Trojan detected in hMailServer-5.3-B1617.exe file
I downloaded hMailServer last Friday to try it out and everything seemed to be fine. Today, however, the PSW.Banker5.ZOY trojan was detected by an AVG virus scan in the .exe file that was still on my computer. After googling this trojan and updating my AVG virus scanner it no longer detected the trojan. Anyone else see this and have any idea what it means? I'm hoping it was a problem with the virus scanner and not an actual trojan in the file.
Re: Trojan detected in hMailServer-5.3-B1617.exe file
Sounds like a false positive to me. Upload it to virustotal.com and see what they say.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
Re: Trojan detected in hMailServer-5.3-B1617.exe file
Seems McAfee and Panda have issues with it. I still think it's a false positive though.
http://www.virustotal.com/analisis/ccf0 ... 1255982889
Antivirus        Version    Last Update   Result
McAfee+Artemis   5776       2009.10.19    Artemis!43263F696E05
Panda            10.0.2.2   2009.10.19    Suspicious file
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
Re: Trojan detected in hMailServer-5.3-B1617.exe file
I got the same results as you from virustotal.com. Seems like a false positive but we'll have to use it at our own risk.
Re: Trojan detected in hMailServer-5.3-B1617.exe file
It's "reported" that there are over 5000 new and modified viruses released every single day. The odds that you will get a virus are quite high unless you protect yourself. I take security of my servers and my home machines very seriously, and while this "threat" does seem to exist because 2 AV scanners say so, then you should take it seriously; however, if hMail does contain an actual virus I'll eat my keyboard
Best to wait for the official word regardless

If at first you don't succeed, bomb disposal probably isn't for you! ヅ
Re: Trojan detected in hMailServer-5.3-B1617.exe file
I was googling for PSW.Banker5.ZOY trojan but could not find anything meaningful on it. What kind of trojan is it? What does it do? What ports does it use? If anybody has a meaningful link to information on this trojan, it would be much appreciated. Thank you.
hMS: 5.2.1-B361 | DB: Internal MySQL from hMS 4.4 | OS: W2K3 1Gb VM
Re: Trojan detected in hMailServer-5.3-B1617.exe file
Downloads page is offline as well ... so guess Martin's doing a fix
S.

Re: Trojan detected in hMailServer-5.3-B1617.exe file
The download page is down until I've sorted it out.
Re: Trojan detected in hMailServer-5.3-B1617.exe file
AVG reported all software generated by InnoSetup as viruses yesterday. This seems to have stopped now. According to other people, AVG fixed the issue in their scanner sometime late yesterday.
The McAfee Artemis still seems to report InnoSetup programs as viruses. The "normal" McAfee scanner doesn't seem to but the Artemis solution does. Artemis seems to be based on hashes of files, rather than the actual content. So maybe Artemis is just lagging behind. I've contacted McAfee but since I haven't received any feedback I'll run some tests here.
Re: Trojan detected in hMailServer-5.3-B1617.exe file
I tell you, I am getting really annoyed with AVG lately. This is the second time in as many months they have screwed up.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
Re: Trojan detected in hMailServer-5.3-B1617.exe file
I just uploaded it to VirusTotal again and asked for a rescan. Panda no longer complains over it.
To be fair, we can't be 100% sure yet. McAfee still reports it as a problem...
Also, AVG wasn't the only one who at this point says it was a false positive...
Re: Trojan detected in hMailServer-5.3-B1617.exe file
If you replace a single byte of the setup executable content, the McAfee+Artemis scanner will no longer consider it to be a virus. I'm not sure, but I'm guessing McAfee+Artemis works by generating a short hash of the file content. Then it sends this hash to a central server, which checks whether the file is listed as problematic. When a single bit is flipped in the file, the hash becomes completely different and it won't match the file in the McAfee central database. So it doesn't look like McAfee actually scans the file for viruses but just checks whether it has been reported as a virus before. And since the hash was reported as a virus yesterday (but not any more), it could be that the hash just needs to be removed from the central database. (I'm far from sure about this, but reading their marketing blabber looks like it).
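Added example (not part of the original post and not any vendor's code): a small Python model of the hash-lookup behaviour guessed at in the post above, showing that such a verdict identifies one exact file rather than its content and clears once the vendor retracts the hash. `ReputationDB`, the choice of SHA-256, the label and the sample bytes are assumptions made for illustration.

```python
import hashlib

def file_hash(data: bytes) -> str:
    # SHA-256 is an assumption; the thread does not say which hash is used.
    return hashlib.sha256(data).hexdigest()

class ReputationDB:
    """Hypothetical stand-in for a vendor's central list of flagged hashes."""

    def __init__(self):
        self._flagged = {}

    def flag(self, digest: str, label: str) -> None:
        self._flagged[digest] = label

    def retract(self, digest: str) -> None:
        self._flagged.pop(digest, None)

    def lookup(self, digest: str):
        # Exact-match lookup: returns the label, or None if the hash is unlisted.
        return self._flagged.get(digest)

def flip_bit(data: bytes, offset: int, bit: int = 0) -> bytes:
    out = bytearray(data)
    out[offset] ^= 1 << bit
    return bytes(out)

def differing_bits(hex_a: str, hex_b: str) -> int:
    # Number of digest bits that differ between two hex digests.
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def demo() -> dict:
    installer = b"MZ" + b"constructed installer bytes " * 64  # constructed sample
    db = ReputationDB()
    original = file_hash(installer)
    db.flag(original, "SAMPLE-FLAG")  # constructed label
    changed = file_hash(flip_bit(installer, 100))
    result = {
        "original": db.lookup(original),            # listed: exact hash match
        "one_bit_changed": db.lookup(changed),      # unlisted: different hash
        "digest_bits_changed": differing_bits(original, changed),
    }
    db.retract(original)                            # vendor removes the entry
    result["after_retraction"] = db.lookup(original)
    return result

if __name__ == "__main__":
    print(demo())
```

In this model the file's bytes never change between the flagged and cleared verdicts; only the central list does, which matches a false positive being resolved on the vendor's side.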
Re: Trojan detected in hMailServer-5.3-B1617.exe file
Hi, I am not sure if there is a virus or not, but I have to reinstall the software again and again to get it to work. My server was working all fine until I upgraded to hMailServer-5.2.1-B361. It is an older version. Now computers cannot connect to the mail server until I reinstall the software every other day.
Now the interesting part is users can log into their accounts via SquirrelMail, but access to the server via Outlook is not possible until I reinstall the software. Any advice on this?
Can you please provide me the older version so I can remove this one till you resolve the virus issues.
Please note my server was working fine for a year until I upgraded to this version.
Martin, thanks for your email. I am going to take a chance and update it to 5.3-B1617.
Thanks for your help.
Last edited by naveedm1 on 2009-10-22 21:21, edited 1 time in total.
Re: Trojan detected in hMailServer-5.3-B1617.exe file
That problem isn't caused by any virus. If your users can connect when using SquirrelMail but not when using Outlook, it sounds more like a firewall or configuration problem than anything else. If you enable IMAP logging, try to connect and see if anything appears in the log, that may be a good place to start.
You can access the older versions here:
http://www.hmailserver.com/?page=download_archive
Re: Trojan detected in hMailServer-5.3-B1617.exe file
The download page is up again now. McAfee came back to me a short while ago and confirmed that it was a mistake on their side.
None of the scanners at http://www.virustotal.com/ or http://virscan.org/ says there's a problem now.
Analysis results:
http://www.virustotal.com/sv/analisis/c ... 1256242752
http://virscan.org/report/069ef3f11c0f6 ... 01b68.html
(not sure how permanent they are, the links may stop working at any time)
Fun stuff to spend time on...

Re: Trojan detected in hMailServer-5.3-B1617.exe file
Seee told ya 

If at first you don't succeed, bomb disposal probably isn't for you! ヅ
Re: Trojan detected in hMailServer-5.3-B1617.exe file
Congratulations... and many thank you's for all your hard work to sort this out.
hMS: 5.2.1-B361 | DB: Internal MySQL from hMS 4.4 | OS: W2K3 1Gb VM
Re: Trojan detected in hMailServer-5.3-B1617.exe file
I found the "time taken" on the right hand side interesting ... I wonder if you can draw any conclusions from this ?
Some scanners seem to have taken a rather long time to scan the file.
Missing Hmailserver ... Now running Debian servers
Re: Trojan detected in hMailServer-5.3-B1617.exe file
Probably busy servers.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
Re: Trojan detected in hMailServer-5.3-B1617.exe file
Aside from busy servers, maybe they have good integrations with some scanners and bad with others. Compare it to hMailServer's integration with Clam. There's ten different ways to do it, and each gives different performance.
Re: Trojan detected in hMailServer-5.3-B1617.exe file
damn it's true!! 

Re: Trojan detected in hMailServer-5.3-B1617.exe file
What is true?!
Re: Trojan detected in hMailServer-5.3-B1617.exe file
westdam is ... 

Missing Hmailserver ... Now running Debian servers
Re: Trojan detected in hMailServer-5.3-B1617.exe file

hehe sorry for the mess!