From: "Dave Korn"
Subject: RE: report from virustotal / setup.exe from cygwin.com may be corrupt?
Date: Mon, 1 Sep 2008 08:33:07 +0100
Message-ID: <01a001c90c04$fcbee060$9601a8c0@CAM.ARTIMI.COM>
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Mail-Followup-To: cygwin AT cygwin DOT com

René Berber wrote on 01 September 2008 07:41:

> Eric Freudenthal wrote:
>
>> I just downloaded setup.exe from cygwin.com and sent it to virustotal.
>> A couple of services didn't like it:
>>
>> the report:
>> http://www.virustotal.com/analisis/ccb64d1f4e157ba250e1649f46868196
>>
>> details:
>> eSafe 7.0.17.0 2008.08.31 Suspicious File
>> Prevx1 V2 2008.09.01 Suspicious
>
> That means nothing, if sddt.exe is a known virus it should say so
> clearly. Notice that none of the big names report anything.

  It's quite likely they're just indiscriminately flagging up all UPX-packed
executables as inherently suspicious.

  I can confirm that setup.exe on cygwin.com still matches the version that I
built on my home PC and uploaded there:

~ $ wget http://cygwin.com/setup.exe
--2008-09-01 08:30:47--  http://cygwin.com/setup.exe
Resolving cygwin.com... 209.132.176.174
Connecting to cygwin.com|209.132.176.174|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 585728 (572K) [application/octet-stream]
Saving to: `setup.exe'

100%[======================================>] 585,728     239K/s   in 2.4s

2008-09-01 08:30:51 (239 KB/s) - `setup.exe' saved [585728/585728]

@_______. . ( /"\ ||--||(___) '" '"'---'
~ $ md5sum setup.exe
4f3f250cb9704fda2c241347cb689a8f *setup.exe

@_______. . ( /"\ ||--||(___) '" '"'---'
~ $ md5sum /tmp/apps/objmerge/setup-2.573.2.3.exe
4f3f250cb9704fda2c241347cb689a8f */tmp/apps/objmerge/setup-2.573.2.3.exe

@_______. . ( /"\ ||--||(___) '" '"'---'
~ $

> but, as Dave Korn's reply said, if it was, the virus must be inside one
> of the packages (and setup.ini had to be forged, and a pre- or
> post-install script changed to run the virus)... I'm not sure if it
> really is possible to spread it like that.

  /Was/ possible.  Isn't now!  :)

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....
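The integrity check Dave Korn performs in the reply above (hash the downloaded setup.exe, hash the copy he built himself, compare the two digests) is the right response to an inconclusive antivirus verdict: a packed binary looking "suspicious" to a heuristic says nothing, while a digest that differs from the builder's copy would be hard evidence of tampering. The following script is an added example, not code from the thread or from the Cygwin project; it reproduces that comparison, parses digest lines in the `md5sum`/`sha256sum` output format shown above (including the `*` binary-mode marker), and defaults to SHA-256 because MD5 collisions are practical for attacker-chosen files. The sample files it hashes are constructed in a temporary directory and are not real PE images; the only real digest it touches is the one quoted in the thread.

```python
# Added example (not part of the cygwin thread): reproduce the integrity check
# from the reply above, i.e. hash the downloaded file and compare it with the
# digest of a trusted reference copy, or with a published digest line in
# md5sum/sha256sum format such as "4f3f250cb9704fda2c241347cb689a8f *setup.exe".
import hashlib
import hmac
import os
import tempfile


def digest_file(path, algo="sha256", chunk_size=1 << 16):
    """Stream the file through the chosen hash so a large download does not
    have to fit in memory; return the lowercase hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sum_line(line):
    """Parse one line of md5sum/sha256sum output.

    Coreutils prints '<hex>  <name>' in text mode and '<hex> *<name>' in
    binary mode (the '*' seen in the thread); both forms are accepted.
    Returns (hex_digest, file_name) or raises ValueError on malformed input.
    """
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("expected '<hexdigest> <filename>': %r" % line)
    hex_digest, name = parts
    try:
        int(hex_digest, 16)
    except ValueError:
        raise ValueError("digest is not hexadecimal: %r" % hex_digest)
    if name.startswith("*"):
        name = name[1:]
    return hex_digest.lower(), name


def algo_for_digest(hex_digest):
    """Infer the algorithm from the digest length: MD5 = 32, SHA-1 = 40,
    SHA-256 = 64 hex characters."""
    return {32: "md5", 40: "sha1", 64: "sha256"}[len(hex_digest)]


def verify_file(path, expected_hex, algo=None):
    """Return True iff the file's digest equals expected_hex.

    hmac.compare_digest is used so the comparison does not short-circuit on
    the first differing byte; the algorithm defaults to what the digest
    length implies.
    """
    if algo is None:
        algo = algo_for_digest(expected_hex)
    actual = digest_file(path, algo)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def files_match(path_a, path_b, algo="sha256"):
    """The check from the thread: does the downloaded copy equal the local build?"""
    return hmac.compare_digest(digest_file(path_a, algo), digest_file(path_b, algo))


def demo():
    """Constructed sample: a 'downloaded' file, the builder's reference copy,
    and a tampered copy that differs by a single trailing byte."""
    with tempfile.TemporaryDirectory() as d:
        downloaded = os.path.join(d, "setup.exe")
        reference = os.path.join(d, "setup-local-build.exe")
        tampered = os.path.join(d, "setup-tampered.exe")
        # Constructed payload, not a real PE image.
        payload = b"MZ" + b"\x00" * 62 + b"constructed sample, not a real PE image\n"
        for p in (downloaded, reference):
            with open(p, "wb") as f:
                f.write(payload)
        with open(tampered, "wb") as f:
            f.write(payload + b"\x90")  # one extra byte changes every digest
        # A digest line as md5sum would print it for the reference copy.
        published = "%s *setup.exe" % digest_file(reference, "md5")
        expected_hex, _ = parse_sum_line(published)
        return {
            "download_matches_build": files_match(downloaded, reference),
            "download_matches_published": verify_file(downloaded, expected_hex),
            "tampered_matches_build": files_match(tampered, reference),
            "tampered_matches_published": verify_file(tampered, expected_hex),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-28s %s" % (name, ok))
```

Run it directly to see the four comparisons; the two "tampered" entries come out False. The check is only as strong as the reference: comparing a download against a digest fetched from the same server over plain HTTP, as in the 2008 transcript, detects accidental corruption and mirror drift but not an attacker who controls the server, which is why a digest from an independent channel (or a signature) is the stronger form of the same idea.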