R-2.7.2 infected?
11 messages · Peter Dalgaard, ajay ohri, Rory.WINSTON at rbs.com +2 more
Dave DeBarr wrote:
I tried downloading R-2.7.2 (http://cran.cnr.berkeley.edu/bin/windows/base/R-2.7.2-win32.exe, both from Berkeley and cran) and both times I got a warning from Computer Associates eTrust Antivirus (version 7.1.710) that the Win32/Adclicker.JO trojan was detected: The Win32/Adclicker.JO was detected in C:\USERS\USER\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\LOW\CONTENT.IE5\61HAYRTG\R-2.7.2-WIN32[1].EXE. Has anyone else seen this?
You're the first to report it, and 2.7.2 has been out for almost a month, so I think it's likely that the CRAN copy is uninfected. Did you check the md5 checksum on it? It matches on the original, so if it doesn't match at your end, you've got a bad download. If it matches and you still get the virus checker reporting, please let me know the details about that infection, and I'll try to do a manual inspection for it. Duncan Murdoch
Could this be an intentional attack to compromise a very popular download, and infect thousands of people... what could be the motivations... I hope it's not some corporate thug here.
What exactly does the Win32/Adclicker.JO trojan do ???
Ajay
www.decisionstats.com
www.iwannacrib.com
On Tue, Sep 23, 2008 at 9:11 AM, Duncan Murdoch <murdoch at stats.uwo.ca> wrote:
Dave DeBarr wrote:
I tried downloading R-2.7.2 (http://cran.cnr.berkeley.edu/bin/windows/base/R-2.7.2-win32.exe, both from Berkeley and cran) and both times I got a warning from Computer Associates eTrust Antivirus (version 7.1.710) that the Win32/Adclicker.JO trojan was detected: The Win32/Adclicker.JO was detected in C:\USERS\USER\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\LOW\CONTENT.IE5\61HAYRTG\R-2.7.2-WIN32[1].EXE. Has anyone else seen this?
You're the first to report it, and 2.7.2 has been out for almost a month, so I think it's likely that the CRAN copy is uninfected. Did you check the md5 checksum on it? It matches on the original, so if it doesn't match at your end, you've got a bad download. If it matches and you still get the virus checker reporting, please let me know the details about that infection, and I'll try to do a manual inspection for it. Duncan Murdoch
______________________________________________ R-help at r-project.org mailing list https://stat.ethz.ch/mailman/listinfo/r-help PLEASE do read the posting guide http://www.R-project.org/posting-guide.html and provide commented, minimal, self-contained, reproducible code.
Regards, Ajay Ohri http://tinyurl.com/liajayohri
Did you check the md5 checksum on it?
Yes; it matched: 540090dd892657804d1099c54d6f770d
You're the first to report it, and 2.7.2 has been out for almost a month, so I think it's likely that the CRAN copy is uninfected.
Sounds promising. Perhaps it's a false positive from eTrust.
If it matches and you still get the virus checker reporting, please let me know the details about that infection
eTrust still reports the signature match for Win32/Adclicker.JO; but I don't know anything about Win32/Adclicker.JO. Unfortunately, eTrust doesn't provide a link to a description of Win32/Adclicker.JO. For what it's worth, I'm using version 7.1.710 of Computer Associates eTrust Antivirus (with version 31.6.6099 of its signature file). I'll try to find out more.
Thanks, Dave
-----Original Message-----
From: Duncan Murdoch [mailto:murdoch at stats.uwo.ca]
Sent: Monday, September 22, 2008 8:41 PM
To: Dave DeBarr
Cc: r-help at r-project.org
Subject: Re: [R] R-2.7.2 infected?
Dave DeBarr wrote:
I tried downloading R-2.7.2 (http://cran.cnr.berkeley.edu/bin/windows/base/R-2.7.2-win32.exe, both from Berkeley and cran) and both times I got a warning from Computer Associates eTrust Antivirus (version 7.1.710) that the Win32/Adclicker.JO trojan was detected: The Win32/Adclicker.JO was detected in C:\USERS\USER\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\LOW\CONTENT.IE5\61HAYRTG\R-2.7.2-WIN32[1].EXE. Has anyone else seen this?
You're the first to report it, and 2.7.2 has been out for almost a month, so I think it's likely that the CRAN copy is uninfected. Did you check the md5 checksum on it? It matches on the original, so if it doesn't match at your end, you've got a bad download. If it matches and you still get the virus checker reporting, please let me know the details about that infection, and I'll try to do a manual inspection for it. Duncan Murdoch
Dave DeBarr wrote:
Did you check the md5 checksum on it?
Yes; it matched: 540090dd892657804d1099c54d6f770d
And it is binary identical to the Austria CRAN one.
You're the first to report it, and 2.7.2 has been out for almost a month, so I think it's likely that the CRAN copy is uninfected.
Sounds promising. Perhaps it's a false positive from eTrust.
Likely. A quick Googling indicates that other programs have been "caught" too. This link is illuminative: http://www.cccp-project.net/forums/index.php?topic=2897.0
If it matches and you still get the virus checker reporting, please let me know the details about that infection
eTrust still reports the signature match for Win32/Adclicker.JO; but I don't know anything about Win32/Adclicker.JO. Unfortunately, eTrust doesn't provide a link to a description of Win32/Adclicker.JO. For what it's worth, I'm using version 7.1.710 of Computer Associates eTrust Antivirus (with version 31.6.6099 of its signature file). I'll try to find out more.
Thanks, Dave
   O__  ---- Peter Dalgaard             Øster Farimagsgade 5, Entr.B
  c/ /'_ --- Dept. of Biostatistics     PO Box 2099, 1014 Cph. K
 (*) \(*) -- University of Copenhagen   Denmark      Ph:  (+45) 35327918
~~~~~~~~~~ - (p.dalgaard at biostat.ku.dk)              FAX: (+45) 35327907
Peter Dalgaard wrote:
Dave DeBarr wrote:
Did you check the md5 checksum on it?
Yes; it matched: 540090dd892657804d1099c54d6f770d
And it is binary identical to the Austria CRAN one.
You're the first to report it, and 2.7.2 has been out for almost a
month, so I think it's likely that the CRAN copy is uninfected.
Sounds promising. Perhaps it's a false positive from eTrust.
Likely. A quick Googling indicates that other programs have been "caught" too. This link is illuminative: http://www.cccp-project.net/forums/index.php?topic=2897.0
(I wanted to do the same thing with R, but http://www.virustotal.com has a 20M cap on the file size.)
   O__  ---- Peter Dalgaard             Øster Farimagsgade 5, Entr.B
  c/ /'_ --- Dept. of Biostatistics     PO Box 2099, 1014 Cph. K
 (*) \(*) -- University of Copenhagen   Denmark      Ph:  (+45) 35327918
~~~~~~~~~~ - (p.dalgaard at biostat.ku.dk)              FAX: (+45) 35327907
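The checks the thread has walked through so far (published MD5, byte-identity with a second mirror, then the antivirus verdict), as an added example that is not part of the original messages. The function names, verdict strings and sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile


def file_digests(path, chunk_size=1 << 20):
    """Stream a file once and return its MD5 and SHA-256 hex digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def parse_md5sum_line(line):
    """Parse one 'digest  name' or 'digest *name' line (md5sum format)."""
    digest, _, name = line.strip().partition(" ")
    if len(digest) != 32 or any(c not in "0123456789abcdefABCDEF" for c in digest):
        raise ValueError("not an MD5 checksum line: %r" % line)
    return name.lstrip(" *"), digest.lower()


def triage_flagged_download(local_path, checksum_line, mirror_paths, av_flagged):
    """Classify a download using the steps from the thread (hypothetical verdicts)."""
    _, published = parse_md5sum_line(checksum_line)
    local = file_digests(local_path)
    # Step 1: the published MD5, as in the thread; a mismatch means a bad download.
    if local["md5"] != published:
        return "bad-download"
    # Step 2: byte-identity with copies from other mirrors, compared via SHA-256.
    if any(file_digests(p)["sha256"] != local["sha256"] for p in mirror_paths):
        return "mirror-mismatch"
    # Step 3: identical bytes everywhere, so an alert concerns the official build
    # itself and goes to the maintainer and the antivirus vendor for inspection.
    if av_flagged:
        return "report-to-maintainer-and-av-vendor"
    return "consistent"


if __name__ == "__main__":
    # Constructed sample data: three byte-identical copies standing in for the
    # local download and two mirror downloads of the same installer.
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name in ("local.exe", "mirror_a.exe", "mirror_b.exe"):
            paths.append(os.path.join(d, name))
            with open(paths[-1], "wb") as fh:
                fh.write(b"MZ constructed installer bytes")
        line = file_digests(paths[0])["md5"] + " *R-2.7.2-win32.exe"
        print(triage_flagged_download(paths[0], line, paths[1:], av_flagged=True))
```

A checksum fetched from the same mirror as the file only shows the transfer was intact; the comparison against independently fetched mirror copies is what supports the "official build" conclusion.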
This is what it does. It seems like a false alarm because in case of actual infection it seems quite conspicuous
Ajay
www.decisionstats.com

http://www.spywareguide.com/product_show.php?id=2569
Full Name: Win32.AdClicker Websearch
Type: Trojan
SG Index: 5
Removal tools: List of products that detect/remove/protect against Win32.AdClicker:
  Desktop Anti-malware: Pro User: X-Cleaner
  Control IM and P2P use, block spyware and other malware: RTGuardian
  Endpoint Spyware Remediation: Greynet Enterprise Manager
  IM, P2P control, malware prevention and web filtering in single appliance: Unified Security Gateway
Category Description: A Trojan is a program that enables an attacker to get nearly complete control over an infected PC. Frequently used tool by malicious hackers. When this program executes, the program performs a specific set of actions. This usually works toward the goal of allowing the trojan to survive on a system and open up a backdoor.
Comment: This Trojan downloads many executable. It changes the autostarter randomly. It also hijacks the desktop and puts a wall paper saying that the system is affected and advertises a sites "smart-security.info". It duplicates each and every file which the user creates with the same name and in the same Directory.
Properties: Adds other software; Autostarts/Stays Resident; Installs Through Exploit; Opens ports

On Tue, Sep 23, 2008 at 1:29 PM, Peter Dalgaard <P.Dalgaard at biostat.ku.dk> wrote:
Peter Dalgaard wrote:
Dave DeBarr wrote:
Did you check the md5 checksum on it?
Yes; it matched: 540090dd892657804d1099c54d6f770d
And it is binary identical to the Austria CRAN one.
You're the first to report it, and 2.7.2 has been out for almost a month, so I think it's likely that the CRAN copy is uninfected.
Sounds promising. Perhaps it's a false positive from eTrust.
Likely. A quick Googling indicates that other programs have been "caught" too. This link is illuminative: http://www.cccp-project.net/forums/index.php?topic=2897.0
(I wanted to do the same thing with R, but http://www.virustotal.com has a 20M cap on the file size.)
--
   O__  ---- Peter Dalgaard             Øster Farimagsgade 5, Entr.B
  c/ /'_ --- Dept. of Biostatistics     PO Box 2099, 1014 Cph. K
 (*) \(*) -- University of Copenhagen   Denmark      Ph:  (+45) 35327918
~~~~~~~~~~ - (p.dalgaard at biostat.ku.dk)              FAX: (+45) 35327907
-- Regards, Ajay Ohri http://tinyurl.com/liajayohri
Could this be an intentional attack to compromise a very popular download, and infect thousands of people... what could be the motivations... I hope it's not some corporate thug here
No. False positives are relatively common.
What exactly does the Win32/Adclicker.JO trojan do ??? Ajay www.decisionstats.com www.iwannacrib.com
On 22/09/2008 8:38 PM, Dave DeBarr wrote:
I tried downloading R-2.7.2 (http://cran.cnr.berkeley.edu/bin/windows/base/R-2.7.2-win32.exe, both from Berkeley and cran) and both times I got a warning from Computer Associates eTrust Antivirus (version 7.1.710) that the Win32/Adclicker.JO trojan was detected: The Win32/Adclicker.JO was detected in C:\USERS\USER\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\LOW\CONTENT.IE5\61HAYRTG\R-2.7.2-WIN32[1].EXE. Has anyone else seen this?
It's not R, it's CA: see the message below. Is there any way for you to post the false positive to their tech support? Duncan Murdoch
Path: news.jrsoftware.org!not-for-mail
From: Martin Holmes <mholmes at uvic.ca>
Newsgroups: jrsoftware.innosetup
Subject: The latest silly antivirus false positive
Date: Tue, 23 Sep 2008 07:43:56 -0700

Hi folks,

CA Antivirus this morning flagged all of my recent InnoSetup-created setup exe files as having the Win32/Adclicker.JO trojan in them. CA, by default, just deletes infected files, but having been bitten by this before, I had set it to quarantine them instead, and was able to restore them.

So you might want to prepare for a stack of emails from users who have CA AV installed.

Cheers,
Martin
6 days later
For what it's worth, Computer Associates updated their signatures; and eTrust no longer reports the installation program for the Windows version of R-2.7.2 as infected. I found it surprisingly difficult to learn about how the Win32/Adclicker.JO virus operates, and how eTrust detects it. I couldn't even get anyone to admit it was a false positive (though it seems clear now). Regards, Dave
From: r-help-bounces at r-project.org [r-help-bounces at r-project.org] On Behalf Of Ajay ohri [ohri2007 at gmail.com]
Sent: Tuesday, September 23, 2008 1:06 AM
To: Peter Dalgaard
Cc: r-help at r-project.org; Dave DeBarr; Duncan Murdoch
Subject: Re: [R] R-2.7.2 infected?
Dave DeBarr wrote:
For what it's worth, Computer Associates updated their signatures; and eTrust no longer reports the installation program for the Windows version of R-2.7.2 as infected. I found it surprisingly difficult to learn about how the Win32/Adclicker.JO virus operates, and how eTrust detects it. I couldn't even get anyone to admit it was a false positive (though it seems clear now).
Thanks for following up on this. Duncan Murdoch
Regards, Dave