Trojan detected in hMailServer-5.3-B1617.exe file

dl77
New user
Posts: 2
Joined: 2009-10-19 21:41

Post by dl77 » 2009-10-19 21:46

I downloaded hMailServer last Friday to try it out and everything seemed to be fine. Today, however, the PSW.Banker5.ZOY trojan was detected by an AVG virus scan in the .exe file that was still on my computer. After googling this trojan and updating my AVG virus scanner it no longer detected the trojan. Anyone else see this and have any idea what it means? I'm hoping it was a problem with the virus scanner and not an actual trojan in the file.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2009-10-19 22:05

Sounds like a false positive to me. Upload it to virustotal.com and see what they say.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2009-10-19 22:12

Seems McAfee and Panda have issues with it. I still think it's a false positive though.

Antivirus       Version   Last Update  Result
McAfee+Artemis  5776      2009.10.19   Artemis!43263F696E05
Panda           10.0.2.2  2009.10.19   Suspicious file
http://www.virustotal.com/analisis/ccf0 ... 1255982889
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

dl77
New user
Posts: 2
Joined: 2009-10-19 21:41

Post by dl77 » 2009-10-19 22:46

I got the same results as you from virustotal.com. Seems like a false positive but we'll have to use it at our own risk.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2009-10-20 00:42

It's "reported" that there are over 5000 new and modified viruses released every single day. The odds that you will get a virus are quite high unless you protect yourself. I take security of my servers and my home machines very seriously, and while this "threat" does seem to exist because 2 AV scanners say so, you should take it seriously. However, if hMail does contain an actual virus I'll eat my keyboard ;)

Best to wait for the official word regardless :)
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

roi
Normal user
Posts: 153
Joined: 2009-09-20 12:56
Location: Chiba, Japan

Post by roi » 2009-10-20 09:39

I was googling for PSW.Banker5.ZOY trojan but could not find anything meaningful on it. What kind of trojan is it? What does it do? What ports does it use? If anybody has a meaningful link to information on this trojan, it would be much appreciated. Thank you.
hMS: 5.2.1-B361 | DB: Internal MySQL from hMS 4.4 | OS: W2K3 1Gb VM

sheffters
Senior user
Posts: 453
Joined: 2009-07-01 20:46

Post by sheffters » 2009-10-20 10:34

Downloads page is offline as well ... so guess Martin's doing a fix :)

S.

martin
Developer
Posts: 6837
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2009-10-20 17:43

The download page is down until I've sorted it out.

martin
Developer
Posts: 6837
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2009-10-20 17:48

AVG reported all software generated by InnoSetup as viruses yesterday. This seems to have stopped now. According to other people, AVG fixed the issue in their scanner sometime late yesterday.

The McAfee Artemis still seems to report InnoSetup programs as viruses. The "normal" McAfee scanner doesn't seem to but the Artemis solution does. Artemis seems to be based on hashes of files, rather than the actual content. So maybe Artemis is just lagging behind. I've contacted McAfee but since I haven't received any feedback I'll run some tests here.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2009-10-20 17:54

I tell you I am getting really annoyed with AVG lately. This is the second time in as many months they have screwed up.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

martin
Developer
Posts: 6837
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2009-10-20 17:55

I just uploaded it to VirusTotal again and asked for a rescan. Panda no longer complains over it.

To be fair; we can't be 100% sure yet. McAfee still reports it as a problem...
Also, AVG wasn't the only one who at this point says it was a false positive...

martin
Developer
Posts: 6837
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2009-10-20 18:01

If you replace a single byte of the setup executable content, the McAfee+Artemis scanner will no longer consider it to be a virus. I'm not sure, but I'm guessing McAfee+Artemis works by generating a short hash of the file content. Then it sends this hash to a central server, which checks whether the file is listed as problematic. When a single bit is flipped in the file, the hash becomes completely different and it won't match the file in the McAfee central database. So it doesn't look like McAfee actually scans the file for viruses but just checks whether it has been reported as a virus before. And since the hash was reported as a virus yesterday (but not any more), it could be that the hash just needs to be removed from the central database. (I'm far from sure about this, but reading their marketing blabber looks like it).
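
The hash-lookup behaviour guessed at in the post above, as an added example that is not part of the original thread and not McAfee's code: a verdict keyed only on a file digest follows one exact file, while a content check is unaffected by a one-bit change. The `HashReputation` class, the use of SHA-256, the sample bytes and the signature name are all assumptions constructed for illustration.

```python
import hashlib

def digest(data: bytes) -> str:
    # SHA-256 is an assumption; the post does not say which hash Artemis uses.
    return hashlib.sha256(data).hexdigest()

def flip_bit(data: bytes, offset: int, bit: int = 0) -> bytes:
    out = bytearray(data)
    out[offset] ^= 1 << bit
    return bytes(out)

def digest_bits_changed(a: bytes, b: bytes) -> int:
    return bin(int(digest(a), 16) ^ int(digest(b), 16)).count("1")

class HashReputation:
    """Hypothetical central database: verdicts are keyed by file digest only."""
    def __init__(self):
        self._flagged = {}
    def flag(self, data: bytes, label: str) -> None:
        self._flagged[digest(data)] = label
    def unflag(self, data: bytes) -> None:
        self._flagged.pop(digest(data), None)
    def lookup(self, data: bytes):
        return self._flagged.get(digest(data))  # None means "not listed"

def content_scan(data: bytes, signatures: dict) -> list:
    # Content-based check: looks at the bytes themselves, not their digest.
    return [name for name, pattern in signatures.items() if pattern in data]

# Constructed sample data, not a real installer or a real signature.
INSTALLER = b"MZ" + b"constructed installer stub " * 64 + b"payload-section"
SIGNATURES = {"Constructed.Stub": b"installer stub"}

def demo() -> dict:
    db = HashReputation()
    db.flag(INSTALLER, "Constructed!FalsePositive")  # the mistaken listing
    modified = flip_bit(INSTALLER, len(INSTALLER) - 1)
    result = {
        "original": db.lookup(INSTALLER),
        "one_bit_flipped": db.lookup(modified),
        "digest_bits_changed": digest_bits_changed(INSTALLER, modified),
        "scan_original": content_scan(INSTALLER, SIGNATURES),
        "scan_modified": content_scan(modified, SIGNATURES),
    }
    db.unflag(INSTALLER)  # vendor removes the entry from the database
    result["after_removal"] = db.lookup(INSTALLER)
    return result

if __name__ == "__main__":
    print(demo())
```

In this model the listing clears for the unmodified file only once the entry is removed from the database, which matches the outcome reported later in the thread.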

naveedm1
New user
Posts: 6
Joined: 2009-10-22 20:13

Post by naveedm1 » 2009-10-22 21:14

Hi, I am not sure if there is a virus or not, but I have to reinstall the software again and again to get it to work. My server was working all fine until I upgraded to hMailServer-5.2.1-B361. It is an older version. Now computers cannot connect to the mail server until I reinstall the software every other day.

Now the interesting part is users can log into their accounts via SquirrelMail but access to the server via Outlook is not possible until I reinstall the software. Any advice on this?

Can you please provide me the older version so I can remove this one till you resolve the virus issues.
Please note my server was working fine for a year until I upgraded to this version.

Martin, thanks for your email. I am going to take a chance and update it to 5.3-B1617.
Thanks for your help.
Last edited by naveedm1 on 2009-10-22 21:21, edited 1 time in total.

martin
Developer
Posts: 6837
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2009-10-22 21:17

That problem isn't caused by any virus. If your users can connect when using SquirrelMail but not when using Outlook, it sounds more like a firewall or configuration problem than anything else. If you enable IMAP logging, try to connect and see if anything appears in the log, that may be a good place to start.

You can access the older versions here:
http://www.hmailserver.com/?page=download_archive

martin
Developer
Posts: 6837
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2009-10-22 22:24

The download page is up again now. McAfee came back to me a short while ago and confirmed that it was a mistake on their side.

None of the scanners at http://www.virustotal.com/ or http://virscan.org/ says there's a problem now.

Analysis results:
http://www.virustotal.com/sv/analisis/c ... 1256242752
http://virscan.org/report/069ef3f11c0f6 ... 01b68.html

(not sure how permanent they are, the links may stop working at any time)

Fun stuff to spend time on... :roll:

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2009-10-22 23:08

Seee told ya ;)
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

roi
Normal user
Posts: 153
Joined: 2009-09-20 12:56
Location: Chiba, Japan

Post by roi » 2009-10-23 02:07

Congratulations... and many thank you's for all your hard work to sort this out.
hMS: 5.2.1-B361 | DB: Internal MySQL from hMS 4.4 | OS: W2K3 1Gb VM

Slug
Moderator
Posts: 1369
Joined: 2005-03-13 05:42
Location: Sydney Australia

Post by Slug » 2009-10-23 10:28

I found the "time taken" on the right hand side interesting ... I wonder if you can draw any conclusions from this ?

Some scanners seem to have taken a rather long time to scan the file.
Missing Hmailserver ... Now running Debian servers

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2009-10-23 12:07

Probably busy servers.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

martin
Developer
Posts: 6837
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2009-10-23 18:07

Aside from busy servers, maybe they have good integrations with some scanners and bad with others. Compare it to hMailServer's integration with Clam. There are ten different ways to do it, and each gives different performance.

westdam
Senior user
Posts: 728
Joined: 2006-08-01 21:24
Location: Padova, Italy

Post by westdam » 2009-10-26 12:36

damn it's true!! :D

martin
Developer
Posts: 6837
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2009-10-26 18:49

What is true?!

Slug
Moderator
Posts: 1369
Joined: 2005-03-13 05:42
Location: Sydney Australia

Post by Slug » 2009-10-28 17:15

westdam is ... :wink:
Missing Hmailserver ... Now running Debian servers

westdam
Senior user
Posts: 728
Joined: 2006-08-01 21:24
Location: Padova, Italy

Post by westdam » 2009-10-28 17:25

:lol:
hehe sorry for the mess!
