[tor-talk] Tor v4.5.3 infected??
oric
2015-07-05 13:30:15 UTC
Hi guys,
I want to report a virus infection when upgrading to Tor v4.5.3. Maybe it
is due to DNS, I don't know. I am not such an expert.
Please look at my comment below which I sent for publication on the
Torproject website. Contact me at this email address if necessary.

Oric.

===================================
ATTENTION:
***************
Hello,
using Tor v4.5.1, I was requested to update with v4.5.3. I accepted and
while the update was performed, my GData antivirus reported an infection,
with keylogger tools trying to be installed (see log details below).
Hmmm, it can be that the DNS-name was re-routed to a fake, I am not quite
sure. Well, I disconnected from internet, performed several scans, it seems
the infection could be stopped. I re-installed v4.5.1 and will not perform
any more updates!!
I just want to let the community know.

The log is in French, so what it says in substance is (part "actions"):
This program (updater.exe) executed actions in the name of another program
The program executes a connection to the network
The program records all keyboard inputs
An unknown process has been consulted
The program started another program in order to deactivate itself
==============================
Log details here below (in French sorry):
==============================
*** Processus ***

Processus: 5212
Nom de fichier: updater.exe
Chemin d'accès:
c:\users\olivier\appdata\local\temp\mozupdater\bgupdate\updater.exe

Éditeur: Editeur inconnu

Démarrage à partir de: firefox.exe
Éditeur: Editeur inconnu

*** Actions ***

Ce programme a exécuté des actions au nom d'un autre programme.
Le programme génère une connexion à travers un réseau.
Le programme enregistre toutes les entrées clavier.
Un processus inconnu a été consulté.
Le programme a créé ou manipulé un fichier exécutable.
Le programme a lancé un autre programme de manière à se désactiver.

*** Quarantaine ***

Les fichiers suivants ont été envoyés en quarantaine:
C:\Users\olivier\AppData\Local\Temp\MozUpdater\bgupdate\updater.exe
c:\users\olivier\appdata\local\microsoft\windows\appsfolder.itemdata-ms
c:\users\olivier\appdata\local\microsoft\windows\appsfolder.itemdata-ms.bak
c:\users\olivier\appdata\local\microsoft\windows\appsfolder.itemdata-ms.new
c:\users\olivier\appdata\local\microsoft\windows\appsfolder.itemdata-ms~rfc396ba7.tmp
c:\users\olivier\appdata\local\microsoft\windows\explorer\iconcache_idx.db
d:\logiciels\tor browser\browser\browser\components\browsercomps.dll.moz-backup
d:\logiciels\tor browser\browser\firefox.exe.moz-backup
d:\logiciels\tor browser\browser\freebl3.dll.moz-backup
d:\logiciels\tor browser\browser\gkmedias.dll.moz-backup
d:\logiciels\tor browser\browser\libegl.dll.moz-backup
d:\logiciels\tor browser\browser\libglesv2.dll.moz-backup
d:\logiciels\tor browser\browser\mozalloc.dll.moz-backup
d:\logiciels\tor browser\browser\mozglue.dll.moz-backup
d:\logiciels\tor browser\browser\mozjs.dll.moz-backup
d:\logiciels\tor browser\browser\nss3.dll.moz-backup
d:\logiciels\tor browser\browser\nssdbm3.dll.moz-backup
d:\logiciels\tor browser\browser\nssutil3.dll.moz-backup
d:\logiciels\tor browser\browser\plugin-container.exe.moz-backup
d:\logiciels\tor browser\browser\plugin-hang-ui.exe.moz-backup
d:\logiciels\tor browser\browser\smime3.dll.moz-backup
d:\logiciels\tor browser\browser\softokn3.dll.moz-backup
d:\logiciels\tor browser\browser\ssl3.dll.moz-backup
d:\logiciels\tor browser\browser\torbrowser\data\browser\caches\firefox\updates\0\updater.exe
d:\logiciels\tor browser\browser\torbrowser\data\browser\profile.default\extensions\***@lastpass.com\platform\winnt_x86_64-msvc\components\lpxpcom_x86_64.dll
d:\logiciels\tor browser\browser\torbrowser\data\browser\profile.default\extensions\trash\***@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
d:\logiciels\tor browser\browser\torbrowser\data\browser\profile.default\extensions\trash\***@lastpass.com\platform\winnt_x86_64-msvc\components\lpxpcom_x86_64.dll
d:\logiciels\tor browser\browser\torbrowser\data\browser\profile.default\telemetry.failedprofilelocks.txt
d:\logiciels\tor browser\browser\torbrowser\docs\changelog.txt
d:\logiciels\tor browser\browser\torbrowser\tor\tor.exe.moz-backup
d:\logiciels\tor browser\browser\updater.exe.moz-backup
d:\logiciels\tor browser\browser\xul.dll.moz-backup
f:\mes_docs\_appdata_windows\roaming\stardock\fences\troubleshootinglog\fences_debug_info.txt

