Bad Mirror

General discussion for topics related to the FreeBASIC project or its community.
albert
Posts: 6000
Joined: Sep 28, 2006 2:41
Location: California, USA

Bad Mirror

Post by albert »

I downloaded FBIDE from SourceForge and FB 0.24 from the Denmark mirror.
One of the two or both had a virus in it.

Microsoft Security Essentials warned on the two downloads that they weren't often downloaded and could harm my computer.
And that they didn't have a valid software signature.
I ran them anyway and had to reinstall Windows and go through the gigabyte-plus of updates.

I found this program to be helpful if you get a nasty virus that AV software can't find. http://www.macrium.com/reflectfree.aspx

It works with the "Windows Automated Installation Kit" (WAIK) to restore all your partitions to whenever they were saved.
Of all the partition copiers and backup programs I tried, this one is best.
It downloads and installs the WAIK, which is about a 1.7 GB download.

But then it only takes 30-60 minutes to restore your drive.

Maybe the FB coders need to periodically check the MD5 sums on the mirror hosts. This is the third time I got a bad FBIDE.
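The checksum check suggested above, written out as an added example (this is not FreeBASIC project code, and the archive names, contents and digests below are constructed stand-ins, not real release sums). It parses a published list in the `md5sum`/`sha256sum` line format, hashes the files actually fetched from a mirror, and reports one verdict per listed entry, including the case a mirror copy has been altered:

```python
import hashlib
import os
import tempfile

# Constructed sample archive contents; not the real FreeBASIC or FBIde releases.
GENUINE = {
    "FreeBASIC-0.24-win32.zip": b"constructed stand-in for the genuine fbc 0.24 archive\n",
    "FBIde-0.4.6r4.zip": b"constructed stand-in for the genuine FBIde 0.4.6r4 archive\n",
}


def parse_checksum_file(text):
    """Parse md5sum/sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>').

    Returns {name: hexdigest}. Blank lines and '#' comments are ignored;
    anything else that is not two fields with a hex digest is rejected.
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or any(c not in "0123456789abcdefABCDEF" for c in parts[0]):
            raise ValueError("malformed checksum line: %r" % raw)
        digest, name = parts
        expected[name.lstrip("*").strip()] = digest.lower()
    return expected


def file_digest(path, algo):
    """Hash a file in chunks so large archives do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(directory, checksum_text, algo="sha256"):
    """Check every entry of a checksum list against files in `directory`.

    Returns {name: "OK" | "MISMATCH" | "MISSING"}. Only the basename of each
    listed entry is used, so a hostile list cannot point outside `directory`.
    """
    verdicts = {}
    for name, want in parse_checksum_file(checksum_text).items():
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            verdicts[name] = "MISSING"
        elif file_digest(path, algo) == want:
            verdicts[name] = "OK"
        else:
            verdicts[name] = "MISMATCH"
    return verdicts


def demo():
    """Simulate a download directory where one mirror copy has been altered."""
    # The list the project itself would publish (SHA-256 of the genuine files).
    published = "".join(
        "%s  %s\n" % (hashlib.sha256(data).hexdigest(), name)
        for name, data in GENUINE.items()
    ) + "# docs archive listed but never downloaded:\n" + "%s  fbc-docs.chm\n" % ("0" * 64)
    with tempfile.TemporaryDirectory() as d:
        # Genuine fbc archive, as fetched from a trustworthy mirror.
        with open(os.path.join(d, "FreeBASIC-0.24-win32.zip"), "wb") as f:
            f.write(GENUINE["FreeBASIC-0.24-win32.zip"])
        # FBIde archive as a bad mirror might serve it: extra bytes appended.
        with open(os.path.join(d, "FBIde-0.4.6r4.zip"), "wb") as f:
            f.write(GENUINE["FBIde-0.4.6r4.zip"] + b"appended by a tampering mirror\n")
        return verify_downloads(d, published)


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print("%-10s %s" % (verdict, name))
```

The check only means something if the sums come from somewhere the mirror cannot rewrite: the project's own site over HTTPS, or a signed sums file. A compromised mirror that serves both the archive and its checksum will simply publish matching values. MD5 still catches truncated or corrupt transfers, but SHA-256 is the algorithm to use when the question is deliberate tampering.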
TJF
Posts: 3809
Joined: Dec 06, 2009 22:27
Location: N47°, E15°
Contact:

Re: Bad Mirror

Post by TJF »

albert wrote:I downloaded ... FB 0.24 from the Denmark mirror.
???

Can you post a link, please?
marcov
Posts: 3455
Joined: Jun 16, 2005 9:45
Location: Netherlands
Contact:

Re: Bad Mirror

Post by marcov »

albert wrote:I downloaded FBIDE from SourceForge and FB 0.24 from the Denmark mirror.
One of the two or both had a virus in it.

Microsoft Security Essentials warned on the two downloads that they weren't often downloaded and could harm my computer.
And that they didn't have a valid software signature.
That means essentially nothing, just that it doesn't come from a really big vendor.
I ran them anyway and had to reinstall Windows and go through the gigabyte-plus of updates.
So what virus was found?
albert
Posts: 6000
Joined: Sep 28, 2006 2:41
Location: California, USA

Re: Bad Mirror

Post by albert »

I followed this link from Dodicat's topic "StichUp" post, located here http://www.freebasic.net/forum/viewtopi ... =3&t=20083

http://www.freebasic-portal.de/download ... uilds.html

It came from either the FB 0.24 or the FBIDE 4.6r4; I installed them both at the same time.
The SourceForge mirror for FBIDE changes depending on whether you click "direct link" or wait for the auto-download to start.

My AVs couldn't find the virus, but MS Security Essentials warned me it might harm my computer, but didn't list a virus.

The virus does things with the mouse,
Like when you click the start button, it jumps the mouse to some other point on the screen.
The mouse speeds up and slows down and becomes hard to control.
You position the mouse over something and click it and it jumps to some other point on the screen.

At first I thought my touchpad had become too sensitive and adjusted it so it required a harder press to activate.
After I had adjusted it all the way to max pressure, I figured it must be a virus.

So I had to reinstall Windows from disk and go through all the last year's worth of MS updates and get everything reconfigured.
MOD
Posts: 555
Joined: Jun 11, 2009 20:15

Re: Bad Mirror

Post by MOD »

This is a German site and I'm pretty sure there's no virus in our packages, but we'll have a look.
Sebastian
Posts: 131
Joined: Jun 18, 2005 14:01
Location: Europe / Germany
Contact:

Re: Bad Mirror

Post by Sebastian »

from the Denmark mirror.
FreeBASIC-Portal.de does not provide any services (web hosting / mirroring, ...) to SourceForge. If you reached the site via the SourceForge mirror selection, it was definitely not FreeBASIC-Portal.de. Moreover, FreeBASIC-Portal.de is a German web site. Denmark is a different country (top level domain .dk) with a different language. ;-)

Are you sure there is a problem with FBIDE? Maybe VonGodric and Mysoft can investigate the issue?
MOD
Posts: 555
Joined: Jun 11, 2009 20:15

Re: Bad Mirror

Post by MOD »

FBIDE contains a patch file by Mysoft which is some kind of a hack. Here's the scan for it:
virustotal for FbIdeFix.dll

Our daily build also got some hits:
virustotal for FreeBASIC-win32-git-20120723.zip

Further testing brings up this:
virustotal for GoRC.exe

These are all false positives.
albert
Posts: 6000
Joined: Sep 28, 2006 2:41
Location: California, USA

Re: Bad Mirror

Post by albert »

@Marcov

You asked "So what virus was found?"

Microsoft Security Essentials couldn't find a virus in either download.
Comodo AV couldn't find a virus in either download.
AVG AV couldn't find a virus in either download.

But it's known that when your mouse or other hardware starts doing funny things,
you've either got an intermittent hardware problem or a virus of some sort. (After reinstalling Windows the problem went away.)

The AV companies only have signatures of found and examined viruses.
If it's a totally NEW virus, it won't get picked up by any AV until someone isolates it and reports its code signature.
Then the AV companies can add that signature into their databases.

If no one else reported the problem, it's possible that I picked it up just surfing the internet, but AVG scans every page and link before it allows it to display.
Gonzo
Posts: 722
Joined: Dec 11, 2005 22:46

Re: Bad Mirror

Post by Gonzo »

why ever did you bother formatting? google: how to remove any virus/trojan

whoever bothers to hack sourceforge, and replace software on it with trojans that move people's mouse (which btw is completely pointless, since even my grandmother will know something's up) should get a free-of-charge stay in the looney bin

in closing, whether or not you had a "virus" (which are almost extinct now) or a trojan, it definitely didn't come from the sourceforge file
i'm disappointed you didn't investigate further and provide any details.. pasting a heuristic match is completely pointless (god i hate AVs...)
instead you formatted and posted a complaint on the forums after the evidence is completely gone (if there was any)
*sigh*
albert
Posts: 6000
Joined: Sep 28, 2006 2:41
Location: California, USA

Re: Bad Mirror

Post by albert »

I don't know. Microsoft Security Essentials
scans every file I download and reports if it's safe or not.

In all my downloads, only the SourceForge FB and FBIDE ever posted any kind of warning.

Lately I'm getting message boxes that FBIDETEMP.EXE is trying to connect to the internet to address 92.242.144.10
When I did a whois on the number, I got the following.

IP Information for 92.242.144.10

IP Location: United Kingdom Belfast Barefruit Ltd.
ASN: AS45028
IP Address: 92.242.144.10
Reverse IP: 1 website uses this address. (example: jweb.eu)

NetRange: 92.0.0.0 - 92.255.255.255
CIDR: 92.0.0.0/8
OriginAS:
NetName: 92-RIPE
NetHandle: NET-92-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2007-03-27
Updated: 2009-05-18
Ref: http://whois.arin.net/rest/net/NET-92-0-0-0-1

OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2011-09-24
Ref: http://whois.arin.net/rest/org/RIPE

ReferralServer: whois://whois.ripe.net:43

OrgAbuseHandle: RNO29-ARIN
OrgAbuseName: RIPE NCC Operations
OrgAbusePhone: +31 20 535 4444
OrgAbuseEmail:
OrgAbuseRef: http://whois.arin.net/rest/poc/RNO29-ARIN

OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail:
OrgTechRef: http://whois.arin.net/rest/poc/RNO29-ARIN

== Additional Information From whois://whois.ripe.net:43 ==

inetnum: 92.242.128.0 - 92.242.159.255
netname: UK-BAREFRUIT-20071227
descr: Barefruit Ltd.
country: GB
org: ORG-BL53-RIPE
admin-c: PR42-RIPE
tech-c: PR42-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: CATALYST2-MNT
mnt-domains: CATALYST2-MNT
mnt-routes: CATALYST2-MNT
source: RIPE # Filtered

organisation: ORG-BL53-RIPE
org-name: Barefruit Ltd.
org-type: LIR
address: Barefruit Ltd.
Lindsay Dean
43 - 45 Charlotte Street
London W1T 1RS
United Kingdom
phone: +44 207 717 8675
fax-no: +44 207 717 8759
admin-c: PR42-RIPE
mnt-ref: CATALYST2-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

person: Paul Redpath
remarks: Catalyst2 Services Ltd
org: ORG-csl3-RIPE
address: Centre House
address: 79 Chichester Street
address: Belfast
address: BT1 4JE
phone: +44 800 107 7979
fax-no: +44 845 280 4993
abuse-mailbox:
mnt-by: CATALYST2-MNT
source: RIPE # Filtered
nic-hdl: PR42-RIPE
marcov
Posts: 3455
Joined: Jun 16, 2005 9:45
Location: Netherlands
Contact:

Re: Bad Mirror

Post by marcov »

albert wrote:@Marcov
You asked "So what virus was found?"

Microsoft Security Essentials couldn't find a virus in either download.
Comodo AV couldn't find a virus in either download.
AVG AV couldn't find a virus in either download.
That was my point, yes. What evidence do you have that there really was a virus involved?
But it's known that when your mouse or other hardware starts doing funny things,
you've either got an intermittent hardware problem or a virus of some sort. (After reinstalling Windows the problem went away.)
You forget the biggest category, software.
The AV companies only have signatures of found and examined viruses.
If it's a totally NEW virus, it won't get picked up by any AV until someone isolates it and reports its code signature.
Then the AV companies can add that signature into their databases.
Sure. But the chances of that are very slim. I also doubt they would try to break in a new virus by cracking an FB mirror and repacking archives.

So all you really have is a very meagre heuristic warning, false positives of which are very common for 3rd party development tools (just search the forum).
albert
Posts: 6000
Joined: Sep 28, 2006 2:41
Location: California, USA

Re: Bad Mirror

Post by albert »

@Marcov

Okay!!

But they also accessed my Linux drive through Windows and wiped out my list of mafia names I downloaded from the internet.

http://www.americanmafia2.com/crimeboard/index.php
http://www.lowchensaustralia.com/names/underground.htm
http://www.gangsterbb.net/threads/ubbth ... ber=616947

It may be Yahoo workers, since I use Yahoo Messenger.
But the problem started after I installed the FB 0.24 from the .de site and FBIDE 4.6.r4 ????

Since I got them off the internet and THEY ARE STILL THERE, why would someone bother hacking my computer to erase them???
marcov
Posts: 3455
Joined: Jun 16, 2005 9:45
Location: Netherlands
Contact:

Re: Bad Mirror

Post by marcov »

albert wrote:@Marcov
Going from improbable to downright esoteric paranoid schemes isn't going to help :-)

If you are in over your head, get help from some computer shop to clean up an infection, don't try to string random factoids together in a paranoid scheme.
dodicat
Posts: 7976
Joined: Jan 10, 2006 20:30
Location: Scotland

Re: Bad Mirror

Post by dodicat »

Hi Albert.
A couple of years ago I dual-booted Win 2000 with XP (which I was using).
Back then AVG could be installed from a single file which you could download,
i.e. you didn't have to go back online to complete an installation.
I had this AVG file on a pen drive; I installed Win 2000 and then AVG onto it.
I installed my modem from a driver file.
I then went online directly to Microsoft Update and brought Win 2000 up to date.
During the 15 minutes or so of updating, a virus called VIRUT got me.
When I rebooted, AVG told me so.
Then AVG got annihilated along with many more .exe and .com files by VIRUT.
It also crossed into my XP installation and wreaked havoc there.
I've never installed Win 2000 again.

Another thing which I believe causes problems is code like:

    dim as string s = "Hello"
    for z as integer = 0 to 500
        print s[z]   ' z runs far past the last valid index (4) of a 5-character string
    next z

I blame this for another catastrophe I had when working with big numbers.
I ended up with files and folders named like FreeBASIC code,
e.g.
INPU*@$.bas
or
FOR&$@CASE for a folder.
Some of these files were several GBytes in size.
Sebastian
Posts: 131
Joined: Jun 18, 2005 14:01
Location: Europe / Germany
Contact:

Re: Bad Mirror

Post by Sebastian »

There were a lot of problems with remotely caused Windows malware infections back in the days when home computers were directly attached to the Internet. Nowadays, it's common to use a NAT router (DSL, HFC, ...). This means that your LAN computers aren't accessible from the Internet unless you set up a port forwarding manually. Moreover, many ISPs block NetBIOS ports etc. on the Internet which were used for massive attacks.
But back in the days of dial-up connections (and DSL connections directly established using a modem plus a NIC / network interface card), it happened quite often that PCs were "naked" on the Internet without any effective firewall, thereby exposing all open ports and security holes to the net. So other infected machines on the net could use remote code execution exploits to attack your computer as soon as it dialed in to the Internet.
If you took an unpatched Windows 2000/XP system (without any service packs / updates installed and without a working firewall) and attached it directly to the Internet, you just had to wait a few seconds or at most a few minutes to have it infected by several worms...
Striking examples of this kind of malware are Opasoft, Sasser or Blaster.
Post Reply