
worm Win32/Orbina!rts in win32forth from sourceforge


Michael

May 17, 2011, 5:04:16 PM
Hi.

Tried to get win32forth today from sourceforge, and Microsoft Security
Essentials found
Worm: Win32/Orbina!rts - details below. Sorry that it is in German,
but I guess you get the essentials.

I got no message by MSE downloading W32for42.exe (10-Oct-2000 13:18
1.5M) here:
http://www.complang.tuwien.ac.at/forth/win32forth/

Michael


Worm: Win32/Orbina!rts

Kategorie: Wurm

Beschreibung: Dieses Programm ist gefährlich. Es verbreitet sich
selbst über eine Netzwerkverbindung.

Empfohlene Aktion: Lassen Sie dieses entdeckte Element nur zu, wenn
Sie dem Programm oder dem Softwareherausgeber vertrauen.

Security Essentials hat Programme erkannt, die Ihre Privatsphäre
gefährden oder Ihren Computer beschädigen könnten. Sie können auf die
von diesen Programmen verwendeten Dateien weiterhin zugreifen, ohne
sie zu entfernen (nicht empfohlen). Wählen Sie zum Zugreifen auf diese
Dateien die Aktion "Zulassen" aus, und klicken Sie dann auf "Aktionen
anwenden". Wenn diese Option nicht verfügbar ist, melden Sie sich als
Administrator an, oder bitten Sie den Sicherheitsadministrator um
Unterstützung.

Elemente:
containerfile:C:\Dokumente und Einstellungen\Michael\Eigene Dateien
\w32f61200.exe
file:C:\Dokumente und Einstellungen\Michael\Eigene Dateien
\w32f61200.exe->(nsis-3-fkernel.exe)
webfile:c:\Dokumente und Einstellungen\All Users\Anwendungsdaten
\Microsoft\Microsoft Antimalware\LocalCopy\{66A50D87-3169-4DE2-A80D-
B32924E041DF}-w32f61200.exe|http://heanet.dl.sourceforge.net/project/
win32forth/Win32Forth%20-%20stable%20release/Win32forth%20V6.12.00/
w32f61200.exe
webfile:C:\Dokumente und Einstellungen\Michael\Eigene Dateien
\w32f61200.exe|http://heanet.dl.sourceforge.net/project/win32forth/
Win32Forth%20-%20stable%20release/Win32forth%20V6.12.00/w32f61200.exe

Alex McDonald

May 17, 2011, 7:20:56 PM

It's common to get hits due to the nature of the executable code; it's
perfectly safe, however.

Bluebee

May 19, 2011, 1:02:21 AM
On 17 Mai, 19:20, Alex McDonald <b...@rivadpm.com> wrote:
> On May 17, 10:04 pm, Michael <michael.ka...@onlinehome.de> wrote:
>
> > Tried to get win32forth today from sourceforge, and Microsoft Security
> > Essentials found
> > Worm: Win32/Orbina!rts - details below.
>
> It's common to get hits due to the nature of the executable code; it's
> perfectly safe, however.

It's interesting: Win32Forth version 6.12 gets complaints from various
anti-virus software.
Until I excluded the Win32Forth (version 6.12) folder from searching,
my avast anti-virus snatched away and pinched Win32for.exe every time
- but not so with Win32Forth version 6.14: there are no complaints
about version 6.14 - and no complaints about version 4.2 either.

Despite Win32Forth version 6.14 being better off, it is irritating
that it says on sourceforge:

Looking for the latest version? Download Win32Forth V6.14.00 (5.9 MB)
but:
Win32Forth - stable release: Win32forth V6.12.00 2007-07-14
etc.

I am reading this text in a way that version 6.14 is not a stable
release, and other people may do so, too, and get in trouble with
their av-software when loading and/or using version 6.12.
Strange somehow.

Rod Pemberton

May 19, 2011, 5:44:50 AM
"Bluebee" <visua...@rocketmail.com> wrote in message
news:f236a4a1-02c3-4618...@w36g2000vbi.googlegroups.com...

> On 17 Mai, 19:20, Alex McDonald <b...@rivadpm.com> wrote:
> > On May 17, 10:04 pm, Michael <michael.ka...@onlinehome.de> wrote:
> > > Tried to get win32forth today from sourceforge, and Microsoft Security
> > > Essentials found
> > > Worm: Win32/Orbina!rts - details below.
>
> > It's common to get hits due to the nature of the executable code;
> > it's perfectly safe, however.
>
> It's interesting: Win32Forth version 6.12 gets complaints from various
> anti-virus software.

Personally, I've never gotten a false positive from an anti-virus scanner no
matter how strict the scan. If it doesn't pass your virus scanner, don't use
it. I think I'm going to re-run some on Win32Forth 6.12...


Rod Pemberton


Alex McDonald

May 19, 2011, 9:35:14 AM
On May 19, 10:44 am, "Rod Pemberton" <do_not_h...@noavailemail.cmm>
wrote:
> "Bluebee" <visualfo...@rocketmail.com> wrote in message

The problem is the PE header built by 6.12, and the way the code
section is declared in it with a length descriptor that contains a
value that far exceeds the actual length of the section. It was
addressed in 6.14.
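
Added example (not part of the original thread and not Win32Forth code): a small check over a PE section table for the kind of mismatch described in the post above. The post does not name the header field involved; this sketch assumes the section header's `SizeOfRawData` and `VirtualSize`, and the ratio threshold and the `build_sample` helper are constructed for illustration.

```python
import struct

CODE, EXEC = 0x00000020, 0x20000000   # IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE
RATIO_LIMIT = 16                      # assumed cut-off for "far exceeds"; tune per corpus
SECTION_FMT = "<8sIIIIIIHHI"          # one 40-byte IMAGE_SECTION_HEADER

def oversized_code_sections(data, ratio_limit=RATIO_LIMIT):
    """Return (name, virtual_size, raw_size, reason) for code sections whose
    declared lengths are out of line with the bytes actually in the file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size                          # signature + COFF + optional hdr
    findings = []
    for i in range(nsect):
        name, vsize, _va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, data, table + 40 * i)
        if not flags & (CODE | EXEC):
            continue
        name = name.rstrip(b"\0").decode("ascii", "replace")
        if raw_ptr + raw_size > len(data):
            findings.append((name, vsize, raw_size, "raw data runs past end of file"))
        elif vsize > ratio_limit * max(raw_size, 1):
            findings.append((name, vsize, raw_size, "virtual size far exceeds raw size"))
    return findings

def build_sample(vsize, raw_size, body_len):
    """Constructed header-only PE image with one .code section (not loadable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    raw_ptr = 64 + 4 + 20 + 40                              # section data follows the table
    sect = struct.pack(SECTION_FMT, b".code", vsize, 0x1000, raw_size,
                       raw_ptr, 0, 0, 0, 0, CODE | EXEC)
    return dos + b"PE\0\0" + coff + sect + b"\0" * body_len

if __name__ == "__main__":
    for label, img in [("consistent", build_sample(0x200, 0x200, 0x200)),
                       ("raw too long", build_sample(0x200, 0x100000, 0x200)),
                       ("virtual too long", build_sample(0x400000, 0x200, 0x200))]:
        print(label, oversized_code_sections(img))
```

A large `VirtualSize` is legitimate for programs that reserve uninitialised space, so a hit here explains why a heuristic scanner might react, not that the file is malicious.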

Coos Haak

May 19, 2011, 10:11:51 AM
On 19 mei, 11:44, "Rod Pemberton" <do_not_h...@noavailemail.cmm>
wrote:
> "Bluebee" <visualfo...@rocketmail.com> wrote in message

Then you have never used Panda AV or AVG.
They complain with Win32Forth 6.12 and 6.14 on Windows XP, Vista and
7.

Greetings, Coos

rickman

May 19, 2011, 10:17:04 AM

I get AV flags on version 6.14 from SuperAntiSpyware (with current
updates). I forget the exact message, but it is something about a
Trojan and I think a name Haoge or similar. I was just running a scan
but it won't let me go back to see the report. First I have to reboot
the computer and by the time that is done I'll likely not remember
what Forth is much less this thread... life with no memory is a
pita.

Rick

Alex McDonald

May 19, 2011, 8:31:14 PM

I'd be interested to know why that's the case. McAfee makes no
complaint about either version.
