Author Topic: Possible Trojan Discovered in \CodeBlocks\MinGW\bin\zip.exe  (Read 9223 times)

John44

  • Guest
Possible Trojan Discovered in \CodeBlocks\MinGW\bin\zip.exe
« on: August 28, 2012, 09:02:38 am »
On August 25, 2012 I did a scan with Spybot Search & Destroy version 1.6.2 and detected a trojan. The Code::Blocks version is 10.05 from March 17, 2011 June 2, 2010 (sorry for the error). The operating system platform is Windows (more specifically, it was Windows XP and then I copied Code::Blocks over to Windows 7).

Here are the scan results:

FraudAV.SJhorwPa - TrojansC-05

(SBI $9495743C) Downloaded program file

C:\Users\.........\CodeBlocks\MinGW\bin\zip.exe

The View Report section shows the above (except for TrojansC-05) and the following:

Properties.size=135168

Properties.md5=83AF340778E7C353B9A2D2A788C3A13A

Properties.filedate=1151801600

Properties.filedatetext=2006-07-01 17:53:20

For those interested in running a scan, please do the following:

1.   Go to http://www.safer-networking.org/dl/ to download Spybot Search & Destroy 1.6.2, it is free of charge.

2.   Once installed, check for updates.

3.   At the top left of the Spybot Search & Destroy screen click on Mode, select Advanced mode and click Yes in the box that appears.

4.   Click Settings on the bottom left.

5.   Click Directories, which is the fourth option down.

6.   At the bottom, check the box called Check sub-directories of the above.

7.   Right click in the white box area and select Add a directory to this list.

8.   Locate where the CodeBlocks folder is kept on your computer and select it.

9.   Run a scan. It should take about 15 minutes since the whole computer is scanned.

10.   Right before the scan is complete FraudAV.SJhorwPa appears.

11.   Click the Fix selected problems button.

12.   Click the + sign to the left of the FraudAV.SJhorwPa to get a more detailed description. If you need the details, make sure to write down TrojansC-05. When you leave the current screen, TrojansC-05 can never be viewed again.

13.   To view the other information later, click on Tools (below Settings) and then click View Report.

14.   Next, click View previous report. Note there may be multiple reports relating to a single scan.

After running the scan I found the CodeBlocks\MinGW\bin location on the computer. However, the \zip.exe part of the file path is nowhere to be found. I did not check prior to the scan to see if the \zip.exe file path existed.

It may be worth the effort if a person or group can track down the location of the \zip.exe file path and/or look through the source code of the \MinGW\bin location. Such an effort may verify if the code for the trojan exists.

If there is a trojan, here are a couple ideas that may serve as a starting point for creating a long-term solution.

1.   Create a forum called Code::Blocks Security Problems so people can create posts about malicious software they find in Code::Blocks. Then a Volunteer Security Team can investigate, fix and submit the reported incidents back to the Code::Blocks team.

2.   Have a Volunteer Security Audit Team look through all the files of Code::Blocks. Then make and submit any corrections made along the way.

I am an average computer user and not in any way a software programmer.

Lastly, is this the right forum to post such a concern?

In advance, thank you everyone for helping, creating a great piece of software and being a great community!

-John44
« Last Edit: August 30, 2012, 06:05:30 pm by John44 »

Offline MortenMacFly

  • Administrator
  • Lives here!
  • *****
  • Posts: 9524
Re: Possible Trojan Discovered in \CodeBlocks\MinGW\bin\zip.exe
« Reply #1 on: August 28, 2012, 09:13:12 am »
You shouldn't over-do it. AV reports are very often wrong these days, especially with developer tools, as they "behave" often like viruses - they change executables, delete executables, create executables and so on.
For your investigations you should first ask yourself: Why didn't this happen earlier? I mean: This file is more than two years old, don't you think it would have been found earlier? Then use a resource like http://www.virustotal.com to cross-check with other AV scanners.

For this particular file: It is definitely virus-free.
Compiler logging: Settings->Compiler & Debugger->tab "Other"->Compiler logging="Full command line"
C::B Manual: http://www.codeblocks.org/docs/main_codeblocks_en.html
C::B FAQ: http://wiki.codeblocks.org/index.php?title=FAQ

Offline MortenMacFly

  • Administrator
  • Lives here!
  • *****
  • Posts: 9524
Re: Possible Trojan Discovered in \CodeBlocks\MinGW\bin\zip.exe
« Reply #2 on: August 28, 2012, 09:37:17 am »
...FWIW here is the output of VirusTotal.com (scanning with 41 up-to-date AV software packages):
SHA256:    e9929598c98359773b7c51e3c4461d0f99b1703790ff775aee3c63a9a9a74ca8
SHA1:    55c5a72010291fca2275ccfb5b497dd0bac11a60
MD5:    83af340778e7c353b9a2d2a788c3a13a
File size:    132.0 KB ( 135168 bytes )
File name:    zip.exe
File type:    Win32 EXE
Detection ratio:    0 / 41
Analysis date:    2012-08-28 07:34:28 UTC ( 1 minute ago )


Maybe you should better NOT trust Spybot Search & Destroy... what do you think?

Offline jens

  • Administrator
  • Lives here!
  • *****
  • Posts: 7265
    • Jens' unofficial debian-repository for the Code::Blocks - IDE
Re: Possible Trojan Discovered in \CodeBlocks\MinGW\bin\zip.exe
« Reply #3 on: August 28, 2012, 09:43:17 am »
> Maybe you should better NOT trust Spybot Search & Destroy... what do you think?

Or his PC is really infected.

Offline MortenMacFly

  • Administrator
  • Lives here!
  • *****
  • Posts: 9524
Re: Possible Trojan Discovered in \CodeBlocks\MinGW\bin\zip.exe
« Reply #4 on: August 28, 2012, 10:14:56 am »
> Or his PC is really infected.
Indeed - that's another option. ::)

Offline scarphin

  • Lives here!
  • ****
  • Posts: 644
Re: Possible Trojan Discovered in \CodeBlocks\MinGW\bin\zip.exe
« Reply #5 on: August 28, 2012, 05:40:47 pm »
> The Code::Blocks version is 10.05 from March 17, 2011.
Shouldn't this be version 11.03 if there ever was one or is it the date he installed CB?

John44

  • Guest
Re: Possible Trojan Discovered in \CodeBlocks\MinGW\bin\zip.exe
« Reply #6 on: August 28, 2012, 06:01:13 pm »
Thank you MortenMacFly and jens for your replies. It did cross my mind that if there was a trojan, the file may have been found earlier. It also crossed my mind that Spybot Search & Destroy may be detecting a false positive. I did search the forums prior to posting and found the following topics:

http://forums.codeblocks.org/index.php/topic,14091.0.html

http://forums.codeblocks.org/index.php/topic,8070.0.html

My prior post could be a false alarm. However, I also thought that nothing is ever perfect and for whatever reason, the possibility of a Trojan existing in that file location could be real and may not be known to anyone else.

I do not like writing a post like the one above because it can create unnecessary stress, turn up nothing and be a waste of time. So the question is when should one write about a potential problem, if he/she does not know if it is an actual problem or a false alarm?

John44

  • Guest
Re: Possible Trojan Discovered in \CodeBlocks\MinGW\bin\zip.exe
« Reply #7 on: August 28, 2012, 06:01:54 pm »
scarphin,

It is the date that I installed Code::Blocks onto my computer.

Offline MortenMacFly

  • Administrator
  • Lives here!
  • *****
  • Posts: 9524
Re: Possible Trojan Discovered in \CodeBlocks\MinGW\bin\zip.exe
« Reply #8 on: August 28, 2012, 07:08:20 pm »
> if he/she does not know if it is an actual problem or a false alarm?
As I said: Double-check with services like virustotal. If the detection rate is greater than 5% (so in the case of 41 AV software packages something like >2-3), ask here. In any case, if a lot more files are found to be infected on your PC, not only C::B - never ask here, but clean your PC. ;)

Offline thomas

  • Administrator
  • Lives here!
  • *****
  • Posts: 3979
Re: Possible Trojan Discovered in \CodeBlocks\MinGW\bin\zip.exe
« Reply #9 on: August 28, 2012, 08:02:50 pm »
> Or his PC is really infected.
> Indeed - that's another option. ::)
No, in this case the cryptographic checksums would differ. That's what they're for.
"We should forget about small efficiencies, say about 97% of the time: Premature quotation is the root of public humiliation."

Offline jens

  • Administrator
  • Lives here!
  • *****
  • Posts: 7265
    • Jens' unofficial debian-repository for the Code::Blocks - IDE
Re: Possible Trojan Discovered in \CodeBlocks\MinGW\bin\zip.exe
« Reply #10 on: August 28, 2012, 08:55:51 pm »
> Or his PC is really infected.
> Indeed - that's another option. ::)
> No, in this case the cryptographic checksums would differ. That's what they're for.
That should be correct in general, until a virus is good "enough" to make the av software show a fake md5-hash.
I don't know if any viruses or rootkits can do this, but I think it might be possible, at least with poorly designed av-software.

Nevertheless, it's always problematic to check a running (possibly infected) system from inside the system.
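
The two checks discussed in this thread, verifying a flagged file against published cryptographic checksums (reply #9 and #10) and applying the "more than 5% of engines" detection-ratio rule of thumb from reply #8, as an added Python example that is not part of the thread or of the Code::Blocks project. The expected digests are the VirusTotal values posted in reply #2; the sample binary is constructed for the demonstration and is not the real zip.exe, so it will not match them. As jens notes above, the hashing is only meaningful when run on a copy taken from outside the suspect system (a mounted image or a clean machine), which is why the file path is a parameter rather than assumed.

```python
import hashlib

# Digests for MinGW\bin\zip.exe exactly as posted from VirusTotal in this thread.
PUBLISHED_ZIP_EXE = {
    "size": 135168,
    "md5": "83af340778e7c353b9a2d2a788c3a13a",
    "sha1": "55c5a72010291fca2275ccfb5b497dd0bac11a60",
    "sha256": "e9929598c98359773b7c51e3c4461d0f99b1703790ff775aee3c63a9a9a74ca8",
}


def digest_bytes(data: bytes) -> dict:
    """Size plus MD5/SHA-1/SHA-256 of an in-memory blob (lower-case hex)."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def digest_file(path, chunk_size: int = 1 << 20) -> dict:
    """Same fields as digest_bytes, but streams the file so large binaries need not fit in memory."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    out = {name: h.hexdigest() for name, h in hashers.items()}
    out["size"] = size
    return out


def mismatched_fields(actual: dict, expected: dict) -> list:
    """Names of the fields that differ; an empty list means the file matches the published values."""
    bad = []
    for field, want in expected.items():
        got = actual.get(field)
        if isinstance(want, str):  # hex digests compare case-insensitively
            want, got = want.lower(), (got or "").lower()
        if got != want:
            bad.append(field)
    return bad


def detection_ratio_suspicious(detections: int, engines: int, threshold: float = 0.05) -> bool:
    """Rule of thumb from this thread: more than 5% of engines flagging a file merits a closer look."""
    if engines <= 0:
        raise ValueError("engines must be positive")
    return detections / engines > threshold


def tamper(data: bytes, offset: int = 40) -> bytes:
    """Flip one bit at the given offset: the size stays the same but every digest changes."""
    patched = bytearray(data)
    patched[offset] ^= 0x01
    return bytes(patched)


# Constructed stand-in for a binary; it is NOT the real zip.exe and will not match PUBLISHED_ZIP_EXE.
CONSTRUCTED_SAMPLE = b"MZ" + b"\x00" * 62 + b"constructed sample body, not the real zip.exe"


if __name__ == "__main__":
    import sys

    # Usage: python check.py <path-to-zip.exe>; with no argument the constructed sample is checked.
    actual = digest_file(sys.argv[1]) if len(sys.argv) > 1 else digest_bytes(CONSTRUCTED_SAMPLE)
    bad = mismatched_fields(actual, PUBLISHED_ZIP_EXE)
    print("matches published zip.exe" if not bad else "differs in: " + ", ".join(bad))
    # Detection ratio posted in reply #2 was 0 / 41.
    print("virustotal 0/41 suspicious:", detection_ratio_suspicious(0, 41))
```

Run against a real file, a clean copy of the MinGW zip.exe from this thread would report no mismatched fields; any modification, even a single flipped bit, changes all three digests while leaving the size intact, which is why size alone is never sufficient evidence.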

John44

  • Guest
Re: Possible Trojan Discovered in \CodeBlocks\MinGW\bin\zip.exe
« Reply #11 on: August 30, 2012, 03:32:33 am »
If anyone is wondering, I removed the two posts that existed earlier at the bottom.

I now realize that posting this topic was a mistake (I mean it as a constructive self-criticism).

Once again, thank you everyone for your help and your time! :)

Update: It is a false positive.
« Last Edit: August 31, 2012, 06:49:30 pm by John44 »