[vlc] Trojan in new release of VLC

David Martin cvk1812 at hotmail.com
Thu Jul 22 10:16:13 CEST 2010


This is critical to VLC users, but the problem has not been addressed although it has been mentioned on the VLC forums at:

http://forum.videolan.org/viewtopic.php?f=14&t=79856

The problem is that certain virus scanners show a trojan in the newest VLC Windows installer, the file vlc-1.1.1-win32.exe which is available by clicking the download link at the main VLC page here:

http://www.videolan.org/vlc/

After downloading the file, several users have received warnings from Kaspersky Anti Virus that the file contains the trojan "Trojan.Win32.TDSS.bjam".

I have submitted the file to two different online file scanners. These sites use a variety of anti-virus engines to scan the submitted file, and report the results. Here are the results:

1. http://virscan.org/report/40d28a66fb5994fe994a38062c2313b6.html

This site scans the file with 36 different engines, one of which reports the presence of a trojan:

The Hacker 6.5.2.1 v00322 Trojan/TDSS.binb

2. https://www.virustotal.com/analisis/9d5add2413b963232efda5107582fbae9993e25f95f40669fa145799d709ee49-1279775019

Antiy-AVL 2.0.3.7 Trojan/Win32.TDSS.gen
Kaspersky 7.0.0.125 Trojan.Win32.TDSS.bjam
TheHacker 6.5.2.1.322 Trojan/TDSS.binb

Additionally, the Symantec File Insight service flags the file as "suspicious" though it does not report a virus or trojan.

Note that all scanners which detect the trojan report it as a version of TDSS. This makes me think that it's not just random heuristic scan errors. Either the trojan is actually present, or else something in the file is very similar to this trojan, and therefore the file is flagged. Since it's being flagged by 3 separate engines (and marked as suspicious by a 4th), I think this problem should be taken seriously by the developers.

I looked up the TDSS trojan on Google, and apparently it is some sort of rootkit, which makes detection by the usual virus scanners even more difficult. So that might explain why more virus scanners don't detect it.

I'd like the VLC people to seriously address this issue. Spreading infected files to millions of users is very irresponsible behavior. If these are false flags and the file is not infected, then they need to explicitly say so.

Also, I am wondering why the main download page contains no information about the MD5 or SHA1 hashes. I think this is useful information in tracking the file and should be mentioned on both the VLC link and the actual download page on SourceForge.

Thanks.

-DM