URGENT!! beta-INSTALLER IS VIRUSED!

Trunx_

Post by Trunx_ »

Hello, I don't mean to be a spoilsport, but I have just downloaded Resolume 2.0 from the download section and when attempting to install it my virus scanner detected a nasty in the .exe file. Can anyone else confirm this error, and is it likely to be sorted today?

bart
Team Resolume
Posts: 2236
Joined: Wed Sep 29, 2004 10:01
Location: Resolume HQ

Post by bart »

our systems are being cleaned by Stinger at the moment. Hopefully we will be back online in a bit ... sorry for the inconvenience ...

for those that have downloaded the file (should only be a couple of people because it was online for only 5 min or so) please do a full system scan with stinger: http://vil.nai.com/vil/stinger/

levon_

Post by levon_ »

http://www.free-av.com/ is also a good free antivirus piece of software

bart
Team Resolume
Posts: 2236
Joined: Wed Sep 29, 2004 10:01
Location: Resolume HQ

Post by bart »

here is some more info about the virus ... it's pretty harmless thank god.

Virus Characteristics
This is an encrypted parasitic file-infecting virus and network aware worm. It appends PE EXE and SCR files in the Windows directory and subdirectories on the local system, as well as on any accessible network share. The virus creates an additional PE section with a random 3 letter section header followed by the character "•".

The virus creates the following Registry key:

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF

The virus does not store the original file size, and hence cleaning of this virus will not leave the original executables at their original size. In the majority of cases this will not cause an issue as the growth in file size is non-infectious "garbage" data at the end of the file. Certain applications which undertake a self-check will not run after cleaning and should be deleted and restored from backup.

Additionally the virus may mis-infect files with an incomplete virus body and leave the executable non-functioning. These damaged samples are detected as W32/Pate.b.dam, cannot be repaired, and should be deleted and restored from backup.
Indications of Infection
- Increase in file size by approximately 177Kb
- Presence of aforementioned registry key
Method of Infection

The virus drops a UPX packed executable in the user temporary directory and executes it.

This file is actually a DLL, 176,128 bytes in length, bearing a random filename with a .TMP extension (e.g. SQH9.TMP). The DLL is injected into the EXPLORER.EXE process, thus keeping the virus memory resident.

The virus enumerates all network shares and infects all PE .EXE and .SCR files that it has write access to.

Removal Instructions

Use specified engine and DAT files for detection and removal.

Infected systems should be removed from the network and repaired prior to placing them back on to the network. Failure to do so can result in further infections.

Note: The UPX-packed dropped DLL is injected into the EXPLORER.EXE process for the virus to remain memory resident. Cleaning involves the unloading of this DLL from EXPLORER, which requires the 4.2.60 engine (or greater). A reboot may be required after the .dll is removed from explorer.exe.

As this threat seeks open shares, turn off full share to your system. If you have to use shares, use password protection to avoid being a future target.
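One way to check a binary for the appended-section indicator described in the writeup above, as an added example that is not part of the original thread or of any vendor tool. It assumes the "•" in the section name is stored as the Windows-1252 byte 0x95 (the page does not say how it is encoded), and it constructs its own minimal PE headers as sample input, so it runs offline.

```python
import re
import struct

# Indicator from the McAfee description quoted above: the infector appends one
# extra PE section whose name is three random letters followed by "•". This
# checker assumes "•" is stored as the Windows-1252 byte 0x95 (an assumption,
# not stated on the page); it is a hypothetical heuristic, not a vendor scanner.
SUSPECT_SECTION = re.compile(rb"^[A-Za-z]{3}\x95$")


def section_names(pe_bytes):
    """Return the section names of a PE image, trailing NULs stripped."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the section table follows the optional header.
    num_sections = struct.unpack_from("<H", pe_bytes, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe_bytes, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt
    names = []
    for i in range(num_sections):
        hdr = table + 40 * i           # each IMAGE_SECTION_HEADER is 40 bytes
        names.append(pe_bytes[hdr:hdr + 8].rstrip(b"\0"))
    return names


def looks_parite_infected(pe_bytes):
    """True if the LAST section carries the appended-section name pattern."""
    names = section_names(pe_bytes)
    return bool(names) and SUSPECT_SECTION.match(names[-1]) is not None


def build_sample_pe(names):
    """Constructed sample: a minimal MZ/PE header (no code) with these sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + table


if __name__ == "__main__":
    clean = build_sample_pe([b".text", b".data"])
    infected = build_sample_pe([b".text", b".data", b"xyz\x95"])
    print("clean:", looks_parite_infected(clean))        # False
    print("infected:", looks_parite_infected(infected))  # True
```

A name match alone is a heuristic; confirm with the registry key and the ~177 KB size growth listed above before treating a file as infected.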

Jeremy_

Post by Jeremy_ »

Trunx and bart.

what is the name of the virus ?
w32.Pate.b.dam ?
or another one ?
I can help if I know exactly the name of the detection.

goebish_

Post by goebish_ »

Win32.Parite.b , that's what Kaspersky reports

Trunx_

Post by Trunx_ »

so is there any way i can repair resolume 2 on my system?

bart
Team Resolume
Posts: 2236
Joined: Wed Sep 29, 2004 10:01
Location: Resolume HQ

Post by bart »

it was the W32/Pate.b virus ... but it's all gone now ... we're recompiling resolume and building a new installer.

sancho p._

Post by sancho p._ »

how much time will it take?

Jeremy_

Post by Jeremy_ »

Thanks for the name.

Bart's advice is correct.

Here are more details if you've been infected or want to verify.

This virus is a file infector = infect .exe file and scr file.
PE exe file = program
UPX packed executable = install file, or autoextract zip file in exe format.

You need to verify that your anti-virus is scanning the PE and UPX files (this is not the case for old anti-virus software such as McAfee VirusScan 4.03, McAfee VirusScan 4.5, etc.)

You need to be sure that you have the latest:
- anti-virus software version
- virus definitions version
- scan engine version

This virus is a quick virus = it will infect all .exe files in a couple of minutes.
This virus will also spread on your network, but only if you do not use a password on your shared folder.

Some applications may not run after infection and
cleaning = you will need to restore the original exe file.
