of their own and scare off inexperienced users from an otherwise very safe, very clean, very useful utility for nothing.

John T. Haller
John T. Haller's picture
Offline
Last seen: 1 hour 42 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Yeah, That Was Malware

If there is a detector doing flash and pdfs originating from china, I can guarantee you that was spyware at some point. Flash is a great entry vector for spyware if you're not on the latest version. But the PDF detector is the kicker as No legitimate ad network uses PDFs as ads... they're used to load spyware. Adobe's PDF plugin has become one of the most popular attack vectors for drive-by installs due to some of the bugs that have surfaced and the fact that most people don't update it. Plus that site you mentioned is listed in malware reports on other sites online.

This happens on sites even without the site meaning to do it. They could have been hacked. Sometimes even the ad network itself is hacked and large sites end up delivering malware. It's happened before.

Sometimes, the impossible can become possible, if you're awesome!

RMB Fixed
Offline
Last seen: 14 years 2 months ago
Joined: 2006-10-24 10:30
..

I seriously doubt that the adserver has been "hacked" in these cases,
they just take the money and serve the "ads" without further checking ..

John T. Haller
John T. Haller's picture
Offline
Last seen: 1 hour 42 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
On the contrary

There was an incident where this happened a couple of years ago. It wasn't even ads at the time (it was an EXE it was downloading and auto-runing in another IE bug). And it affected larger commercial sites like the Kelly Blue Book site.

If a legit ad network allowed virus-infected stuff in, everyone would drop them. Even in the case where the above network was hacked, they lost a lot of business as a result.

Sometimes, the impossible can become possible, if you're awesome!

arinlares
Offline
Last seen: 12 years 8 months ago
Joined: 2008-12-13 04:57
JarC:

I didn't mean in terms of software boycotting or anything, I just don't like using software without giving the documentation a good read. The issue, I'm pretty sure, will be resolved. I'll be keeping an eye on the Winmerge forum.

Hey! Where'd it go?

arinlares
Offline
Last seen: 12 years 8 months ago
Joined: 2008-12-13 04:57
It's clean

A post in the development forum says the files were replaced with clean files, and I checked, Avast! gave no popup, so it's safe now. Figured I'd post an update.

Hey! Where'd it go?

horusofoz
horusofoz's picture
Offline
Last seen: 6 months 3 weeks ago
Joined: 2008-04-03 22:45
For more information

PortableApps.com Advocate

ceroni
Offline
Last seen: 1 year 4 months ago
Joined: 2009-05-17 10:36
Still infected

After visiting WinMerge's site I found wJQS.EXE (on temp dir) and digiwet.dll (on system32).
A few minutes ago I visited again while monitoring with Proccess Explorer (Sysinternals) and I can confirm the site tried to open Acrobat.
Apparently it's still infected.

arinlares
Offline
Last seen: 12 years 8 months ago
Joined: 2008-12-13 04:57
Yup.

It was cleaned, but got re-infected on the 17th, apparently.

Hey! Where'd it go?

Log in or register to post comments