Les entrées de registre suivantes ont été supprimées:

YGLRebIJKycoJiYnCC0nu2JicrILLie5LCfYcpL4cCp0gmJiQicIt3KCYmJygpArFp0nuZAuJygmJicIynKCYmJygqAtJycmJicHa3KiYmJyorApJyomJicKrHLCYmJywsAvJ+hiYnKCDpcmJygmJicIlycnKCYmJwinKxnpNWYrKRldY7ZykpFeY7aCcHtyonJycpJw23JyYmJycnD7cqJiYnKicOxygmJicoJw/HKCYmJygnCOcnIK9ycnKiYmJwr3LCcpJiYnCfcvJykmJicJaCknCAA
Version des règles: 5.0.57
OS: Windows 6.2 Service Pack 0.0 Build: 9200 - Workstation 64bit OS
Version de la bibliothèque de liens dynamiques : 51504

C:\Users\olivier\AppData\Local\Temp\MozUpdater\bgupdate\updater.exe
"D:\Logiciels\Tor Browser\Browser\TorBrowser\Data\Browser\Caches\firefox\updates\0" "D:\Logiciels\Tor Browser\Browser\updated" 7016/replace "d:\Logiciels\Tor Browser\Browser" "D:\Logiciels\Tor Browser\Browser\firefox.exe"
MD5:
"D:\Logiciels\Tor Browser\Browser\firefox.exe"
MD5:
--
tor-talk mailing list - tor-***@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torprojec
Roger Dingledine
2015-07-05 17:55:11 UTC
Post by oric
I want to report a virus infection when upgrading to Tor v4.5.3.
It sounds likely to be a false positive:
https://www.torproject.org/docs/faq#VirusFalsePositives
Post by oric
I re-installed v4.5.1 and will not perform
any more updates!!
That is a very bad idea. Then you'll be running an old browser with
known old problems.

Good luck,
--Roger
oric
2015-07-05 19:12:59 UTC
Hmm, I actually did not know false positives could exist, probably due to
the antivirus-heuristic algorithm.
Thanks for your reply!

Oric
Moritz Bartl
2015-07-05 21:31:55 UTC
Post by oric
I want to report a virus infection when upgrading to Tor v4.5.3.
This is highly unlikely to be a "virus infection". Based on the report,
Post by oric
This program (updater.exe) executed actions in the name of another program
The program executes a connection to the network
The program records all keyboard inputs
An unknown process has been consulted
The program started another program in order to deactivate itself
These actions can well serve as a warning, but can also be legitimate,
as in this case.
--
Moritz Bartl
https://www.torservers.net/
oric
2015-07-05 22:05:13 UTC
ok, thanks for all the help :).
I upgraded again to v4.5.3 and no warning message anymore. In between my
antivirus downloaded a new set of signatures, which can explain it.
ciao
Oric