WinSCP v5.13.3 Setup Contained a Virus

Advertisement

tpmoore56
Joined:
Posts:
1
Location:
Arizona

WinSCP v5.13.3 Setup Contained a Virus

I'm running WinSCP v5.13.2 and when I launched it today I received a pop-up asking if I wanted to update to v5.13.3 so I clicked yes to upgrade. I downloaded the exe and my McAfee Anti-virus popped the message "WinSCP-5.13.3-Setup.exe contained a virus and was deleted." (see attachment) Please advise.
  • WinSCP 5.13.3 Setup.exe contains virus message.docx (239.68 KB, Private file)

Reply with quote

Advertisement

AlinaBP
Guest

VirusTotal detection

VirusTotal shows one detection as W32.HfsIemusi. What is it? Hybrid analysis mentions "is-I5CV6.tmp" file as malicious. Why is this?

Reply with quote

sparx
Joined:
Posts:
2
Location:
United States

Re: VirusTotal detection

AlinaBP wrote:

VirusTotal shows one detection as W32.HfsIemusi. What is it? Hybrid analysis mentions "is-I5CV6.tmp" file as malicious. Why is this?

I see variable malicious indicators from 32-bit and 64-bit hybrid-analysis runs, including indicators for Occamy and Sality Trojans. The primary malicious hits are for what looks like partial executables from multiple sources, which are getting reassembled. The analysis is full of real-world red flags for suspect behavior as well. It looks like some sort of delivery optimization may be pulling in malicious components. The executable itself appears almost clean except that one detection, but once the installer runs, things go off the rails with AV hits from multiple vendors.

https://www.hybrid-analysis.com/sample/58eeeb8454b8a7d194e3b58a1d6f2fb501906b8f1c3f2716a4a6d15e16164b86

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,518
Location:
Prague, Czechia

Re: VirusTotal detection

AlinaBP wrote:

VirusTotal shows one detection as W32.HfsIemusi. What is it? Hybrid analysis mentions "is-I5CV6.tmp" file as malicious. Why is this?
sorry, but we cannot answer why one particular antivirus software decided to mark WinSCP as a virus. But you can see yourself, that it just 1 AV out of 67. It happens from time to time, as you can see above and at:
https://winscp.net/tracker/530

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
41,518
Location:
Prague, Czechia

Re: VirusTotal detection

sparx wrote:

I see variable malicious indicators from 32-bit and 64-bit hybrid-analysis runs, including indicators for Occamy and Sality Trojans. The primary malicious hits are for what looks like partial executables from multiple sources, which are getting reassembled. The analysis is full of real-world red flags for suspect behavior as well. It looks like some sort of delivery optimization may be pulling in malicious components. The executable itself appears almost clean except that one detection, but once the installer runs, things go off the rails with AV hits from multiple vendors.

https://www.hybrid-analysis.com/sample/58eeeb8454b8a7d194e3b58a1d6f2fb501906b8f1c3f2716a4a6d15e16164b86
Thanks for your post.
What "real-world red flags" are you referring to?
Out of that report, only "Writes data to a remote process" is something, I do not have an explanation for. And only because that flag is too vague to me.
The rest is just a common behavior of an installer.

Reply with quote

sparx
Joined:
Posts:
2
Location:
United States

Re: VirusTotal detection

Yes you are quite right, and I apologize for making too much of this.
The malicious indicators are much less relevant in the context of an installer, and the specifics details mostly are clear enough to show nothing odd is going on within that context. Remote

I was just plain mistaken about multiple AV hits. The extra hits are for the history of the teamforge.net server, which of course has hosted other code by many people.

The sum of many installation techniques that are individually no problem, combined with the server hit, is what appears to have caused the 100% confidence level of the automated analysis.

Shallow automated analysis is still an important first line of defense for those of us who need to manage thousands of packages. It would be helpful to have a FAQ explaining behavioral hits that are likely from third-party scanners. I’d be willing to contribute to that, with better vetting of my own statements before bugging you.

Reply with quote

Sam94105
Guest

VirusTotal BKAV reported latest version WinSCP-5.13.4-Setup.exe to have W32.HfsIemusi maleware!

Are these false positives or are there actually malware in your software?

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
41,518
Location:
Prague, Czechia

Re: VirusTotal BKAV reported latest version WinSCP-5.13.4-Setup.exe to have W32.HfsIemusi maleware!

Sam94105 wrote:

Are these false positives or are there actually malware in your software?
It's only one (and minor one) AV out of 67 that claims a problem:
https://www.virustotal.com/gui/file/e0f90a21dbdf8a01b7e954ac93c4ef8e0d43c5b1adc36b386b422e3f38d8d14a
That's not even worthy consideration, imo.

Reply with quote

evanit
Joined:
Posts:
1

Domains?

Just curious...the Joe Sandbox Analysis test lists a bunch of domains (Facebook, Walmart, Doubleclick.net, etc.).

Is the installer actually reaching out to those?

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,518
Location:
Prague, Czechia

Re: Domains?

evanit wrote:

Just curious...the Joe Sandbox Analysis test lists a bunch of domains (Facebook, Walmart, Doubleclick.net, etc.).

Is the installer actually reaching out to those?
No idea where they took that from. WinSCP nor its installer do not refer any of those. Maybe they mean that winscp.net site links those. It does for sure link Facebook. Sites like Walmart can possibly be linked in advertisement.

Reply with quote

Advertisement

You can post new topics in this forum