
Information about ComboFix being infected and what you should do


63 replies to this topic

#1 Grinler

Posted 29 January 2013 - 11:34 AM

Please note that ComboFix is no longer infected and is safe to use.

Unfortunately it has come to light that the program ComboFix had a file in it that is infected with the Sality virus. The minute we heard about this, we pulled the executable so that it is no longer available from BleepingComputer.com. Unfortunately we have no control over other sites that may have mirrored ComboFix without permission, so please do not attempt to download it elsewhere.

The developer, sUBs, is currently looking into what happened and when I have a full update, I will be sure to let you know. From the limited information that I have, it appears that the affected version has been available since approximately 2am EST on January 29th, but it may have been earlier. If this timeframe changes, I will update this topic to let you know. If you have used ComboFix in the last day or so, then you should examine your system for possible infection. If you have used a copy of ComboFix prior to this version, then you should be ok.

SHA256 Hashes of known affected versions are:

4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d
e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8

In the meantime, it is important for those who may have used ComboFix recently and are concerned they are infected to get the help they need. As the Sality infection has been around for a while, almost all antivirus vendors will have detected it and blocked it when you ran ComboFix. Unfortunately, not everyone has up-to-date virus definitions or uses an AV program, so it is important to examine your system if you have used CF since 2am EST.

The steps we suggest you take to make sure your computer is not infected are:

All of these tools should be able to detect and remove Sality from your computer. Sality is also able to spread through mapped network drives and shares. If you share any folders on your network, you should perform the above steps on those computers as well.

If you need help with any of these steps, or would like us to check your computer, please feel free to ask us in the forums. You can either post in the Am I infected? forum or create a virus removal assistance topic in the Virus, Trojan, Spyware, and Malware Removal Logs forum using steps.

We are here to help you, so please do not hesitate to ask.

I sincerely apologize for any issues this may have caused and assure you that we will do our utmost to help anyone who may have been affected by this situation.

Lawrence Abrams
BleepingComputer.com



Edited by Grinler, 11 February 2013 - 02:17 PM.
Added Hashes



#2 Union_Thug

Posted 29 January 2013 - 12:39 PM

Got me, XP Virtual machine. :angry: Burning Kaspersky disc now, ESET blocked.

#3 Grinler

Posted 29 January 2013 - 01:07 PM

Added hashes of the known affected version to first post. Hashes can be found below as well:

SHA256: 4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
MD5: c71b0515ef1200755ae61a5c4c9e8a86
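One way to check a saved copy of the download against the digests in the first post and in this reply, as an added example that is not part of the thread. The script name is hypothetical, the folder it scans is whatever you point it at, and a non-match only means the copy is not one of the listed builds, so the scanning advice in the first post still applies.

```python
import hashlib
from pathlib import Path

# SHA256 digests of the affected ComboFix builds listed in the first post.
AFFECTED_SHA256 = {
    "4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333",
    "e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d",
    "e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8",
}
# MD5 of the first digest above, as given in reply #3.
AFFECTED_MD5 = {"c71b0515ef1200755ae61a5c4c9e8a86"}

def digests_bytes(data):
    """Return (sha256, md5) hex digests of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()

def digests_file(path, chunk=1 << 20):
    """Return (sha256, md5) hex digests, streamed so large files fit in memory."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            sha.update(block)
            md5.update(block)
    return sha.hexdigest(), md5.hexdigest()

def classify(sha256_hex, md5_hex=None):
    """'affected' if either digest is on the list, else 'not-listed'.
    'not-listed' is not a clean verdict: it only means the copy is not one
    of the builds named in the thread, so the scan advice still applies."""
    if sha256_hex.lower() in AFFECTED_SHA256:
        return "affected"
    if md5_hex is not None and md5_hex.lower() in AFFECTED_MD5:
        return "affected"
    return "not-listed"

def scan_tree(root, pattern="*.exe"):
    """Hash every file matching pattern under root (a download folder or a
    mapped share) and return {path: (verdict, sha256)}."""
    results = {}
    for path in Path(root).rglob(pattern):
        if path.is_file():
            sha, md5 = digests_file(path)
            results[str(path)] = (classify(sha, md5), sha)
    return results

if __name__ == "__main__":
    import sys
    # Usage: python check_combofix.py <folder>   (script name is hypothetical)
    for name, (verdict, sha) in sorted(scan_tree(sys.argv[1]).items()):
        print(f"{verdict:10} {sha}  {name}")
```

Run it against the folder you downloaded into and, as the first post notes, against any mapped network drives or shares the file may have reached.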

#4 oldpapa49

Posted 29 January 2013 - 01:25 PM

And I was just going to get it for someone here at work. Thanks for the heads up, I will wait. Good work BTW.

#5 lerr

Posted 29 January 2013 - 01:59 PM

This one is infected as well:

https://www.virustotal.com/file/e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d/analysis/

#6 john.doe

Posted 29 January 2013 - 02:08 PM

https://www.virustotal.com/file/4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333/analysis/
https://www.virustotal.com/file/e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8/analysis/

bye, andreas

#7 Grinler

Posted 29 January 2013 - 02:18 PM

Thanks for the additional hashes. I have added them to the first post.

#8 john.doe

Posted 29 January 2013 - 02:51 PM

Found this (clean) one at www.infospyware.net/antimalware/combofix/
https://www.virustotal.com/file/3965def066c781c02c20010c5b8c3e196a60e1451db39ea869849b9d645067e0/analysis/1359488639/

bye, andreas

#9 Grinler

Posted 29 January 2013 - 02:59 PM

That one does not look right. Shows as corrupt when I download it.

#10 1972vet

Posted 29 January 2013 - 03:57 PM

Since it's come up, I checked on a download from BC on the 19th:
https://www.virustotal.com/file/24c2352c64aeaa416d283c4724704b253133016381cfe25909eb31e178a8aefc/analysis/1359492318/

...I still have this file if sUBs wants to look at it.

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#11 Firefoxthebomb

Posted 29 January 2013 - 04:14 PM

I have a copy that I downloaded on 1-9-2013 @ 3:23PM; its hash is:

a646e1dc28eb83122202c414ec1edd5971a2774c1d34a31861791091e81eedc1

VirusTotal results HERE show 2/43.

If you want a copy of the file let me know.



Dell Precision T7500, Win7 Ultimate 64bit fully updated, McAfee Corp Edition v8.8,
Watchguard Firewall, Intel Xeon E5606CPU, Dual Quad Core Processors, 16GB Ram,
E5606 @ 2.13GHz, Nvidia Quadro NVS420, Raid-1 Dual 1TB Sata 10000 rpm Hard Drives
Dual DVD Burners, IE10, Opera, MBAM, MBSB, MBAE


#12 Grinler

Posted 29 January 2013 - 04:19 PM

That's ok. I am only concerned with files from the last 24 hours or so. Anything prior to that we know was clean.

CF will always have 1 or 2 hits on VT. It's the nature of the programs that are used.

This time is different though.

#13 AdvancedSetup

Posted 29 January 2013 - 07:20 PM

Most of the larger sites like Filehippo and MajorGeeks appear to reference BC to obtain the file.
Cnet though appears to host their own, but it does not appear to be the one infected with Sality.


b461b82d59cbc6625aa79376e033e1505e23d1020a66b89ee878a28b228b4405

3/46 VT results: Combofix from Cnet scan

Cnet download link

Edited by AdvancedSetup, 29 January 2013 - 07:51 PM.


#14 Grinler

Posted 29 January 2013 - 07:30 PM

Thanks advanced. Not sure what version it is, but that does not appear to be infected.

#15 1972vet

Posted 29 January 2013 - 07:50 PM

CNET seems to have issues of their own...I've had users complain more than once about that place. I steer folks away from there when they ask.
