Virus detected in Kompozer.exe (by multiple checkers)

DF
Joined: 2007-11-12 11:32
Today Sophos has detected a virus in the Kompozer.exe file (and probably most of the other exe's as well) - It was fine on Friday so I guess this is down to a very recent definition update.

I have run it through Virus Total and got the following responses (23/30 have detected a 'virus'):


Antivirus           Version        Last Update  Result

AhnLab-V3           2007.11.12.0   2007.11.12   Win32/Virut
AntiVir             7.6.0.34       2007.11.12   W32/Virut.AQ
Authentium          4.93.8         2007.11.10   -
Avast               4.7.1074.0     2007.11.11   Win32:Virtob
AVG                 7.5.0.503      2007.11.12   Win32/Virut
BitDefender         7.2            2007.11.12   Win32.Virtob.BF
CAT-QuickHeal       9.00           2007.11.12   W32.Virut.V
ClamAV              0.91.2         2007.11.12   W32.Virut-12
DrWeb               4.44.0.09170   2007.11.12   Win32.Virut.25
eSafe               7.0.15.0       2007.11.08   suspicious Trojan/Worm
eTrust-Vet          31.2.5289      2007.11.12   Win32/Virut.6561
Ewido               4.0            2007.11.12   -
FileAdvisor         1              2007.11.12   -
Fortinet            3.11.0.0       2007.10.19   -
F-Prot              4.4.2.54       2007.11.10   W32/Injector.A.gen!Eldorado
F-Secure            6.70.13030.0   2007.11.12   Virus.Win32.Virut.aq
Ikarus              T3.1.1.12      2007.11.12   Virus.Win32.Virut.au
McAfee              5160           2007.11.09   W32/Virut.gen.a
Microsoft           1.3007         2007.11.12   Virus:Win32/Virut.Y
NOD32v2             2653           2007.11.12   Win32/Virut.AQ
Norman              5.80.02        2007.11.09   W32/Virut.AC
Panda               9.0.0.4        2007.11.11   W32/Virutas.AD
Prevx1              V2             2007.11.12   -
Rising              20.18.02.00    2007.11.12   Win32.Virut.ae
Sunbelt             2.2.907.0      2007.11.12   VIPRE.Suspicious
Symantec            10             2007.11.12   W32.Virut.W
TheHacker           6.2.9.124      2007.11.12   -
VBA32               3.12.2.4       2007.11.11   -
VirusBuster         4.3.26:9       2007.11.12   Win32.Virut.Gen.4
Webwasher-Gateway   6.0.1          2007.11.12   Win32.Virut.AQ

It's fine suggesting that the Checker is getting it wrong, but if the majority of them are detecting a problem I doubt if Sophos will do anything about it...

Unfortunately I have a corporate version of Sophos so neither can I turn it off nor can I report an issue directly to them - basically I now have no way of running Kompozer!

Any suggestions?

wsm23
Joined: 2006-01-09 22:05
Can you update your definitions for Sophos?

Does it allow you an exception?

Why can't you report the error to Sophos? Just because it is a corporate version should not mean that you don't have support.

Life is about the journey not the destination!

The Kazoo Spartan

rab040ma
Joined: 2007-08-27 13:35
I just downloaded and installed Kompozer from this site, and had no problem. I uploaded it to Virustotal, and only one of the lines is similar to yours.

You did not include the lines from virustotal that include important information like file size and hash, so I can't tell if you have the same version of the file that I have. However, it looks doubtful. So I'd recommend you download it from the menu on the left and install it again, and see if that doesn't help.

If you upload it to Virustotal and get a different result, you might want to include the last few lines of the virustotal report, where it includes the "additional information", as I have done below.

AhnLab-V3		2007.11.13.0	2007.11.12	-
AntiVir			7.6.0.34	2007.11.12	-
Authentium		4.93.8	2007.11.10	-
Avast			4.7.1074.0	2007.11.11	-
AVG			7.5.0.503	2007.11.12	-
BitDefender		7.2	2007.11.12	-
CAT-QuickHeal		9.00	2007.11.12	-
ClamAV			0.91.2	2007.11.12	-
DrWeb			4.44.0.09170	2007.11.12	-
eSafe			7.0.15.0	2007.11.08	suspicious Trojan/Worm
eTrust-Vet		31.2.5289	2007.11.12	-
Ewido			4.0	2007.11.12	-
FileAdvisor		1	2007.11.12	-
Fortinet		3.11.0.0	2007.10.19	-
F-Prot			4.4.2.54	2007.11.10	-
F-Secure		6.70.13030.0	2007.11.12	-
Ikarus			T3.1.1.12	2007.11.12	-
Kaspersky		7.0.0.125	2007.11.12	-
McAfee			5161	2007.11.12	-
Microsoft		1.3007	2007.11.12	-
NOD32v2			2653	2007.11.12	-
Norman			5.80.02	2007.11.09	-
Panda			9.0.0.4	2007.11.11	-
Rising			20.18.02.00	2007.11.12	-
Sophos			4.23.0	2007.11.12	-
Sunbelt			2.2.907.0	2007.11.12	-
Symantec		10	2007.11.12	-
TheHacker		6.2.9.124	2007.11.12	-
VBA32			3.12.2.4	2007.11.11	-
VirusBuster		4.3.26:9	2007.11.12	-
Webwasher-Gateway	6.0.1	2007.11.12	Win32.ModifiedUPX.gen!90 (suspicious)
Additional information
File size: 117760 bytes
MD5: 86eaa9d33d0dd94f4aea09297660a44a
SHA1: dacb2bc639a63c643d6c6a43bfc7621db43f3be9
packers: UPX
packers: UPX
packers: PE_Patch.UPX, UPX

MC

DF
Joined: 2007-11-12 11:32
Not the same file?

I think you only uploaded what I assume is the Portableapps 'shell' exe (which is in the root of the install) rather than the 'actual' kompozer.exe file (which is under \App\kompozer\).

The 'additional info' for the shell is:
File size: 127896 bytes
MD5: eb824e2c73b8108443af58c6604abdb4
SHA1: ad472f88451e36a705778f102e13a6d2a2d2fd2d

and it does not trigger any virus alerts.

The 'additional info' for the 'actual' exe is:
Additional information
File size: 124928 bytes
MD5: 1d2f6ab052e187d695a737bec08900f1
SHA1: 8c5049116da116277259c74ea7f9814e11d15692
packers: UPX

I've just downloaded the whole thing again (using the link to the left) and the files are identical to the ones I already had. I don't understand how this is different to your file?

rab040ma
Joined: 2007-08-27 13:35
You're making my point exactly. I just downloaded the KompoZer_Portable_0.77_en-us.paf.exe (md5 d046200b6ad4f8b9734bf487b7374c6e) using the menu at the left. I installed it fresh. The Launcher (named KompoZerPortable.exe) has md5 eb824e2c73b8108443af58c6604abdb4 (which matches yours) but the kompozer.exe file has md5 86eaa9d33d0dd94f4aea09297660a44a, same as before. It is 117,760 bytes.

Either you downloaded and installed a different version than I did, or something changed the kompozer.exe file after it was installed on one or both of our machines.

John has begun signing his releases, which will make this all much easier to manage for future releases. But for right now, about all we can conclude is that you and I have submitted different copies of kompozer.exe to VirusTotal. We both claim to have downloaded it from the same place. We are both using the same launcher.

(Perhaps one or more others can try the same experiment, and see which MD5 is more common...)

Someone who downloads KompoZer and installs it and uses winMd5Sum (also from the left hand menu) or VirusTotal and gets the same MD5 you do will get lots of warnings about possible malware. Someone who downloads KompoZer and installs it and uses winMd5Sum or VirusTotal and gets the same MD5 I got will only see a couple of minor warnings.

Oh, I did try one more test. I used 7zip to "test" the KompoZer_Portable_0.77_en-us.paf.exe file; it was reported to have no errors. I then opened it in 7zip's explorer, and noted that the CRC for kompozer.exe is BE04B382. I then used 7zip to create an archive from the kompozer in the installed directory, opened it with 7zip's explorer, and saw that it has the same CRC. This suggests to me that I am in fact running the test on the kompozer.exe that is inside the installer.

MC
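
The comparison worked through in the posts above (file size, MD5, SHA-1 and the CRC that 7-Zip displays, for the launcher and for kompozer.exe), as an added example that is not part of the thread or of any PortableApps tooling: it fingerprints a freshly installed tree and reports any file that later differs from that baseline. The directory layout follows the paths named in the thread; the file contents and the function names are constructed for illustration.

```python
import hashlib
import tempfile
import zlib
from pathlib import Path

def fingerprint(path, chunk_size=65536):
    """Return size, MD5, SHA-1 and CRC-32 of a file, reading it in chunks."""
    md5, sha1, crc, size = hashlib.md5(), hashlib.sha1(), 0, 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            crc = zlib.crc32(chunk, crc)
            size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "crc32": "%08X" % (crc & 0xFFFFFFFF)}  # 8 hex digits, as 7-Zip shows

def build_manifest(root):
    """Fingerprint every file under root, keyed by lower-cased relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix().lower(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, installed):
    """Return {path: reason} for every file that departs from the baseline."""
    findings = {}
    for rel, want in baseline.items():
        got = installed.get(rel)
        if got is None:
            findings[rel] = "missing"
        elif got != want:
            findings[rel] = "modified (size %+d bytes)" % (got["size"] - want["size"])
    for rel in installed.keys() - baseline.keys():
        findings[rel] = "not in baseline"
    return findings

def demo():
    """Constructed sample: stand-in files, one altered after 'install'."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp, "App", "kompozer", "kompozer.exe")
        app.parent.mkdir(parents=True)
        app.write_bytes(b"app stub")                       # constructed content
        Path(tmp, "KompoZerPortable.exe").write_bytes(b"launcher stub")
        baseline = build_manifest(tmp)                     # state right after install
        app.write_bytes(app.read_bytes() + b"\x00" * 16)   # changed on disk later
        return compare(baseline, build_manifest(tmp))
```

Taking the baseline on a machine known to be clean, straight after installation, is what makes a later mismatch meaningful.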
