AVG found trojan horse in open office files

cnebrandt
Posts: 4
Joined: Wed Nov 05, 2008 12:38 am

Re: AVG found trojan horse in open office files

Post by cnebrandt »

Mcafee found no threats so I downloaded openoffice 3 and now even AVG does not find any threat, at least not yet.

But I do not understand why I wasn't informed about the update even though I probably had installed "check for updates automatically". And when I went through "check for updates" within the program I was only offered openoffice 2.4.1, not 3.
OOo 2.4.X on MS Windows Vista
Hagar Delest
Moderator
Posts: 32657
Joined: Sun Oct 07, 2007 9:07 pm
Location: France

Re: AVG found trojan horse in open office files

Post by Hagar Delest »

Because the 3.0 is a major branch change. Rather different from 2.#. And 3.0 is not compatible with old Windows versions like 95, 98, ME. So this would lead the users running those versions to a wrong install.
LibreOffice 7.6.2.1 on Xubuntu 23.10 and 7.6.4.1 portable on Windows 10
rahmank
Posts: 2
Joined: Wed Nov 05, 2008 12:54 am

Re: AVG found trojan horse in open office files

Post by rahmank »

I did do the md5sum when I installed OOo, so I am guessing this is an AVG fault - I'll report it to AVG and see what they do. In the meantime I'll upgrade to OOo 3.

thanks for all the help
OOo 2.4.X on Ms Windows XP + Vista
DJ-Leith
Posts: 9
Joined: Wed Nov 05, 2008 10:37 pm

Re: AVG found trojan horse in open office files

Post by DJ-Leith »

I think this might be a false positive.

On 05/11/2008 (November 5th, 2008) AVG (v8) did a
Scheduled scan of whole Computer at 02:05.

AVG found
C:\Program Files\OpenOffice.org 2.4\program\msi-pkgchk.exe
D:\OpenOffice2-4-1-DL\openoffice.org-core02.cab
D:\OpenOffice2-4-1-DL\openoffice.org-core02.cab:\msi_pkgchk.exe
('underbar' and not 'dash' in the 3rd line).

All 3 found as "Trojan horse Downloader.Generic8.BCQ"
All 3 moved to Virus Vault.

Comment:
On 04/10/2008 (October 4th, 2008)
I downloaded OO from the OO website to
D:\OpenOffice2-4-1-DL\ prior to upgrading my OO.
I would NOT expect any 'change in the download area'.

AVG has been doing the 'Scheduled scan' every
day at 02:05 and these files were OK / passed / not detected
until 05/11/2008. This makes me think that the 'detection'
is likely to be a false positive. So far there is no
confirmation from AVG.

At 17:17 on 05/11/2008 Updated AVG to
Virus DB: 270.8.6/1769
AVG version: 8.0.198
At that time there was also an AVG Program Update available
but I wanted to check the scan results before making changes.

The previous update to AVG was done at 21:39 on 04/11/2008.
I don't know the Virus DB version that was released on
04/11/2008 but I suspect that this is the one that is
now causing the false positive.
--
Edit, on 09/11/2008, to correct path to "msi-pkgchk.exe"
Last edited by DJ-Leith on Sun Nov 09, 2008 5:54 pm, edited 1 time in total.
OOo 2.4.X on MS Windows Vista
Zoandar
Posts: 14
Joined: Wed Mar 12, 2008 9:23 pm

Re: AVG found trojan horse in open office files

Post by Zoandar »

Which version of AVG are you guys using when it finds this? I am currently running the FREE AVG 7.5 on my notebook, and 8.0 on my PC.

Both of them are in the middle of their daily scheduled scans. I am running OO 2.3 on both machines, installed from the same download.

The notebook's AVG 7.5 is reporting this trojan horse downloader.generic8.bcq

But the PC's AVG 8, which is deep into the last few of my many drive letters, is not reporting it at all. Maybe the problem of a possible false positive hit has been fixed in AVG 8?

OK, AVG 7.5 is done on the notebook, and is reporting the issue as "healed". It deleted 2 instances of the msi_pkgchk.exe files, and then archived the openoffice.org-core02.cab file in the vault. Since reading this thread was the first I had seen of an OO version 3 being offered, I will upgrade to that version soon. Sooner if the notebook's version 2.3 no longer runs. :-)

The AVG 8 on the PC is still checking. But it has yet to report anything.
DJ-Leith
Posts: 9
Joined: Wed Nov 05, 2008 10:37 pm

Re: AVG found trojan horse in open office files

Post by DJ-Leith »

Hi Zoandar,

I am using AVG Version 8.
Since I posted I've done another update.
Currently
AVG Version: 8.0.199 and
Virus DB: 270.9.0/1770

I sent AVG the 'file from my vault' for them
to test to see if it was a false positive.

The file I selected was the 'vault file that was'
C:\Program Files\OpenOffice.org 2.4\program\msi-pkgchk.exe
as I suspected the CAB file would be large.

I heard nothing so I sent AVG an E-Mail via
their Support site pasting in my post (above).

I have had an automated reply.
If I don't get a 'human response' I will try, in a few days,
to put the 'files back from the vault' and rescan with
the latest AVG.

DJ-Leith
--
Edit, on 09/11/2008, to correct path to "msi-pkgchk.exe"
Last edited by DJ-Leith on Sun Nov 09, 2008 6:07 pm, edited 1 time in total.
OOo 2.4.X on MS Windows Vista
Zoandar
Posts: 14
Joined: Wed Mar 12, 2008 9:23 pm

Re: AVG found trojan horse in open office files

Post by Zoandar »

Hi DJ-Leith

My PC's full AVG version number is 8.0.175, so it looks like it still needs to check for updates today. But it never reported anything at all regarding this issue. I'll check back to see if AVG tells you anything.
owilky
Posts: 7
Joined: Wed Nov 05, 2008 11:47 am

Re: AVG found trojan horse in open office files

Post by owilky »

Mine was found by AVG Pro 8.0.199.

I have sent the cab file to AVG as someone else has sent the other file.

I will post any reply from AVG if I get one, although I should, using the Pro version.
OOo 3.0.X on Ms Windows XP
TheGurkha
Volunteer
Posts: 6482
Joined: Thu Mar 13, 2008 12:13 pm
Location: North Wales, UK.

Re: AVG found trojan horse in open office files

Post by TheGurkha »

Perhaps unrelated, but my latest AVG at home (not at home right now so can't check the version) has recently thrown a few other false-positives on different non-OOo software.
Ubuntu 14.10 Utopic Unicorn, LibreOffice Version: 4.3.3.2
Gurkha Welfare Trust
owilky
Posts: 7
Joined: Wed Nov 05, 2008 11:47 am

Re: AVG found trojan horse in open office files

Post by owilky »

AVG Support report that it is an infection, not a false positive..........

The reply:

AVG Anti-virus Research Lab has analyzed the file(s) you have sent from your AVG Virus Vault. Below you can find the results for each file. The final verdict on the file is either a correct detection or a false positive detection.

Further information about the verdicts is available at our website:
http://www.avg.com/faq-1184

all files are detected correctly

Best regards,

AVG Technical Support
website: http://www.avg.com
OOo 3.0.X on Ms Windows XP
TheGurkha
Volunteer
Posts: 6482
Joined: Thu Mar 13, 2008 12:13 pm
Location: North Wales, UK.

Re: AVG found trojan horse in open office files

Post by TheGurkha »

That's not what I read it as:
owilky wrote: The final verdict on the file is either a correct detection or a false positive detection.
We knew that much beforehand!
Ubuntu 14.10 Utopic Unicorn, LibreOffice Version: 4.3.3.2
Gurkha Welfare Trust
owilky
Posts: 7
Joined: Wed Nov 05, 2008 11:47 am

Re: AVG found trojan horse in open office files

Post by owilky »

Why? It says all files are detected correctly.

If they were safe it would say detected as false.
OOo 3.0.X on Ms Windows XP
TheGurkha
Volunteer
Posts: 6482
Joined: Thu Mar 13, 2008 12:13 pm
Location: North Wales, UK.

Re: AVG found trojan horse in open office files

Post by TheGurkha »

As a test I have downloaded and installed the portable version of OOo which is put together by PortableApps.com. This package also triggers AVG on the same file. The chances of that infection happening in two packages coming from two different sources is pretty remote to say the least. I really think this is a false-positive. Also, our corporate Computer Associates anti-virus at work (which has its signature files updated daily) doesn't flag anything.
Ubuntu 14.10 Utopic Unicorn, LibreOffice Version: 4.3.3.2
Gurkha Welfare Trust
DJ-Leith
Posts: 9
Joined: Wed Nov 05, 2008 10:37 pm

Re: AVG found trojan horse in open office files

Post by DJ-Leith »

I still think most of us are having/were having a false positive warning from AVG.

I think there are several issues here.
1. False positive.
2. The interpretation of AVG's 'feedback' and their FAQ Pages.
3. There is a known security issue with OOo Version 2.4.1 but not with Version 3.
4. Infected OOo - I speculate that due to the popularity of OOo Version 3 the bad guys may have been offering 'tainted downloads'.

As there have been over one thousand views of this thread I think it is worth making some comments for clarification. I'll now make 4 separate posts.
OOo 2.4.X on MS Windows Vista
DJ-Leith
Posts: 9
Joined: Wed Nov 05, 2008 10:37 pm

Re: AVG found trojan horse in open office files

Post by DJ-Leith »

1. False positive.
I still think most of us are having/were having a false positive warning from AVG.

A key date is 4th November 2008.

Before 04/11/08 several people were having issues
with a Trojan found in an Open Office (OOo) download.
See "Trojan downloaded with OO software" thread.
In the Getting started, Setup and Troubleshooting.

On 05/11/08 many reports of AVG finding a Trojan.
See this thread "AVG found trojan horse in open office files"
and many other discussion boards.

AVG are calling this Generic8.BCQ
AVG is finding it in "msi-pkgchk.exe".
and the CAB file where, I guess, it was put by the OOo developers
when they 'packaged up the files ready for download'.
The CABinet file is called "openoffice.org-core02.cab".

Several posts refer to AVG having had false positives.
I think this is another 'AVG false positive'.
As far as I can find no other Anti Virus software
is reporting "msi-pkgchk.exe" as 'infected' or 'a Trojan'.

My AVG.
I am using the paid for "AVG Internet Security".
This includes Firewall, Anti-Virus, LinkScanner, Anti-Spyware, Anti-Spam, Anti-Rootkit etc.

Right now it is at
AVG version: 8.0.199
Virus DB: 270.9.0/1777

In my case, see my first post (on Wed Nov 05, 2008 10:51 pm),
my 'OOo Download' D:\OpenOffice2-4-1-DL\openoffice.org-core02.cab
was found to be 'infected'. This file had been 'tested and passed'
every day at 02:05 from 05/10/2008 until 04/11/2008 (a whole month).
Then, on 05/11/2008, using a Virus DB update done at 21:39 on 04/11/2008,
my AVG 'detected the Trojan'.

Now, it is much more likely for my 'program file', which is in
an expected place, C:\Program Files\OpenOffice.org 2.4\program\msi-pkgchk.exe,
to get infected.

For both the 'program file' and a CAB file that I happened to have,
in a location that was not very predictable,
to both get infected - on the same day - is not nearly so likely.

Anything is possible. As an aside - Malware has been found on the International Space Station!
See
http://www.f-secure.com/weblog/archives/00001489.html and
http://news.bbc.co.uk/1/hi/technology/7583805.stm

My point is
Is it likely that a 'real Trojan' has the following characteristics?

1. It is present in several OOo Downloads, in the CAB Files, of several versions of OOo.
- Several 2.4.x
- In "OpenOffice version 3.0.9357.500" reported by owilky.
- the Post by TheGurkha on Fri Nov 07, 2008 11:21 am reports
"... portable version of OOo which is put together by PortableApps.com."
AND
2. It is not detected by any Anti Virus product for a month.
In cnebrandt's case for several months.
See his post on Wed Nov 05, 2008 12:54 am
AND
3. It is then widely detected by one AV Vendor's products
AND
4. Several days later it is still not being reported as being detected by any other vendor.
AND
5. There is no information on AVG's site as to what
"Trojan horse Downloader.Generic8.BCQ" is, how it works etc.
AND
6. There is no 'patch from OOo' to say something along the lines
of 'Security Issue - Trojan in CAB files / Trojan in download files...'.

I could go on...

Given all of this I just waited for AVG to get back to me
and I left the 'files in the AVG vault'.

Apart from the automated reply I have still not heard back from AVG
(see my post of Thu Nov 06, 2008 12:54 am).

This afternoon I have 'retrieved the files from the vault' and have tested them with:
AVG version: 8.0.199
Virus DB: 270.9.0/1777

Both files ("msi-pkgchk.exe" and "openoffice.org-core02.cab") now Pass.
So, AVG seem to have corrected their 'false positive'.
I don't know when - I've not had any feedback from AVG.
See my next post.
OOo 2.4.X on MS Windows Vista
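An added example, not written by any poster in this thread, that encodes the triage reasoning DJ-Leith lays out above together with the md5sum check rahmank mentions: a file whose on-disk bytes still match the publisher's checksum, that was last modified before the signature update which first flagged it, that passed many earlier scans, and that no other vendor flags, is scored as a likely false positive. The Detection schema, the scoring weights, the stand-in file bytes and the "published" checksum are all constructed for illustration; only the dates and the file name come from the thread.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class Detection:
    first_flagged: datetime      # first scan that reported the file
    db_update: datetime          # signature (Virus DB) update installed before that scan
    file_mtime: datetime         # last-modified time of the flagged file on disk
    prior_clean_scans: int       # earlier scans of the same, unchanged file that passed
    other_vendors_flagging: int  # independent AV products that also flag the file


def md5_hex(data: bytes) -> str:
    # MD5 only because that is what the download site published; integrity, not security.
    return hashlib.md5(data).hexdigest()


def triage(det: Detection, file_bytes: bytes,
           published_md5: Optional[str]) -> Tuple[str, List[str]]:
    reasons: List[str] = []
    score = 0
    if published_md5 is not None:
        if md5_hex(file_bytes) == published_md5.lower():
            score += 2
            reasons.append("on-disk file matches the publisher's checksum")
        else:
            score -= 3
            reasons.append("on-disk file does NOT match the publisher's checksum")
    # The thread's core argument: the file did not change, the signatures did.
    if det.file_mtime < det.db_update <= det.first_flagged:
        score += 1
        reasons.append("first hit follows a signature update; file unchanged since before it")
    if det.prior_clean_scans >= 7:
        score += 1
        reasons.append("%d earlier scans passed the same file" % det.prior_clean_scans)
    if det.other_vendors_flagging == 0:
        score += 1
        reasons.append("no other vendor flags the file")
    else:
        score -= det.other_vendors_flagging
        reasons.append("%d other vendor(s) also flag it" % det.other_vendors_flagging)
    if score >= 3:
        verdict = "likely false positive: keep quarantined, submit to vendor, await a definitions fix"
    elif score <= 0:
        verdict = "treat as infection"
    else:
        verdict = "undetermined: keep quarantined and submit for analysis"
    return verdict, reasons


# Constructed sample: stand-in bytes (NOT the real msi-pkgchk.exe) with a matching
# "published" checksum; the dates follow DJ-Leith's timeline in the thread.
SAMPLE_FILE = b"MZ constructed stand-in for msi-pkgchk.exe"
PUBLISHED_MD5 = md5_hex(SAMPLE_FILE)
THREAD_CASE = Detection(
    first_flagged=datetime(2008, 11, 5, 2, 5),
    db_update=datetime(2008, 11, 4, 21, 39),
    file_mtime=datetime(2008, 10, 4),
    prior_clean_scans=31,
    other_vendors_flagging=0,
)
```

With the constructed sample the thread's case scores 5 (likely false positive); the same record with tampered file bytes scores 0 and is treated as an infection.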
DJ-Leith
Posts: 9
Joined: Wed Nov 05, 2008 10:37 pm

Re: AVG found trojan horse in open office files

Post by DJ-Leith »

2. The interpretation of AVG's 'feedback' and their FAQ Pages.

See Post by owilky on Thu Nov 06, 2008 11:06 am and the discussion that followed.

I think AVG's E-Mail to owilky is ambiguous.
One could easily read it, as owilky and I did, as meaning 'the file you submitted as a possible false positive is not a false positive - it is correctly detected'. However, TheGurkha is quite correct in saying that it is ambiguous.

When I went to
http://www.avg.com/faq-1184 it became
http://www.avg.com/90823
In this FAQ AVG describe three possible situations:
1. Correct detection
2. False detection
3. Sent for deep manual analysis
For each there is guidance as to what to do next.

Section two has
"2. False detection

If the analysis shows that the detection of the file was incorrect, the next Definitions update will contain a fix of this detection. Please update your AVG and if a new Definitions update was downloaded, please check whether the file is still detected. There are again two possible scenarios: ... ..."

This is why I waited for AVG to 'correct their false positive'.
It is a pity that they have not replied to all the folk who submitted 'possible files for false positive testing'.
OOo 2.4.X on MS Windows Vista
DJ-Leith
Posts: 9
Joined: Wed Nov 05, 2008 10:37 pm

Re: AVG found trojan horse in open office files

Post by DJ-Leith »

3. There is a known security issue with OOo Version 2.4.1 but not with Version 3.
While researching this issue I have discovered that there are two Security issues with OOo 2.4.1 (the Version I have).

http://www.openoffice.org/security/cves ... -2237.html
CVE-2008-2237
Manipulated WMF files can lead to heap overflows and arbitrary code execution

http://www.openoffice.org/security/cves ... -2238.html
CVE-2008-2238
Manipulated EMF files can lead to heap overflows and arbitrary code execution

Resolution, for both of these is
"5. Resolution

This issue is addressed in the following release:

OpenOffice.org 2.4.2

Note: OpenOffice.org 3.0 is not affected by this vulnerability."

So if we are on OOo V2.4.1 we should upgrade to v2.4.2
and if we are on 3.0 no need to change.

I will be upgrading shortly.
OOo 2.4.X on MS Windows Vista
DJ-Leith
Posts: 9
Joined: Wed Nov 05, 2008 10:37 pm

Re: AVG found trojan horse in open office files

Post by DJ-Leith »

4. It is possible for the bad guys to offer tainted software for download.
This is well known. 'Unofficial sources' are a common source of Malware.
I am no expert but I think the official download site for OOo
is via the links on http://www.openoffice.org/index.html

For OOo V2.4.2 http://download.openoffice.org/2.4.2/index.html

If you had a warning about 'an infection' BEFORE 04/11/2008
then all of my 'speculation and argument about a false positive',
in this thread, does NOT apply because I think 'this false positive warning'
only appeared after 04/11/2008.

See, as an example,
http://forum.worldstart.com/showthread. ... ost1342201
My guess is there was a problem
BEFORE 04/11/2008.
Then, on 05/11/2008, there WAS ALSO 'the AVG false positive'.

I am not suggesting that anybody went to a bad site.
I am suggesting that 'these issues are potentially very confusing'
and one has to be very careful when drawing conclusions.
OOo 2.4.X on MS Windows Vista
TheGurkha
Volunteer
Posts: 6482
Joined: Thu Mar 13, 2008 12:13 pm
Location: North Wales, UK.

Re: AVG found trojan horse in open office files

Post by TheGurkha »

My money's still on false positive.
Ubuntu 14.10 Utopic Unicorn, LibreOffice Version: 4.3.3.2
Gurkha Welfare Trust
owilky
Posts: 7
Joined: Wed Nov 05, 2008 11:47 am

Re: AVG found trojan horse in open office files

Post by owilky »

After disabling the office option of it loading with Windows for quicker access, I no longer get the warnings when running AVG Pro.

Could it be that that is triggering something?

I am also leaning towards TheGurkha's opinion of a false positive.
OOo 3.0.X on Ms Windows XP
DJ-Leith
Posts: 9
Joined: Wed Nov 05, 2008 10:37 pm

Re: AVG found trojan horse in open office files

Post by DJ-Leith »

Finally - confirmation from AVG.

The specific question that started this thread, on Tue Nov 04, 2008 10:50 pm,
cnebrandt wrote: AVG has found the following infection on my vista computer.

THREAT DETECTED

File Name: C:\Program Files\OpenOffice.org 2.4\program\msi-pkgchk.exe
Threat Name: Trojan horse Downloader Generic8.BCQ
Detected on open ...
...
Any help out there?
CB
I have had an answer from AVG.

This specific case is now confirmed as a False Positive - by AVG.
Here is an edited version of their reply to me

--
Time: Wed, 12 Nov 2008 11:31:04 +0100 (CET)
From: AVG Technical Support
To: DJ-Leith
Subject: Re: G#0803268009 - Technical Support Form

Dear Sir/Madam,

thank you for your email.

Unfortunately, the previous virus database might have detected the
Trojan horse Downloader.Generic8.BCQ on some legitimate applications.
We can confirm that it was a false alarm. We have immediately released
a new virus update that removes the false positive detection on this
file. Please update your AVG and check your files again.

If you need to restore deleted files from AVG Virus Vault you can do
it this way:
- Open AVG user interface.
- Choose "Virus Vault" option from the "History" menu.
- Locate the file that was incorrectly removed and select it (one
click).
- Click on the "Restore" button.

We are sorry for the inconvenience.

If you restore your files from the Virus Vault and with the latest
Virus Definitions they are still detected as threats, please send us
those files for analysis again.

...
** DJ-Leith adds in here, I did this on Sunday 09 November 2008.
When AVG 'tested the files taken out of the vault' they all passed.
See my post of Sun Nov 09, 2008 5:17 pm (above).
Since then my daily (at 02:05) scan has also been OK.
Now, continuing to quote my communication with AVG.
**

...
In case you need any further information, please do not hesitate to
contact us again.

Best regards,

Ivaylo Simeonov
AVG Technical Support

website: http://www.avg.com
mail: support AT avg.com

Answers to the most common questions can be found here as well:
http://www.avg.com/faq

On Thu Nov 06 00:55:51 CET 2008, DJ-Leith wrote:

...
> OS: Vista
> Service pack: sp1
> Program version: 8.0
> Build version: 8.0
> Virus DB version: 270.9.0/1770
> Area: Virus Vault
> Issue: False detection
>
> Issue description:
> Dear AVG,
>
> I tried to send you a sample by
> 1. Selecting the file in the Virus Vault.
> 2. Adding an E-Mail Address (this one).
...
...
> Please can you reply to confirm whether this is a
> false positive or not. If it is a false positive
> can I restore the files from the vault?
>
> If this is a false positive please can you put some
> information on your web site.
...
...
> See also
>
> http://user.services.openoffice.org/en/forum/viewtopic.php?f=49&t=11718&st=0&sk=t&sd=a
>
> --
> I think this might be a false positive.
>
> On 05/11/2008 (November 5th, 2008) AVG (v8) did a
> Scheduled scan of whole Computer at 02:05.
...

--
End of my communication with AVG.
--

As I said in my first post on Wed Nov 05, 2008 8:51 pm
"I think this might be a false positive..."

It is reassuring to have this confirmation from AVG.
OOo 2.4.X on MS Windows Vista
DJ-Leith
Posts: 9
Joined: Wed Nov 05, 2008 10:37 pm

Re: AVG found trojan horse in open office files

Post by DJ-Leith »

Q. Why did it take so long for AVG to respond to me?
A. If you do a Google search for

"false positive" avg november 2008

you will see lots of hits.

Including:

http://securityandthe.net/2008/11/10/av ... dows-file/
http://www.theregister.co.uk/2008/11/11 ... _positive/
http://blogs.zdnet.com/security/?p=2158

A different, and much more serious, False Positive was fixed on 10 November 2008.
It looks as if their Support staff have been very busy.

So, some of us were very fortunate!
OOo 2.4.X on MS Windows Vista
TheGurkha
Volunteer
Posts: 6482
Joined: Thu Mar 13, 2008 12:13 pm
Location: North Wales, UK.

Re: AVG found trojan horse in open office files

Post by TheGurkha »

@cnebrandt : If this has answered your question please go to your first post and use the Edit button, and add [Solved] to the start of the title. You can also use the green tick icon.
Ubuntu 14.10 Utopic Unicorn, LibreOffice Version: 4.3.3.2
Gurkha Welfare Trust