
Bug#726393: general: Possible malware infections in source packages



Package: general
Severity: normal

Some of the source packages were caught on a gateway anti-virus scanner while
downloading.

These are the exact downloads:

http://ftp.fi.debian.org/debian/pool/main/libm/libmime-explode-perl/libmime-explode-perl_0.39.orig.tar.gz
http://ftp.fi.debian.org/debian/pool/main/p/pymilter/pymilter_0.9.5.orig.tar.gz
http://ftp.fi.debian.org/debian/pool/main/libm/libmail-deliverystatus-bounceparser-perl/libmail-deliverystatus-bounceparser-perl_1.531.orig.tar.gz
http://ftp.fi.debian.org/debian/pool/main/l/linkchecker/linkchecker_7.9.orig.tar.bz2

I also uploaded the archives to virustotal.com for scanning with multiple
vendors:
https://www.virustotal.com/en/file/2403530b352c591464b96b37173031749c993967ed6e1375b6d295ef84576ac9/analysis/
https://www.virustotal.com/en/file/2edb67ca8b8831991d7ba24092829e775355e5a35aeae61cac52de0dc82b2fd5/analysis/
https://www.virustotal.com/en/file/af45514ed8ad5491c8dd1d682a5061c79f624e1789abef3f27e92bcd3653c052/analysis/
https://www.virustotal.com/en/file/7bb478a4f9512e1dfe77c658f0410d62d9af91cedc35ee7aaaff6bc9a56d7f85/analysis/

I looked into one of these, libmail-deliverystatus-bounceparser-perl_1.531.orig.tar.gz,
and found a multipart email file containing a zip attachment. Inside this
archive is a .pif file (PE32 executable for MS Windows) which is detected as
Win32.Worm.Mytob.EF.

This doesn't look like a false positive. I hope that the source packages will
be sanitized of any actual malware samples.



-- System Information:
Debian Release: 7.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
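As an added example (not part of this bug report or of any of the packages it names), the following Python script automates the reporter's manual check from a defender's side: it walks a source tarball, parses any member that carries MIME headers as an email message, opens zip attachments, and flags inner files that have a PE32 header or a Windows-executable extension such as .pif. The tarball, the bounce message and the fake PE image are all constructed in memory for the demonstration; the member names and addresses are placeholders.

```python
"""Scan a source tarball for MIME messages that carry executable attachments.

Added example, not code from the bug report or from the named packages. It
reproduces the reporter's manual check: open the tarball, find members that
parse as multipart email, unpack any zip attachment, and flag inner files that
look like PE32 executables (MZ/PE headers) or carry a Windows-executable
extension. All sample data is constructed in memory.
"""
import io
import tarfile
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows treats as executable (the report's sample was a .pif).
EXEC_EXTENSIONS = (".pif", ".exe", ".scr", ".com", ".bat", ".cmd")


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def suspicious_inner_files(zip_bytes: bytes):
    """Yield (name, reason) for zip members that look like Windows executables."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return
    for info in zf.infolist():
        if info.is_dir():
            continue
        # Read only a header-sized prefix so a zip bomb cannot exhaust memory.
        head = zf.open(info).read(4096)
        if looks_like_pe(head):
            yield info.filename, "PE32 header"
        elif info.filename.lower().endswith(EXEC_EXTENSIONS):
            yield info.filename, "executable extension"


def scan_tarball(tar_bytes: bytes):
    """Return a list of (member, attachment, inner_file, reason) findings."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            raw = tar.extractfile(member).read()
            # Cheap pre-filter: only parse members that carry MIME headers.
            if b"Content-Type:" not in raw[:65536]:
                continue
            msg = message_from_bytes(raw, policy=policy.default)
            if not msg.is_multipart():
                continue
            for part in msg.iter_attachments():
                payload = part.get_payload(decode=True)  # base64 is decoded here
                if payload is None:
                    continue
                attachment = part.get_filename() or "<unnamed>"
                for inner, reason in suspicious_inner_files(payload):
                    findings.append((member.name, attachment, inner, reason))
    return findings


def build_sample_tarball() -> bytes:
    """Construct a tiny tar.gz resembling a test corpus of bounce messages."""
    # Minimal PE32 image: 'MZ' stub, e_lfanew at 0x3C pointing to 'PE\0\0' at 0x40.
    fake_pe = bytearray(b"MZ" + b"\x00" * 0x3E)
    fake_pe[0x3C:0x40] = (0x40).to_bytes(4, "little")
    fake_pe += b"PE\x00\x00" + b"\x00" * 60

    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("document.pif", bytes(fake_pe))  # constructed, inert stand-in
        zf.writestr("readme.txt", "benign text\n")

    msg = EmailMessage()
    msg["From"] = "mailer-daemon@example.invalid"  # placeholder addresses
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Delivery failure"
    msg.set_content("Your message could not be delivered.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")

    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w:gz") as tar:
        for name, data in (("pkg/t/corpus/bounce1.eml", msg.as_bytes()),
                           ("pkg/lib/Parser.pm", b"package Parser;\n1;\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return tar_buf.getvalue()


if __name__ == "__main__":
    for member, attachment, inner, reason in scan_tarball(build_sample_tarball()):
        print(f"{member}: attachment {attachment} contains {inner} ({reason})")
```

The scan only looks one level deep (zip inside email inside tarball), which is the exact nesting the report describes; a production scanner would recurse into nested archives and apply per-member size limits throughout, since test corpora of bounce parsers routinely embed real-world spam and worm mails.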

