
Possible Trojan Discovered in \CodeBlocks\MinGW\bin\zip.exe


John44:
On August 25, 2012 I did a scan with Spybot – Search & Destroy version 1.6.2 and detected a trojan. The Code::Blocks version is 10.05 from March 17, 2011 June 2, 2010 (sorry for the error). The operating system platform is Windows (more specifically, it was Windows XP and then I copied Code::Blocks over to Windows 7).

Here are the scan results:

FraudAV.SJhorwPa - TrojansC-05

(SBI $9495743C) Downloaded program file

C:\Users\.........\CodeBlocks\MinGW\bin\zip.exe

The View Report section shows the above (except for TrojansC-05) and the following:

Properties.size=135168

Properties.md5=83AF340778E7C353B9A2D2A788C3A13A

Properties.filedate=1151801600

Properties.filedatetext=2006-07-01 17:53:20

For those interested in running a scan, please do the following:

1.   Go to http://www.safer-networking.org/dl/ to download Spybot – Search & Destroy 1.6.2, it is free of charge.

2.   Once installed, check for updates.

3.   At the top left of the Spybot – Search & Destroy screen click on Mode, select Advanced mode and click Yes in the box that appears.

4.   Click Settings on the bottom left.

5.   Click Directories, which is the fourth option down.

6.   At the bottom, check the box called Check sub-directories of the above.

7.   Right click in the white box area and select Add a directory to this list.

8.   Locate where the CodeBlocks folder is kept on your computer and select it.

9.   Run a scan. It should take about 15 minutes since the whole computer is scanned.

10.   Right before the scan is complete FraudAV.SJhorwPa appears.

11.   Click the Fix selected problems button.

12.   Click the + sign to the left of the FraudAV.SJhorwPa to get a more detailed description. If you need the details, make sure to write down TrojansC-05. When you leave the current screen, TrojansC-05 can never be viewed again.

13.   To view the other information later, click on Tools (below Settings) and then click View Report.

14.   Next, click View previous report. Note there may be multiple reports relating to a single scan.

After running the scan I found the CodeBlocks\MinGW\bin location on the computer. However, the \zip.exe part of the file path is nowhere to be found. I did not check prior to the scan to see if the \zip.exe file path existed.

It may be worth the effort if a person or group can track down the location of the \zip.exe file path and/or look through the source code of the \MinGW\bin location. Such an effort may verify if the code for the trojan exists.

If there is a trojan, here are a couple ideas that may serve as a starting point for creating a long-term solution.

1.   Create a forum called Code::Blocks Security Problems so people can create posts about malicious software they find in Code::Blocks. Then a Volunteer Security Team can investigate, fix and submit the reported incidents back to the Code::Blocks team.

2.   Have a Volunteer Security Audit Team look through all the files of Code::Blocks. Then make and submit any corrections made along the way.

I am an average computer user and not in any way a software programmer.

Lastly, is this the right forum to post such a concern?

In advance, thank you everyone for helping, creating a great piece of software and being a great community!

-John44

MortenMacFly:
You shouldn't over-do it. AV reports are very often wrong these days, especially with developer tools, as they "behave" often like viruses - they change executables, delete executables, create executables and so on.
For your investigations you should first ask yourself: Why didn't this happen earlier? I mean: This file is more than two years old, don't you think it would have been found earlier? Then use a resource like http://www.virustotal.com to cross-check with other AV scanners.

For this particular file: It is definitely virus-free.

MortenMacFly:
...FWIW here is the output of VirusTotal.com (scanning with 41 up-to-date AV software packages):
SHA256:    e9929598c98359773b7c51e3c4461d0f99b1703790ff775aee3c63a9a9a74ca8
SHA1:    55c5a72010291fca2275ccfb5b497dd0bac11a60
MD5:    83af340778e7c353b9a2d2a788c3a13a
File size:    132.0 KB ( 135168 bytes )
File name:    zip.exe
File type:    Win32 EXE
Detection ratio:    0 / 41
Analysis date:    2012-08-28 07:34:28 UTC ( 1 minute ago )

Maybe you should better NOT trust Spybot – Search & Destroy... what do you think?
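
The cross-check in the two posts above only means something if both reports describe the same bytes. The following Python code is an added example, not part of the thread: it parses the Spybot report fields and the VirusTotal summary quoted above and compares them with each other or with a local file (the function names are illustrative assumptions).

```python
import hashlib
import re

# Report text copied from the two posts above.
SPYBOT_REPORT = """\
Properties.size=135168
Properties.md5=83AF340778E7C353B9A2D2A788C3A13A
Properties.filedate=1151801600
Properties.filedatetext=2006-07-01 17:53:20
"""
VIRUSTOTAL_SUMMARY = """\
SHA256:    e9929598c98359773b7c51e3c4461d0f99b1703790ff775aee3c63a9a9a74ca8
MD5:    83af340778e7c353b9a2d2a788c3a13a
File size:    132.0 KB ( 135168 bytes )
"""

def parse_spybot(text):
    """Spybot 'View Report' lines have the form Properties.<key>=<value>."""
    props = dict(re.findall(r"^Properties\.(\w+)=(.*)$", text, re.M))
    return {"md5": props["md5"].strip().lower(), "size": int(props["size"])}

def parse_virustotal(text):
    """VirusTotal summary lines have the form '<Label>:    <value>'."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    size = re.search(r"\(\s*(\d+)\s*bytes\s*\)", fields["file size"])
    return {"md5": fields["md5"].lower(),
            "sha256": fields["sha256"].lower(),
            "size": int(size.group(1))}

def fingerprint(path):
    """Hash a local file in chunks so large binaries are not read at once."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "size": size}

def same_file(a, b):
    """True only if every field present in both records agrees."""
    shared = set(a) & set(b)
    return bool(shared) and all(a[k] == b[k] for k in shared)
```

MD5 is the only digest the two reports share, and it is not collision-resistant. When the file is still on disk, `same_file(fingerprint(path), parse_virustotal(...))` also compares SHA-256, which is the stronger check.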

Jenna:

--- Quote from: MortenMacFly on August 28, 2012, 09:37:17 am ---Maybe you should better NOT trust Spybot – Search & Destroy... what do you think?

--- End quote ---

Or his PC is really infected.

MortenMacFly:

--- Quote from: jens on August 28, 2012, 09:43:17 am ---Or his PC is really infected.

--- End quote ---
Indeed - that's another option. ::)
