
Virus detected after Thunderbird update


Graham Bonham

Sep 29, 2011, 1:39:40 PM9/29/11
After what I thought was a routine autoupdate by Thunderbird today
(29/9/11) - the version number now shown is 7.0 - both Panda Global
Security and Windows Defender reported that the files thunderbird.exe
and helper.exe (to do with uninstalling Thunderbird) were infected
with W32/Xor-encoded.A. The files have now been disinfected.

I would be very interested to know whether a genuine Thunderbird
update has recently gone out containing the above virus.

If it did, I would have thought I'd see other reports of this on the
Internet. If it did not, I fear I have allowed malware, masquerading
as a Thunderbird update, to execute. Hopefully no harm has been done,
as regards me, but it would be worrying if there was a vulnerability
in the autoupdate process which allowed malware to be distributed in
the same way as genuine updates.

It's of course possible that I have misinterpreted what happened,
though the infection was found in two Thunderbird files and no virus
infection was found elsewhere in a full scan with up-to-date
definitions of the rest of the system.

I also acknowledge that occasionally security software gets things
wrong and flags non-existent problems.

Chris Ilias

Sep 29, 2011, 2:42:41 PM9/29/11
So far, you're the only one I've seen report this. Did you originally
download Thunderbird from Mozilla?

--
Chris Ilias <http://ilias.ca>
Mailing list/Newsgroup moderator

g

Sep 29, 2011, 3:12:16 PM9/29/11
to mozilla thunderbird support
On 09/29/2011 05:39 PM, Graham Bonham wrote:

> I would be very interested to know whether a genuine Thunderbird
> update has recently gone out containing the above virus.

i would not think so, but as chris ilias asks, where did you get the
version you are using?

in addition, i do not know which version these pertain to, but these are
recent, as of 09/28/2011, notices from the redhat linux security notices:

CVE-2011-2372 CVE-2011-2995 CVE-2011-2998
CVE-2011-2999 CVE-2011-3000

and could have caused you a problem.


> I also acknowledge that occasionally security software gets things
> wrong and flags non-existent problems.

this is very true



--

peace out.

tc.hago,

g
.

****
in a free world without fences, who needs gates.
**
help microsoft stamp out piracy - give linux to a friend today.
**
to mess up a linux box, you need to work at it.
to mess up an ms windows box, you just need to *look* at it.
**
The installation instructions stated to install Windows 2000 or better.
So I installed Linux.
**
learn linux:
'Rute User's Tutorial and Exposition' http://rute.2038bug.com/index.html
'The Linux Documentation Project' http://www.tldp.org/
'LDP HOWTO-index' http://www.tldp.org/HOWTO/HOWTO-INDEX/index.html
'HowtoForge' http://howtoforge.com/
****


David H. Lipman

Sep 29, 2011, 3:54:21 PM9/29/11
From: "Graham Bonham" <gb1...@googlemail.com>
Strong possibility of a False Positive declaration. However, you write "Panda Global
Security and Windows Defender...W32/Xor-encoded.A"


W32/Xor-encoded.A is NOT a "virus" as you stated in the subject.
http://www.pandasecurity.com/homeusers/security-info/194318/information/Xor-encoded.A


Please provide log snippets and/or log excerpts showing the event for MS Windows Defender
and Panda.

Additionally please elaborate on what you were doing.
Did you download T-Bird 7 ?
Did you initiate an older version of T-Bird to download and install a new version of
T-Bird ?


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Graham Bonham

Sep 29, 2011, 6:51:50 PM9/29/11
I note that the entry in the Panda Virus Encyclopedia states that "Xor-
encoded.A spreads to other computers by copying its code to other
files or programs. It has damaging effects on the affected computer."
and that "Xor-encoded.A does not spread automatically using its own
means". Perhaps the fact that it does not spread automatically using
its own means prevents it from being a virus? I was thinking that if
it was damaging and it infects files then it is a virus.

I don't recall exactly what happened but I was not downloading and
installing afresh. I was updating an existing installation of
Thunderbird. I think how the update usually works, as Thunderbird is
configured on this Win7 PC, is that Thunderbird downloads any
available update and tells me a new version is available and seeks the
OK to install when Thunderbird is next started. However, I might be
misrecalling and/or confusing the process for updating Thunderbird
with that for updating Firefox.

There's nothing at all in the Windows Defender History (even after
hitting the View button). Maybe the Panda software dealt with the
files, so Windows Defender needed to do nothing? Maybe the History
has been cleared?

Here's the relevant stuff from the Panda log (redacted a bit):

Virus detected: W32/Xor-encoded.A Antivirus
protection 29/09/2011 10:33:25 Disinfected
Path: C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\LOCALCOPY\{C...[NOT
SURE WHAT THIS CODE CONTAINING LETTERS, NUMBERS AND DASHES IS BUT IT
MIGHT BE SOMETHING I OUGHT TO KEEP PRIVATE]...B}-
HELPER.EXE
Virus detected: W32/Xor-encoded.A Antivirus
protection 29/09/2011 10:33:24 Disinfected
Path: C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\LOCALCOPY\{A[... NOT
SURE WHAT THIS CODE CONTAINING LETTERS, NUMBERS AND DASHES IS BUT IT
MIGHT BE SOMETHING I OUGHT TO KEEP PRIVATE]...4}-
THUNDERBIRD.EXE

On Sep 29, 8:54 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:
> From: "Graham Bonham" <gb10...@googlemail.com>


>
> > After what I thought was a routine autoupdate by Thunderbird today
> > (29/9/11) - the version number now shown is 7.0 - both Panda Global
> > Security and Windows Defender reported that the files thunderbird.exe
> > and helper.exe (to do with uninstalling Thunderbird) were infected
> > with W32/Xor-encoded.A. The files have now been disinfected.
>
> > I would be very interested to know whether a genuine Thunderbird
> > update has recently gone out containing the above virus.
>
> > If it did, I would have thought I'd see other reports of this on the
> > Internet.  If it did not, I fear I have allowed malware, masquerading
> > as a Thunderbird update, to execute.  Hopefully no harm has been done,
> > as regards me, but it would be worrying if there was a vulnerability
> > in the autoupdate process which allowed malware to be distributed in
> > the same way as genuine updates.
>
> > It's of course possible that I have misinterpreted what happened,
> > though the infection was found in two Thunderbird files and no virus
> > infection was found elsewhere in a full scan with up-to-date
> > definitions of the rest of the system.
>
> > I also acknowledge that occasionally security software gets things
> > wrong and flags non-existent problems.
>
> Strong possibility of a False Positive declaration.  However, you write "Panda Global
> Security and Windows Defender...W32/Xor-encoded.A"
>

> W32/Xor-encoded.A is NOT a "virus" as you stated in the subject.
> http://www.pandasecurity.com/homeusers/security-info/194318/informati...


>
> Please provide log snippets and/or log exerpts showing the event for MS Windows Defender
> and Panda.
>
> Additionally please elaborate on what you were doing.
> Did you download T-Bird 7 ?
> Did you initiate an older version of T-Bird to download and install a new version of
> T-Bird ?
>
> --
> Dave

> Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
> http://www.pctipp.ch/downloads/dl/35905.asp

David H. Lipman

Sep 29, 2011, 9:18:58 PM9/29/11
From: "Graham Bonham" <gb1...@googlemail.com>

> I note that the entry in the Panda Virus Encyclopedia states that "Xor-
> encoded.A spreads to other computers by copying its code to other
> files or programs. It has damaging effects on the affected computer."
> and that "Xor-encoded.A does not spread automatically using its own
> means". Perhaps the fact that it does not spread automatically using
> its own means prevents it from being a virus? I was thinking that if
> it was damaging and it infects files then it is a virus.

Infecting files in itself does not mean "virus". Self replication does. Infecting other
files without self replication is the concept of "trojanizing" a legitimate file.

If a virus is a file infecting type virus then it can prepend, insert or append code to a
legitimate file and thus infect it. If it is an infected executable and can subsequently
infect other files then it is a virus.

A trojan can also prepend, insert or append code to a legitimate file thus infecting it.
If the infected file can then not spread the infection it has only become trojanized.
If you don't see anything from Windows Defender then I doubt Windows Defender made the
SAME exact declaration as Panda.

Unfortunately, you edited out crucial information that had nothing to do with privacy and
everything to do with assessing whether this was a False Positive declaration or a
righteous declaration without actually having a sample.

Of course a sample WOULD be best. If the file is in quarantine then you can restore the
file from quarantine and then upload it to; http://www.uploadmalware.com/
where I can examine the file to see if it is malicious or not.


--
Dave

David H. Lipman

Sep 29, 2011, 9:33:59 PM9/29/11
From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>

> If you don't see anything from Windows Defender then I doubt Windows Defender made the
> SAME exact declaration as Panda.
>
> Unfortunately, you edited out crucial information that had nothing to do with privacy and
> everything to do with assessing whether this was a False Positive declaration or a
> righteous declaration without actually having a sample.
>
> Of course a sample WOULD be best. If the file is in quarantine then you can restore the
> file from quarantine and then upload it to; http://www.uploadmalware.com/
> where I can examine the file to see if it is malicious or not.
>

Sh!t... I forgot to add.

Once the file has been submitted to UploadMalware.Com you can put the file back into
quarantine.

Based upon my findings after analyzing the file, we can work from there.

John Mckenzie

Sep 29, 2011, 10:13:19 PM9/29/11
I had no such notices from any of the security programs I have
running--windows defender, Malwarebytes, superantispyware.

Christoph Schmees

Oct 11, 2011, 12:29:56 PM10/11/11

you could upload the files concerned one by one to virustotal.com
(guard or "on-access" disabled!) and let it scan there. Then
report the findings.

Christoph

--
email:
nurfuerspam -> gmx
de -> net
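A local check that complements the VirusTotal suggestion above, added here as an example and not part of the thread: it records a SHA-256 for each binary the original poster named (so the hash can be looked up without uploading the file) and asks Windows whether the file still carries a valid Authenticode signature. The install paths and the location of helper.exe under the uninstall folder are assumptions about a default Thunderbird install.

```powershell
# Added example (not from the thread). Assumes a default Thunderbird install
# location; adjust $files for a different install or for quarantined copies.
$files = @(
    "$env:ProgramFiles\Mozilla Thunderbird\thunderbird.exe",
    "$env:ProgramFiles\Mozilla Thunderbird\uninstall\helper.exe"
)

foreach ($f in $files) {
    if (-not (Test-Path -Path $f)) {
        Write-Warning "missing: $f"
        continue
    }

    # SHA-256 can be searched on virustotal.com without uploading the file.
    $hash = (Get-FileHash -Path $f -Algorithm SHA256).Hash

    # Status values of interest:
    #   Valid        - signed, chain trusted, bytes unchanged since signing
    #   HashMismatch - signed, but the file was modified after signing
    #   NotSigned    - no Authenticode signature at all
    $sig    = Get-AuthenticodeSignature -FilePath $f
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    [pscustomobject]@{
        File   = $f
        SHA256 = $hash
        Status = $sig.Status
        Signer = $signer
    }
}
```

Note that an AV "disinfection" rewrites the binary, so a HashMismatch on the already-cleaned file does not by itself show the update was tampered with; the copy restored from quarantine, as suggested earlier in the thread, is the one worth examining.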
