Jeff Duntemann's Contrapositive Diary

November 8th, 2008:

Malware from SourceForge?

I've been chasing something very odd here recently. For about a year now I have used a FOSS utility called MozBackup to both archive and move my 1.7 GB mailbase around. It has always worked beautifully, but when I used it to restore my mailbase onto my new quad-core machine last week, the mailbase did not come back intact. I was getting weird error messages about the inbox not truncating when messages were moved into the junk folder, etc., which made me wonder what was going on.

OK. This is a quad-core machine running XP SP3. I deliberately set it up so that AVG 8 runs during the day and not at 2 ayem, because I want to observe what effect multiple tasks in multiple cores have on overall system response. So every day at 1 PM, AVG 8 runs a full scan. It ran a full scan on all drives yesterday, and came up with nothing except warnings about a couple of revenant tracking cookies.

Late yesterday afternoon, I copied the current MozBackup installer file from my installers archive on D: to my “installed installers” folder (where I put installers for software installed on the machine) on C:. Instantly, AVG 8 set up a howl that it had found a trojan in MozBackup-1.4.8-EN.exe, the installer for the instance of MozBackup that I have had installed on the quad-core since June. The trojan was called Generic12.HTC.

That's odd in itself: On all the bazillion-squared pages that Google indexes, there was not a single mention of “Generic12.HTC” yesterday. Nor is there any entry by that name in AVG's virus encyclopedia. This morning, however, I suddenly see five or six mentions indexed during the night. It looks like a false positive, but I'm still a little nervous.

As a test, I went back to SourceForge and downloaded another copy of the file. As soon as it was complete in a temp folder, wham! AVG's “resident shield” utility called it out as Generic12.HTC. Now, I'm not used to thinking that SourceForge downloads can be malware sources, though there's no reason that it's impossible. However, the MozBackup-1.4.8-EN.exe file has been on my hard drive since June, and has passed muster every afternoon that the machine has been powered up. The file's time stamp has not changed. I can only assume that during yesterday's daily update, AVG brought down a signature that matched something inside the file—and that would be a mighty freaky coincidence if true.

The other freaky thing is that after I deleted MozBackup 1.4.8 and installed the previous version 1.4.7 (which is in use on three of my other machines, including my X41 tablet) the mailbase restore worked perfectly. So are there two problems here or one?

The handful of reports surfacing this morning seem to indicate that it's a false positive, which would make sense, given that it's been on this system since June without AVG making noise. So maybe I don't need to warn you against the 1.4.8 version. However, it does look like 1.4.8 doesn't necessarily import an archive created with 1.4.7. Yes, a coincidence, and a weird one.