[R] R-2.7.2 infected?

Dave DeBarr Dave.DeBarr at microsoft.com
Tue Sep 30 07:14:28 CEST 2008


For what it's worth, Computer Associates updated their signatures; and eTrust no longer reports the installation program for the Windows version of R-2.7.2 as infected.

I found it surprisingly difficult to learn about how the Win32/Adclicker.JO virus operates, and how eTrust detects it.  I couldn't even get anyone to admit it was a false positive (though it seems clear now).

Regards,
Dave
________________________________________
From: r-help-bounces at r-project.org [r-help-bounces at r-project.org] On Behalf Of Ajay ohri [ohri2007 at gmail.com]
Sent: Tuesday, September 23, 2008 1:06 AM
To: Peter Dalgaard
Cc: r-help at r-project.org; Dave DeBarr; Duncan Murdoch
Subject: Re: [R] R-2.7.2 infected?

This is what it does. It seems like a false alarm because in case of
actual infection it seems
quite conspicuous

Ajay

www.decisionstats.com



http://www.spywareguide.com/product_show.php?id=2569


Full Name: Win32.AdClicker Websearch
Type: Trojan
SG Index: 5
Removal tools: List of products that detect/remove/protect against
Win32.AdClicker:
Desktop Anti-malware: Pro User: X-Cleaner
Control IM and P2P use, block spyware and other malware: RTGuardian
Endpoint Spyware Remediation: Greynet Enterprise Manager
IM, P2P control, malware prevention and web filtering in single
appliance: Unified Security Gateway
Category Description: A Trojan is a program that enables an attacker to
get nearly complete control over an infected PC. Frequently used tool
by malicious hackers. When this program executes, the program performs
a specific set of actions. This usually works toward the goal of
allowing the trojan to survive on a system and open up a backdoor.

Comment: This Trojan downloads many executables. It changes the
autostarter randomly. It also hijacks the desktop and puts a
wallpaper saying that the system is affected and advertises a site,
"smart-security.info". It duplicates each and every file which the user
creates with the same name and in the same directory.


Properties:
 Adds other software
 Autostarts/Stays Resident
 Installs Through Exploit
 Opens ports

On Tue, Sep 23, 2008 at 1:29 PM, Peter Dalgaard
<P.Dalgaard at biostat.ku.dk> wrote:
>
> Peter Dalgaard wrote:
> > Dave DeBarr wrote:
> >>> Did you check the md5 checksum on it?
> >>>
> >>
> >> Yes; it matched: 540090dd892657804d1099c54d6f770d
> >>
> >>
> > And it is binary identical to the Austria CRAN one.
> >>
> >>> You're the first to report it, and 2.7.2 has been out for almost a
> >>> month, so I think it's likely that the CRAN copy is uninfected.
> >>>
> >>
> >> Sounds promising.  Perhaps it's a false positive from eTrust.
> >>
> >>
> >>
> > Likely. A quick Googling indicates that other programs have been
> > "caught" too.
> > This link is illuminative:
> > http://www.cccp-project.net/forums/index.php?topic=2897.0
>
> (I wanted to do the same thing with R, but http://www.virustotal.com has
> a 20M cap on the file size.)
>
> --
>   O__  ---- Peter Dalgaard             Øster Farimagsgade 5, Entr.B
>  c/ /'_ --- Dept. of Biostatistics     PO Box 2099, 1014 Cph. K
>  (*) \(*) -- University of Copenhagen   Denmark      Ph:  (+45) 35327918
> ~~~~~~~~~~ - (p.dalgaard at biostat.ku.dk)              FAX: (+45) 35327907
>
> ______________________________________________
> R-help at r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-help
> PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
> and provide commented, minimal, self-contained, reproducible code.



--
Regards,

Ajay Ohri
http://tinyurl.com/liajayohri