[Qemu-devel] virus in colibriOS QEMU iso?
From: vilcadam
Date: 2016-12-22 17:37 UTC
To: qemu-devel

Hi, just letting you know that Avira found some crypto-locker virus in
the ColibriOS iso that you featured in QEMU Advent Calendar 2016. Maybe
you should look into that. I am not sure if it’s a false positive or
not. You can check the attachment for a screenshot of the result.

Have a nice day!

[-- Attachment #2: 6CDE2142E16A484D94C64BF1A1C2185F.png --]
[-- Type: image/png, Size: 114526 bytes --]
Re: [Qemu-devel] virus in colibriOS QEMU iso?
From: Thomas Huth
Date: 2016-12-23 8:30 UTC
To: vilcadam, qemu-devel, Kashyap Chamarthy

On 22.12.2016 18:37, vilcadam@gmail.com wrote:
> Hi, just letting you know that Avira found some crypto-locker virus in
> ColibriOS iso that you featured in QEMU Advent Calendar 2016. Maybe you
> should look into that. I am not sure if it’s a false positive or not.
> You can check the attachment for a screenshot of the result.

That sounds ugly ... I think we just packaged the .iso from the official
KolibriOS website here (Kashyap, can you confirm?), so if this is not
just a false positive, the problem very likely comes from there.

If you've got some spare minutes, could you maybe check the download
from http://kolibrios.org/en/download , too?

As far as I can see, there should not be any real danger here unless you
put the .iso file onto a real CD-ROM or USB stick and start the .exe
files in there (which is of course not necessary for starting a VM with
the .iso file). But anyway, this needs some closer investigation, to see
whether it's a false positive or not, so I've disabled that download for
now. We'll let you know when we know more ...

Thanks for reporting the issue!

 Thomas
Re: [Qemu-devel] virus in colibriOS QEMU iso?
From: Kashyap Chamarthy
Date: 2016-12-23 9:20 UTC
To: Thomas Huth; Cc: vilcadam, qemu-devel, Kashyap Chamarthy

[...]

> On 22.12.2016 18:37, vilcadam@gmail.com wrote:
> > Hi, just letting you know that Avira found some crypto-locker virus in
> > ColibriOS iso that you featured in QEMU Advent Calendar 2016. Maybe you
> > should look into that. I am not sure if it’s a false positive or not.. You
> > can check the attachment for a screenshot of the result.
>
> That sounds ugly ...

That sounds super ugly indeed :-(

> I think we just packaged the .iso from the official
> KolibriOS website here (Kashyap, can you confirm?),

Yes, I can confirm that I have downloaded the ISO from the official
website -- it's a nightly build of their SVN revision 6766.

These are local notes on preparing sources from the day I made the image
(where the SVN revision was at 6766):

============
$ svn checkout svn://kolibrios.org -r 6766

$ svn log | head -5
------------------------------------------------------------------------
r6766 | IgorA | 2016-11-26 23:57:24 +0100 (Sat, 26 Nov 2016) | 1 line

fix bugs

$ du -sh ../sources-kolibrios/
1.4G ../sources-kolibrios/

$ du -sh .svn/
662M .svn/

$ rm -rf .svn

$ du -sh ../sources-kolibrios-rev-6766/
691M ../sources-kolibrios-rev-6766/

$ tar -cJf sources-kolibrios-rev-6766.tar.xz sources-kolibrios-rev-6766/

$ du -sh sources-kolibrios-rev-6766.tar.xz
93M sources-kolibrios-rev-6766.tar.xz
============

> so if this is not
> just a false positive, the problem very likely comes from there.

Indeed.

> If you've got some spare minutes, could you maybe check the download
> from http://kolibrios.org/en/download , too?
>
> As far as I can see, there should not be any real danger here unless you
> put the .iso file onto a real CD-ROM or USB stick and start the .exe
> files in there (which is of course not necessary for starting a VM with
> the .iso file).

Yes, exactly, but still this incident is not nice to hear.

> But anyway, this needs some closer investigation, to see
> whether it's a false positive or not, so I've disabled that download for
> now. We'll let you know when we know more ... Thanks for reporting the
> issue!

Yes, thanks for bringing it up. I'm afraid, I'm a little short on time,
but will try to investigate later today.

Regards,
Kashyap
Re: [Qemu-devel] virus in colibriOS QEMU iso?
From: Thomas Huth
Date: 2016-12-23 10:25 UTC
To: vilcadam; Cc: Kashyap Chamarthy, qemu-devel

On 23.12.2016 10:20, Kashyap Chamarthy wrote:
> [...]
>
>> On 22.12.2016 18:37, vilcadam@gmail.com wrote:
>>> Hi, just letting you know that Avira found some crypto-locker virus in
>>> ColibriOS iso that you featured in QEMU Advent Calendar 2016. Maybe you
>>> should look into that. I am not sure if it’s a false positive or not.. You
>>> can check the attachment for a screenshot of the result.
>>
>> That sounds ugly ...
>
> That sounds super ugly indeed :-(
>
>> I think we just packaged the .iso from the official
>> KolibriOS website here (Kashyap, can you confirm?),
>
> Yes, I can confirm that I have downloaded the ISO from the
> official website -- it's a nightly build of their
> SVN revision 6766.

OK, as far as I can see, the issue comes from the setmbr.exe that is
contained in the iso for writing the KolibriOS to a USB stick.
According to http://board.kolibrios.org/viewtopic.php?t=2295 the report
from Avira is a false positive (likely caused because the program tries
to write to the MBR - which is also what some viruses / trojans are doing).

Anyway, since these Windows tools are not required for running
KolibriOS in a VM, I've now removed them from the iso image and
uploaded a new version to avoid future confusion:

 http://www.qemu-advent-calendar.org/2016/download/day09-v2.tar.xz

If you've got some spare minutes, it would be great if you could give
that new version another try to see whether the warning from Avira is
now properly gone (I don't have a Windows here to test this on my own).

Thanks,
 Thomas
[Qemu-devel] [Resolved -- false positive] Re: virus in colibriOS QEMU iso?
From: Kashyap Chamarthy
Date: 2016-12-23 12:43 UTC
To: Thomas Huth; Cc: vilcadam, qemu-devel

On Fri, Dec 23, 2016 at 11:25:18AM +0100, Thomas Huth wrote:
> On 23.12.2016 10:20, Kashyap Chamarthy wrote:

[...]

> > Yes, I can confirm that I have downloaded the ISO from the
> > official website -- it's a nightly build of their
> > SVN revision 6766.
>
> OK, as far as I can see, the issue comes from the setmbr.exe that is
> contained in the iso for writing the KolibriOS to a USB stick.
> According to http://board.kolibrios.org/viewtopic.php?t=2295 the report
> from Avira is a false positive (likely caused because the program tries
> to write to the MBR - which is also what some viruses / trojans are doing).

Phew, indeed it's a false positive. To quote verbatim from the above
thread, for the record:

  "The program setmbr.exe modifies MBR of USB flash drives or
  (optionally) hard disks, to allow them load KolibriOS. Usually programs
  that modify MBR are viruses - that's why your [Avast] antivirus
  reported it."

> Anyway, since these Windows tools are not required for running
> KolibriOS in a VM, I've now removed them from the iso image and
> uploaded a new version to avoid future confusion:
>
> http://www.qemu-advent-calendar.org/2016/download/day09-v2.tar.xz

Thanks, Thomas, for the swift response while I was AFK. Glad that we're
two people coordinating this.

> If you've got some spare minutes, it would be great if you could give
> that new version another try to see whether the warning from Avira is
> now properly gone (I don't have a Windows here to test this on my own).

Yeah, I don't have Windows either to test. But good that this is just a
false positive from an overly-paranoid tool.

--
/kashyap
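The thread's conclusion is that an installer which rewrites the Master Boot Record trips heuristic antivirus detection because the same action is typical of boot-sector malware. The practical way to confirm a tool's effect on a disk is to compare the 512-byte sector before and after it runs, checking that the boot signature is intact and that only the boot code area changed while the partition table stayed as it was. The following is an added example, not code from the QEMU Advent Calendar or KolibriOS projects, and it does not reproduce what setmbr.exe actually writes: the three sector images are constructed inline for illustration, and the hypothetical assess() verdict strings are this example's own.

```python
"""Compare a disk's first sector before and after a boot-sector installer ran.

Added example (not from QEMU or KolibriOS). The sector images below are
constructed stand-ins, not the real output of setmbr.exe.
"""
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"       # bytes 510..511 of a valid MBR
PART_TABLE_OFFSET = 446            # four 16-byte partition entries follow
PART_ENTRY_FMT = "<BBBBBBBBII"     # status, CHS start(3), type, CHS end(3), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition table and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, _, _, ptype, _, _, _, lba_start, sectors = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + 16])
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code": sector[:PART_TABLE_OFFSET],
        "partitions": partitions,
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
    }


def diff_mbr(before: bytes, after: bytes) -> dict:
    """Report which regions of the MBR differ between two captures."""
    a, b = parse_mbr(before), parse_mbr(after)
    return {
        "boot_code_changed": a["boot_code"] != b["boot_code"],
        "partition_table_changed": a["partitions"] != b["partitions"],
        "signature_valid_after": b["valid_signature"],
    }


def assess(before: bytes, after: bytes) -> str:
    """Hypothetical triage verdict: what did the installer touch?"""
    d = diff_mbr(before, after)
    if not d["signature_valid_after"]:
        return "broken"                    # sector no longer ends in 55 AA
    if d["partition_table_changed"]:
        return "partition table altered"   # a boot loader installer should not do this
    if d["boot_code_changed"]:
        return "boot code only"            # the expected footprint of an MBR boot installer
    return "unchanged"


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Construct a sample MBR; CHS fields use the 0xFE/0xFF/0xFF 'LBA only' filler."""
    code = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")
    table = b"".join(
        struct.pack(PART_ENTRY_FMT, status, 0xFE, 0xFF, 0xFF, ptype, 0xFE, 0xFF, 0xFF, lba, n)
        for status, ptype, lba, n in partitions)
    return code + table.ljust(64, b"\x00") + BOOT_SIGNATURE


# Constructed sample sectors (not real disk captures).
USB_PARTITION = [(0x80, 0x0C, 2048, 1_000_000)]   # bootable FAT32 (LBA) starting at sector 2048
ORIGINAL_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0", USB_PARTITION)
REWRITTEN_MBR = build_mbr(b"\xeb\x3c\x90NEWLOADER", USB_PARTITION)  # boot code replaced, table kept
CLOBBERED_MBR = build_mbr(b"\xeb\x3c\x90", [])                        # table wiped: not benign

if __name__ == "__main__":
    for name, after in (("rewritten", REWRITTEN_MBR), ("clobbered", CLOBBERED_MBR)):
        print(f"{name}: {assess(ORIGINAL_MBR, after)}")
```

On a real system the two inputs would come from reading the first 512 bytes of the target device (or of a disk image file) before and after running the installer; the parser itself is unchanged. A "boot code only" result is consistent with a legitimate boot installer and explains the antivirus heuristic without confirming malice, whereas an altered partition table or a missing signature is worth escalating.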