VLC Win32 binary is infected with Troj/Momma-B virus

Sam Hart hart at physics.arizona.edu
Thu Jun 6 17:15:58 CEST 2002


On Thu, 6 Jun 2002, Samuel Hocevar wrote:

> On Thu, Jun 06, 2002, Sam Hart wrote:
> > I've been a long time user of the Linux VLC, but I just downloaded the 
> > Win32 client to try it out on a machine here at my work, and I discovered 
> > that the Win32 VLC binary installation package (current release:
> > http://www.videolan.org/pub/videolan/vlc/0.4.1/win32/vlc-0.4.1-win32.exe ) 
> > is infected with the Troj/Momma-B Trojan type Win32 virus.
> 
>    I have a serious doubt about this claim. The installation package is
> built under Linux using Wine, configured to not use any Windows DLL,
> which draws the risk of infecting command.exe or anything.dll to almost
> zero. Windows isn't even installed on the build box.
> 
>    To make sure I traced all system calls of a fresh installation
> of vlc 0.4.1 and checked all file creation attempts and registry
> entry insertions, and I found nothing like specified on sophos.com or
> mcafee.com. Xav also checked with a Windows antivirus, and found nothing
> either.
> 
>    Could you please double check that nothing could have possibly
> altered the vlc binary you downloaded?

I just checked on a different machine, and get the same warning:
Virus:  'Troj/Momma-B' detected in C:\temp\delme\vlc-0.4.1-win32.exe
        No action taken 

This machine was a virgin install of Win2k (I just did the install 
yesterday) and has a fresh, untainted (to the best of my knowledge as it 
comes fresh from Sophos) Sophos AV installed.

Note that this isn't the VLC binary itself, just the Installer (which is 
the Nullsoft NSIS installer, if I'm not mistaken) that's infected with the 
Trojan. I'm assuming where-ever it's ultimately packaged is a Win32 
machine, and that's where the virus is coming from.

Also note that this is a fairly new Trojan. Sophos announced an IDE for it 
on May 21st (so, less than two weeks ago).

-- 
Sam Hart
University/Work addr. <hart at physics.arizona.edu>
Personal addr. <criswell at geekcomix.com>




-- 
This is the vlc-devel mailing-list, see http://www.videolan.org/vlc/
To unsubscribe, please read http://www.videolan.org/lists.html
If you are in trouble, please contact <postmaster at videolan.org>


