Windows (64-bit) download - Flagged by Windows Defender as containing a Virus

jbdoucet · August 13, 2016, 3:32pm

Steps I took that resulted in the problem:

After downloading '‘fritzing.0.9.3b.64.pc’, Windows Defender flags the download as containing a virus (Trojan:Win32/Varpes.M!cl):
_
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Recommended action: Remove this software immediately.

Items:
containerfile:C:\Users\xxx\Downloads\fritzing.0.9.3b.64.pc.zip
file:C:\Users\xxx\Downloads\fritzing.0.9.3b.64.pc.zip->fritzing.0.9.3b.64.pc/Qt5Core.dll
file:C:\Users\xxx\Downloads\fritzing.0.9.3b.64.pc.zip->fritzing.0.9.3b.64.pc/Qt5SerialPort.dll
_

What I expected should have happened instead:

…

My version of Fritzing and my operating system:

… running Windows 10 (1607, latest version with latest updates)

Please also attach any files that help explaining this problem

StaticDet5 · August 16, 2016, 11:07am

I have pretty much the exact same issue, with the same virus/trojan alert. The file is too big to submit to VirusTotal or Metadefender. It seems to be triggering on Qt5Core.dll and Qt5SerialPort.dll.

I’m working on drilling down to those files with a different PC. I’ll post up here with some results as I get them.

StaticDet5 · August 16, 2016, 12:00pm

Qt5Core.dll comes back as negative on VirusTotal (0/55) and a SHA-256 hash:
8cc2fc821e28e2a6ad26b5fcefc83fa563644e44b9cb636f2bb1d500b3118b37

Qt5SerialPort.dll also comes back as negative on VirusTotal (0/55) and a SHA-256 hash:
7fe0929b50187490ed8b5a91ce587a483ccf1831c8f26da6eb699534129d9766

This leads me to believe that this is probably a false categorization, BUT I didn’t manually analyze or sandbox the files. I poked a little further.

I did not see hash values for the Fritzing downloads, so I can’t compare that. Also, between the time that I saw this on my home computer, and switched to my research computer, the fritzing.org site went down. There could have been an alteration of the files.
Doing an MD5 of the two downloads on two different computers, I have the same file name, but two different hashes.

Breaking down and disabling the AV on my desktop, I ran VirusTotal against the two files. They have different hashes, and in fact, different file sizes.

I’d be real careful here. Something’s not adding up right. This could be operator error (not my first rodeo, but it happens), so I’d appreciate it if someone could confirm my findings.

dwanders · August 17, 2016, 4:47am

Same here. I’m on Windows 10 64-bit. Unzipping produced Malware detected by Windows Defender. Files were removed.
Is the download file hacked???

I downloaded the previous version fritzing.0.9.2b.64.pc and had no issues running it.

StaticDet5 · August 18, 2016, 1:23pm

EDITED: Fritzing only allows 3 replies for “new” users. So I’m editing this last one. Look for the textual line break for the new stuff.
I haven’t seen any other movement on this one, so I’ll try to run with it. Work is kind of rough right now, but I’ll try to work this in.

Ways that can help.
First and foremost, the scope of this examination is for Windows 64-bit version, 0.9.2b.64.pc

What I’m looking for, and ANYONE can contribute to this, whether you are having an issue or not, is the MD5 has of the zip file you pull down from this website, and whether Windows Defender (or any other antivirus tool) is flagging it as potentially malicious. Instructions for determining the hash of a file are available here:
https://support.microsoft.com/en-us/kb/889768
Windows doesn’t ship (by default) with an MD5 checksum tool. You can download it here (there are some directions there as well, but not the short-and-sweet version that just gets the job done):
https://support.microsoft.com/en-us/kb/889768

I’m looking at MD5’s because it looks like my two different computers downloaded two different versions of what should be the same file. I need to verify that this is taking place. A dynamically generated zip file from a website would make me very curious and slightly suspect.

Honestly, there is a fair probability that the files in question are a false positive. I’m concerned that there are two files, but that could be a simple case of the same writer writing two DLL files and using a line in the code that Windows Defender thinks is an indicator of a malicious file. Windows does have a file submission service, but the way the website is set up, it looks like Microsoft wants vendors to submit. I’m posting here, in hopes that someone from the Fritzing project will either give permission or say “Wait! Don’t do that yet!”.

Raw file analysis isn’t going to happen. It takes more time than I’ve got, and I’m not betting all of your systems on my skills. Anyone else wants to tackle that, go for it.

So, why the interest in MD5’s? MD5’s are cryptographic hashes, and they have this pretty cool feature. You can actually test it out yourself. Take a file, and run it through the hashing algorithm, and you’ll get something that looks like this: 8cc2fc821e28e2a6ad26b5fcefc83fa563644e44b9cb636f2bb1d500b3118b37

Now, go in and change one thing. Just one tiny thing. Turn a 1 into a 2. The file is the same size, has the same name, etc. To a casual glance (even an indepth glance), the files are identical. Run it through the same hashing algorithm, you’ll get something like this: 7fe0929b50187490ed8b5a91ce587a483ccf1831c8f26da6eb699534129d9766

At a glance, it’s dramatically different. But if you run the first file through an MD5 hashing algorithm on any computer, or any website, you’ll always get the same hash.
Hashes are relatively unique. It is possible to generate the same hash for a functionally different file, but is statistically unlikely to happen by chance.

So, if folks start posting up numerous different hashes for the same file, there’s something interesting going on (not necessarily malicious).

If someone else tackles parts of this, let me know what you find. Also, Fritzing team, I’m not looking to ruffle any feathers. I’ve worked on some projects like this, and I know that when I did it, there were insane numbers of people pointing out problems and never enough resources to do anything about it. I’m just looking to help out here. If that’s not a good idea, please let me know.

#######################################################################################

OK, I uploaded the files to the windows submission portal, with them marked as “Probably not malicious”. I can’t explain the differing MD5 hashes but identical version numbers unless a) someone messed up, or b) more likely an error occurred during the file download.

I can’t zip and upload the files here (Tried, sorry), but the files I sent were from fresh downloads this morning (and had matching MD5’s from the other day). Also, I did download the files on my “regular” computer and it still flagged the two dll’s as malicious, and munched them (delicious).

If anyone else has any thoughts, let me know.

caleidocane · August 19, 2016, 12:34pm

Hello i have found the same Trojan warning on windows 10! I’ve also tried to download older version but until the 8, all with the same trojan

rotaryboots · August 19, 2016, 9:24pm

Same issue here. Windows flags Win32/Varpes.M!cl as a trojan.

-Chris

frank12 · August 21, 2016, 3:04pm

Windows 10 is also flagging Win32/Varpes.M!cl as a trojan for me. The MD5 I got from fritzing.0.9.3b.64.pc.zip is eb812be8548279608a919ccfe193423a.

StaticDet5 · August 29, 2016, 9:46am

OK, I guess I’m past the new user stage.

I submitted the questionable files to Microsoft, and waited a week. I updated the virus definitions on Windows Defender. Upon pulling the new 0.9.3b.pc.zip file down, I scanned the zip file. I then extracted the zip file and scanned the directory. I then scanned Qt5Core and Qt5SerialPort. None of these resulted in alerts.

It is highly unlikely that there is a risk here.