[R] R-2.7.2 infected?

Duncan Murdoch murdoch at stats.uwo.ca
Tue Sep 30 12:27:43 CEST 2008


Dave DeBarr wrote:
> For what it's worth, Computer Associates updated their signatures; and eTrust no longer reports the installation program for the Windows version of R-2.7.2 as infected.
>
> I found it surprisingly difficult to learn about how the Win32/Adclicker.JO virus operates, and how eTrust detects it.  I couldn't even get anyone to admit it was a false positive (though it seems clear now).
>   

Thanks for following up on this. 

Duncan Murdoch
> Regards,
> Dave
> ________________________________________
> From: r-help-bounces at r-project.org [r-help-bounces at r-project.org] On Behalf Of Ajay ohri [ohri2007 at gmail.com]
> Sent: Tuesday, September 23, 2008 1:06 AM
> To: Peter Dalgaard
> Cc: r-help at r-project.org; Dave DeBarr; Duncan Murdoch
> Subject: Re: [R] R-2.7.2 infected?
>
> This is what it does. It seems like a false alarm because in case of
> actual infection it seems
> quite conspicuous
>
> Ajay
>
> www.decisionstats.com
>
>
>
> http://www.spywareguide.com/product_show.php?id=2569
>
>
> Full Name: Win32.AdClicker Websearch
> Type: Trojan
> SG Index: 5
> Removal tools: List of products that detect/remove/protect against
> Win32.AdClicker:
> Desktop Anti-malware: Pro User: X-Cleaner
> Control IM and P2P use, block spyware and other malware: RTGuardian
> Endpoint Spyware Remediation: Greynet Enterprise Manager
> IM, P2P control, malware prevention and web filtering in single
> appliance: Unified Security Gateway
> Category Description: A Trojan is a program that enables an attacker to
> get nearly complete control over an infected PC. Frequently used tool
> by malicious hackers. When this program executes, the program performs
> a specific set of actions. This usually works toward the goal of
> allowing the trojan to survive on a system and open up a backdoor.
> Comment: This Trojan downloads many executables. It changes the
> autostarter randomly. It also hijacks the desktop and puts a
> wallpaper saying that the system is affected and advertises a site
> "smart-security.info". It duplicates each and every file which the user
> creates with the same name and in the same directory.
>
>
> Properties:
>  Adds other software
>  Autostarts/Stays Resident
>  Installs Through Exploit
>  Opens ports
> On Tue, Sep 23, 2008 at 1:29 PM, Peter Dalgaard
> <P.Dalgaard at biostat.ku.dk> wrote:
>   
>> Peter Dalgaard wrote:
>>     
>>> Dave DeBarr wrote:
>>>       
>>>>> Did you check the md5 checksum on it?
>>>>>
>>>>>           
>>>> Yes; it matched: 540090dd892657804d1099c54d6f770d
>>>>
>>>>
>>>>         
>>> And it is binary identical to the Austria CRAN one.
>>>       
>>>>> You're the first to report it, and 2.7.2 has been out for almost a
>>>>> month, so I think it's likely that the CRAN copy is uninfected.
>>>>>
>>>>>           
>>>> Sounds promising.  Perhaps it's a false positive from eTrust.
>>>>
>>>>
>>>>
>>>>         
>>> Likely. A quick Googling indicates that other programs have been
>>> "caught" too.
>>> This link is illuminative:
>>> http://www.cccp-project.net/forums/index.php?topic=2897.0
>>>       
>> (I wanted to do the same thing with R, but http://www.virustotal.com has
>> a 20M cap on the file size.)
>>
>> --
>>   O__  ---- Peter Dalgaard             Øster Farimagsgade 5, Entr.B
>>  c/ /'_ --- Dept. of Biostatistics     PO Box 2099, 1014 Cph. K
>>  (*) \(*) -- University of Copenhagen   Denmark      Ph:  (+45) 35327918
>> ~~~~~~~~~~ - (p.dalgaard at biostat.ku.dk)              FAX: (+45) 35327907
>>
>> ______________________________________________
>> R-help at r-project.org mailing list
>> https://stat.ethz.ch/mailman/listinfo/r-help
>> PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
>> and provide commented, minimal, self-contained, reproducible code.
>>     
>
>
>
> --
> Regards,
>
> Ajay Ohri
> http://tinyurl.com/liajayohri
>


