AVG found trojan horse in open office files

cnebrandt
Posts: 4
Joined: Wed Nov 05, 2008 12:38 am

AVG found trojan horse in open office files

Post by cnebrandt »

AVG has found the following infection on my vista computer.

THREAT DETECTED

File Name: C:Program Files\OpenOffice.org 2.4\program\msi-pkgchk.exe
Threat Name: Trojan horse Downloader Generic8.BCQ
Detected on open

When I follow their directions to "more information about this threat" I find nothing. If I try to HEAL it I get a warning about crashing the system.
So far Mcafee hasn't warned me, I will run their scan next.

There are lots of sites found on Google promising to help me but I don't know if I trust them.

Has anyone else seen this?

Any help out there?
CB
OOo 2.4.X on MS Windows Vista
Villeroy
Volunteer
Posts: 31279
Joined: Mon Oct 08, 2007 1:35 am
Location: Germany

Re: AVG found trojan horse in open office files

Post by Villeroy »

Where did you download OpenOffice.org?
Please, edit this topic's initial post and add "[Solved]" to the subject line if your problem has been solved.
Ubuntu 18.04 with LibreOffice 6.0, latest OpenOffice and LibreOffice
cnebrandt
Posts: 4
Joined: Wed Nov 05, 2008 12:38 am

Re: AVG found trojan horse in open office files

Post by cnebrandt »

I have had it on this computer since I bought it last March. I have no idea where I downloaded it from.
I have never had a problem before.
OOo 2.4.X on MS Windows Vista
rahmank
Posts: 2
Joined: Wed Nov 05, 2008 12:54 am

Re: AVG found trojan horse in open office files

Post by rahmank »

Hi
AVG found the same file on mine too. I was careful in downloading the suite from openoffice.org, so I am pretty certain the suite was not corrupted when I installed it. Also I ran AVG previous times and this msi-pkgchk.exe file was not picked up as a virus. AVG reports it as "trojan horse downloader.generic8.BCQ". Cannot get any further info on the file on the web.
Is the program part of the OOo suite? If so, what does it do (is it necessary)?

Is it a fault in AVG?

If anyone can help, I'd be very grateful.
Thanks
OOo 2.4.X on Ms Windows XP + Vista
Villeroy
Volunteer
Posts: 31279
Joined: Mon Oct 08, 2007 1:35 am
Location: Germany

Re: AVG found trojan horse in open office files

Post by Villeroy »

If there is some kind of malware on your computer, I can't help since I have used Linux for many years and I don't know anything about current virus scanners, personal firewalls and such.
Regarding OpenOffice.org, there is a new version 3.0 available at http://download.openoffice.org
Download that one.
Check the integrity of the downloaded file: http://download.openoffice.org/3.0.0/md5sums.html
Uninstall 2.4
Go offline, turn off your virus scanner.
Install the new version. Do not choose to take over settings from your old version.
http://download.openoffice.org/common/instructions.html
Please, edit this topic's initial post and add "[Solved]" to the subject line if your problem has been solved.
Ubuntu 18.04 with LibreOffice 6.0, latest OpenOffice and LibreOffice
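Villeroy's step of checking the downloaded file against the published md5sums list can be scripted; this is an added example, not code from the thread or from OpenOffice.org. It parses a manifest in the two-column `md5sum` layout ("digest  filename" per line) and compares the digest of a local file with the entry for its name; the file name and contents below are constructed stand-ins, and the hash algorithm is a parameter because the same check applies to SHA-256 lists published by later releases.

```python
import hashlib
import os
import tempfile


def parse_manifest(text):
    """Parse md5sum-style output into {file name: lowercase hex digest}.

    Each line is "<digest>  <name>"; GNU md5sum prefixes binary-mode
    names with "*", which is stripped so lookups by plain name work.
    Blank lines and '#' comments are ignored.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def file_digest(path, algorithm="md5"):
    """Hash a file in 1 MiB chunks so large installers do not sit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, manifest_text, algorithm="md5"):
    """Return (ok, reason). ok is True only when the file's digest equals
    the manifest entry for its base name; a missing entry is a failure,
    not a pass, because an unlisted file cannot be vouched for."""
    expected = parse_manifest(manifest_text)
    name = os.path.basename(path)
    if name not in expected:
        return False, "no manifest entry for %s" % name
    actual = file_digest(path, algorithm)
    if actual != expected[name]:
        return False, "digest mismatch: expected %s, got %s" % (expected[name], actual)
    return True, "ok"


def demo():
    """Run the check against a constructed file in three situations:
    a matching manifest, a manifest whose digest was altered, and a
    manifest that does not list the file at all."""
    # Constructed sample bytes; not a real OpenOffice.org installer.
    content = b"constructed installer bytes, not a real OOo download\n"
    name = "OOo_installer_placeholder.exe"  # placeholder file name
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(content)
        good = hashlib.md5(content).hexdigest()
        ok_good, _ = verify_download(path, "%s  %s\n" % (good, name))
        # Flip the first hex digit to mimic a manifest that does not match.
        bad = ("0" if good[0] != "0" else "1") + good[1:]
        ok_bad, _ = verify_download(path, "%s *%s\n" % (bad, name))
        ok_missing, _ = verify_download(path, "%s  other.exe\n" % good)
        return {"good": ok_good, "tampered": ok_bad, "missing": ok_missing}


if __name__ == "__main__":
    print(demo())
```

A matching digest only proves the file is the one the project published, so the manifest must be fetched from the project's own site over a trusted connection rather than from the mirror that served the download.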
cnebrandt
Posts: 4
Joined: Wed Nov 05, 2008 12:38 am

Re: AVG found trojan horse in open office files

Post by cnebrandt »

I will download the new version but I am only 44% through the mcafee scan. I want to see if it finds anything before I download something new. If there is a problem it might be too late to just stop it by downloading a new version.

By the way, I probably also downloaded it from the openoffice.org website. I just can't remember.
OOo 2.4.X on MS Windows Vista
robo45h
Posts: 1
Joined: Wed Nov 05, 2008 4:59 am

Re: AVG found trojan horse in open office files

Post by robo45h »

I had exactly the same problem. I just downloaded OOo 3.0 from the OOo website directly. When I try to install it, AVG indicates a "Threat Detected!"


File name: C:\Program Files\OpenOffice.org 2.4\programs\msi-pkgchk.exe
Threat name: Trojan horse Downloader.Generic8.BCQ
Detected on open.
Also as described, the "More information about this Threat..." link from AVG takes you to a generic page with no useful information. Searching for the Threat name also gives nothing useful.
OOo 3.0.X on Ms Windows XP + Ubuntu
avibp
Posts: 1
Joined: Wed Nov 05, 2008 5:40 am

Re: AVG found trojan horse in open office files

Post by avibp »

My XP box using AVG has just found the same bug. I think it is an AVG false positive.

I tried to "heal" it and AVG threw It into the vault. So, when I find out it is an AVG issue, I will restore it from the vault.
OOo 2.4.X on Ms Windows XP + Linux, Vista
lgusaas
Volunteer
Posts: 1580
Joined: Sun Mar 30, 2008 8:32 pm
Location: Moose Jaw, SK Canada

Re: AVG found trojan horse in open office files

Post by lgusaas »

You should have done a search on Google. You would have found that msi-pkgchk.exe is a legitimate part of OO.o.
Larry I. Gusaas
Moose Jaw, SK Canada
Website: http://larry-gusaas.com
"An artist is never ahead of his time but most people are far behind theirs." Edgard Varese
Apache OpenOffice 4.1.14 — MacBook Air (M1)—macOS Ver.13.5 Ventura
owilky
Posts: 7
Joined: Wed Nov 05, 2008 11:47 am

Re: AVG found trojan horse in open office files

Post by owilky »

Also posted under......Trojan downloaded with OO software

Sorry if posted on two threads but maybe they should be merged.

I too have a trojan picked up by AVG Anti-Virus Pro... "Trojan horse Downloader. Generic8.BCQ"

Found here......C:\Documents and Settings\Peter\My Documents\Office\openoffice.org-core02.cab


OpenOffice version 3.0.9357.500


I tried the MD5sum link but it is not compatible with firefox3 so cannot check it that way.

Also my connection is dropped when using that page.

I have just edited this post to say "explorer.exe" also crashed after visiting the MD5sum page when I closed Firefox after the download failed due to the compatibility issue with Firefox.

It seems OpenOffice is a few years behind the rest of the world when it comes to browsers.
OOo 3.0.X on Ms Windows XP
cnebrandt
Posts: 4
Joined: Wed Nov 05, 2008 12:38 am

Re: AVG found trojan horse in open office files

Post by cnebrandt »

Mcafee found no threats so I downloaded openoffice 3 and now even AVG does not find any threat, at least not yet.

But I do not understand why I wasn't informed about the update even though
I probably had installed "check for updates automatically". And when I went through "check for updates" within the program I was only offered OpenOffice 2.4.1, not 3.
OOo 2.4.X on MS Windows Vista
Hagar Delest
Moderator
Posts: 32676
Joined: Sun Oct 07, 2007 9:07 pm
Location: France

Re: AVG found trojan horse in open office files

Post by Hagar Delest »

Because the 3.0 is a major branch change. Rather different from 2.#. And 3.0 is not compatible with old Windows versions like 95, 98, ME. So this would lead the users running those versions to a wrong install.
LibreOffice 24.2 on Xubuntu 24.04 and 7.6.4.1 portable on Windows 10
rahmank
Posts: 2
Joined: Wed Nov 05, 2008 12:54 am

Re: AVG found trojan horse in open office files

Post by rahmank »

I did do the md5sum when I installed OOo, so I am guessing this is an AVG fault. I'll report it to AVG and see what they do. In the meantime I'll upgrade to OOo 3.

thanks for all the help
OOo 2.4.X on Ms Windows XP + Vista
DJ-Leith
Posts: 9
Joined: Wed Nov 05, 2008 10:37 pm

Re: AVG found trojan horse in open office files

Post by DJ-Leith »

I think this might be a false positive.

On 05/11/2008 (November 5th, 2008) AVG (v8) did a
Scheduled scan of whole Computer at 02:05.

AVG found
C:\Program Files\OpenOffice.org 2.4\program\msi-pkgchk.exe
D:\OpenOffice2-4-1-DL\openoffice.org-core02.cab
D:\OpenOffice2-4-1-DL\openoffice.org-core02.cab:\msi_pkgchk.exe
('underbar' and not 'dash' in the 3rd line).

All 3 found as "Trojan horse Downloader.Generic8.BCQ"
All 3 moved to Virus Vault.

Comment:
On 04/10/2008 (October 4th, 2008)
I downloaded OO from the OO website to
D:\OpenOffice2-4-1-DL\ prior to upgrading my OO.
I would NOT expect any 'change in the download area'.

AVG has been doing the 'Scheduled scan' every
day at 02:05 and these files were OK / passed / not detected
until 05/11/2008. This makes me think that the 'detection'
is likely to be a false positive. So far there is no
confirmation from AVG.

At 17:17 on 05/11/2008 Updated AVG to
Virus DB: 270.8.6/1769
AVG version: 8.0.198
At that time there was also an AVG Program Update available
but I wanted to check the scan results before making changes.

The previous update to AVG was done at 21:39 on 04/11/2008.
I don't know the Virus DB version that was released on
04/11/2008 but I suspect that this is the one that is
now causing the false positive.
--
Edit, on 09/11/2008, to correct path to "msi-pkgchk.exe"
Last edited by DJ-Leith on Sun Nov 09, 2008 5:54 pm, edited 1 time in total.
OOo 2.4.X on MS Windows Vista
Zoandar
Posts: 14
Joined: Wed Mar 12, 2008 9:23 pm

Re: AVG found trojan horse in open office files

Post by Zoandar »

Which version of AVG are you guys using when it finds this? I am currently running the FREE AVG 7.5 on my notebook, and 8.0 on my PC.

Both of them are in the middle of their daily scheduled scans. I am running OO 2.3 on both machines, installed from the same download.

The notebook's AVG 7.5 is reporting this trojan horse downloader.generic8.bcq

But the PC's AVG 8, which is deep into the last few of my many drive letters, is not reporting it at all. Maybe the problem of a possible false positive hit has been fixed in AVG 8?

OK, AVG 7.5 is done on the notebook, and is reporting the issue as "healed". It deleted 2 instances of the msi_pkgchk.exe files, and then archived the openoffice.org-core02.cab file in the vault. Since reading this thread was the first I had seen of an OO version 3 being offered, I will upgrade to that version soon. Sooner if the notebook's version 2.3 no longer runs. :-)

The AVG 8 on the PC is still checking. But it has yet to report anything.
DJ-Leith
Posts: 9
Joined: Wed Nov 05, 2008 10:37 pm

Re: AVG found trojan horse in open office files

Post by DJ-Leith »

Hi Zoandar,

I am using AVG Version 8.
Since I posted I've done another update.
Currently
AVG Version: 8.0.199 and
Virus DB: 270.9.0/1770

I sent AVG the 'file from my vault' for them
to test to see if it was a false positive.

The file I selected was the 'vault file that was'
C:\Program Files\OpenOffice.org 2.4\program\msi-pkgchk.exe
as I suspected the CAB file would be large.

I heard nothing so I sent AVG an E-Mail via
their Support site pasting in my post (above).

I have had an automated reply.
If I don't get a 'human response' I will try, in a few days,
to put the 'files back from the vault' and rescan with
the latest AVG.

DJ-Leith
--
Edit, on 09/11/2008, to correct path to "msi-pkgchk.exe"
Last edited by DJ-Leith on Sun Nov 09, 2008 6:07 pm, edited 1 time in total.
OOo 2.4.X on MS Windows Vista
Zoandar
Posts: 14
Joined: Wed Mar 12, 2008 9:23 pm

Re: AVG found trojan horse in open office files

Post by Zoandar »

Hi DJ-Leith

My PC's full AVG version number is 8.0.175, so it looks like it still needs to check for updates today. But it never reported anything at all regarding this issue. I'll check back to see if AVG tells you anything.
owilky
Posts: 7
Joined: Wed Nov 05, 2008 11:47 am

Re: AVG found trojan horse in open office files

Post by owilky »

Mine was found by AVG Pro 8.0.199.

I have sent the cab file to AVG as someone else has sent the other file.

I will post any reply from AVG if I get one, although I should, using the Pro version.
OOo 3.0.X on Ms Windows XP
TheGurkha
Volunteer
Posts: 6482
Joined: Thu Mar 13, 2008 12:13 pm
Location: North Wales, UK.

Re: AVG found trojan horse in open office files

Post by TheGurkha »

Perhaps unrelated, but my latest AVG at home (not at home right now so can't check the version) has recently thrown a few other false-positives on different non-OOo software.
Ubuntu 14.10 Utopic Unicorn, LibreOffice Version: 4.3.3.2
Gurkha Welfare Trust
owilky
Posts: 7
Joined: Wed Nov 05, 2008 11:47 am

Re: AVG found trojan horse in open office files

Post by owilky »

AVG Support report that it is an infection not a false positive..........

The reply


AVG Anti-virus Research Lab has analyzed the file(s) you have sent from your AVG Virus Vault. Below you can find the results for each file. The final verdict on the file is either a correct detection or a false positive detection.

Further information about the verdicts are available at our website:
http://www.avg.com/faq-1184

all files are detected correctly



Best regards,

AVG Technical Support
website: http://www.avg.com
OOo 3.0.X on Ms Windows XP
TheGurkha
Volunteer
Posts: 6482
Joined: Thu Mar 13, 2008 12:13 pm
Location: North Wales, UK.

Re: AVG found trojan horse in open office files

Post by TheGurkha »

That's not what I read it as:
owilky wrote: The final verdict on the file is either a correct detection or a false positive detection.
We knew that much before hand!
Ubuntu 14.10 Utopic Unicorn, LibreOffice Version: 4.3.3.2
Gurkha Welfare Trust
owilky
Posts: 7
Joined: Wed Nov 05, 2008 11:47 am

Re: AVG found trojan horse in open office files

Post by owilky »

Why? It says all files are detected correctly.


If they were safe it would say detected as false.
OOo 3.0.X on Ms Windows XP
TheGurkha
Volunteer
Posts: 6482
Joined: Thu Mar 13, 2008 12:13 pm
Location: North Wales, UK.

Re: AVG found trojan horse in open office files

Post by TheGurkha »

As a test I have downloaded and installed the portable version of OOo which is put together by PortableApps.com. This package also triggers AVG on the same file. The chances of that infection happening in two packages coming from two different sources is pretty remote to say the least. I really think this is a false-positive. Also, our corporate Computer Associates anti-virus at work (which has its signature files updated daily) doesn't flag anything.
Ubuntu 14.10 Utopic Unicorn, LibreOffice Version: 4.3.3.2
Gurkha Welfare Trust
DJ-Leith
Posts: 9
Joined: Wed Nov 05, 2008 10:37 pm

Re: AVG found trojan horse in open office files

Post by DJ-Leith »

I still think most of us are having/were having a false positive warning from AVG.

I think there are several issues here.
1. False positive.
2. The interpretation of AVGs 'feedback' and their FAQ Pages.
3. There is a known security issue with OOo Version 2.4.1 but not with Version 3.
4. Infected OOo - I speculate that due to the popularity of OOo Version 3 the bad guys may have been offering 'tainted downloads'.

As there have been over one thousand views of this thread I think it is worth making some comments for clarification. I'll now make 4 separate posts.
OOo 2.4.X on MS Windows Vista
DJ-Leith
Posts: 9
Joined: Wed Nov 05, 2008 10:37 pm

Re: AVG found trojan horse in open office files

Post by DJ-Leith »

1. False positive.
I still think most of us are having/were having a false positive warning from AVG.

A key date is 4th November 2008.

Before 04/11/08 several people were having issues
with a Trojan found in an Open Office (OOo) download.
See "Trojan downloaded with OO software" thread.
In the Getting started, Setup and Troubleshooting.

On 05/11/08 many reports of AVG finding a Trojan.
See this thread "AVG found trojan horse in open office files"
and many other discussion boards.

AVG are calling this Generic8.BCQ
AVG is finding it in "msi-pkgchk.exe".
and the CAB file where, I guess, it was put by the OOo developers
when they 'packaged up the files ready for download'.
The CABinet file is called "openoffice.org-core02.cab".

Several posts refer to AVG having had false positive.
I think this is another 'AVG false positive'.
As far as I can find no other Anti Virus software
is reporting "msi-pkgchk.exe" as 'infected' or 'a Trojan'.

My AVG.
I am using the paid for "AVG Internet Security".
This includes Firewall, Anti-Virus, LinkScanner, Anti-Spyware, Anti-Spam, Anti-Rootkit etc.

Right now it is at
AVG version: 8.0.199
Virus DB: 270.9.0/1777

In my case, see my first post (on Wed Nov 05, 2008 10:51 pm),
my 'OOo Download' D:\OpenOffice2-4-1-DL\openoffice.org-core02.cab
was found to be 'infected'. This file had been 'tested and passed'
every day at 02:05 from 05/10/2008 until 04/11/2008 (a whole month).
Then, on 05/11/2008, using a Virus DB update done at 21:39 on 04/11/2008,
my AVG 'detected the Trojan'.

Now, it is much more likely for my 'program file', which is in
an expected place, C:\Program Files\OpenOffice.org 2.4\program\msi-pkgchk.exe,
to get infected.

For both the 'program file' and a CAB file that I happened to have,
in a location that was not very predictable,
to both get infected - on the same day - is not nearly so likely.

Anything is possible. As an aside - Malware has been found on the International Space Station!
See
http://www.f-secure.com/weblog/archives/00001489.html and
http://news.bbc.co.uk/1/hi/technology/7583805.stm

My point is:
Is it likely that a 'real Trojan' has the following characteristics?

1. It is present in several OOo Downloads, in the CAB Files, of several versions of OOo.
- Several 2.4.x
- In "OpenOffice version 3.0.9357.500" reported by owilky.
- the Post by TheGurkha on Fri Nov 07, 2008 11:21 am reports
"... portable version of OOo which is put together by PortableApps.com."
AND
2. It is not detected by any Anti Virus product for a month.
In cnebrandt's case for several months.
See his post on Wed Nov 05, 2008 12:54 am
AND
3. It is then widely detected by one AV Vendor's products
AND
4. Several days later it is still not being reported as being detected by any other vendor.
AND
5. There is no information on AVG's site as to what
"Trojan horse Downloader.Generic8.BCQ" is, how it works etc.
AND
6. There is no 'patch from OOo' to say something along the lines
of 'Security Issue - Trojan in CAB files / Trojan in download files...'.

I could go on...

Given all of this I just waited for AVG to get back to me
and I left the 'files in the AVG vault'.

Apart from the automated reply I have still not heard back from AVG
(see my post of Thu Nov 06, 2008 12:54 am).

This afternoon I have 'retrieved the files from the vault' and have tested them with:
AVG version: 8.0.199
Virus DB: 270.9.0/1777

Both files ("msi-pkgchk.exe" and "openoffice.org-core02.cab") now Pass.
So, AVG seem to have corrected their 'false positive'.
I don't know when - I've not had any feedback from AVG.
See my next post.
OOo 2.4.X on MS Windows Vista
DJ-Leith
Posts: 9
Joined: Wed Nov 05, 2008 10:37 pm

Re: AVG found trojan horse in open office files

Post by DJ-Leith »

2. The interpretation of AVGs 'feedback' and their FAQ Pages.

See Post by owilky on Thu Nov 06, 2008 11:06 am and the discussion that followed.

I think AVG's E-Mail to owilky is ambiguous.
One could easily read it, as owilky and I did, as meaning 'the file you submitted as a possible false positive is not a false positive - it is correctly
detected'. However, TheGurkha is quite correct in saying that it is ambiguous.

When I went to
http://www.avg.com/faq-1184 it became
http://www.avg.com/90823
In this FAQ AVG describe three possible situations:
1. Correct detection
2. False detection
3. Sent for deep manual analysis
For each there is guidance as to what to do next.

Section two has
"2. False detection

If the analysis shows that the detection of the file was incorrect, the next Definitions update will contain fix of this detection. Please update your AVG
and if a new Definitions update was downloaded, please check whether the file is still detected. There are again two possible scenarios: ... ..."

This is why I waited for AVG to 'correct their false positive'.
It is a pity that they have not replied to all the folk who submitted 'possible files for false positive testing'.
OOo 2.4.X on MS Windows Vista
DJ-Leith
Posts: 9
Joined: Wed Nov 05, 2008 10:37 pm

Re: AVG found trojan horse in open office files

Post by DJ-Leith »

3. There is a known security issue with OOo Version 2.4.1 but not with Version 3.
While researching this issue I have discovered that there are two Security issues with OOo 2.4.1 (the Version I have).

http://www.openoffice.org/security/cves ... -2237.html
CVE-2008-2237
Manipulated WMF files can lead to heap overflows and arbitrary code execution

http://www.openoffice.org/security/cves ... -2238.html
CVE-2008-2238
Manipulated EMF files can lead to heap overflows and arbitrary code execution

Resolution, for both of these is
"5. Resolution

This issue is addressed in the following release:

OpenOffice.org 2.4.2

Note: OpenOffice.org 3.0 is not affected by this vulnerability."

So if we are on OOo V2.4.1 we should upgrade to v2.4.2
and if we are on 3.0 no need to change.

I will be upgrading shortly.
OOo 2.4.X on MS Windows Vista
DJ-Leith
Posts: 9
Joined: Wed Nov 05, 2008 10:37 pm

Re: AVG found trojan horse in open office files

Post by DJ-Leith »

4. It is possible for the bad guys to offer tainted software for download.
This is well known. 'Unofficial sources' are a common source of malware.
I am no expert but I think the official download site for OOo
is via the links on http://www.openoffice.org/index.html

For OOo V2.4.2 http://download.openoffice.org/2.4.2/index.html

If you had a warning about 'an infection' BEFORE 04/11/2008
then all of my 'speculation and argument about a false positive',
in this thread, does NOT apply because I think 'this false positive warning'
only appeared after 04/11/2008.

See, as an example,
http://forum.worldstart.com/showthread. ... ost1342201
My guess is there was a problem
BEFORE 04/11/2008.
Then, on 05/11/2008, there WAS ALSO 'the AVG false positive'.

I am not suggesting that anybody went to a bad site.
I am suggesting that 'these issues are potentially very confusing'
and one has to be very careful when drawing conclusions.
OOo 2.4.X on MS Windows Vista
TheGurkha
Volunteer
Posts: 6482
Joined: Thu Mar 13, 2008 12:13 pm
Location: North Wales, UK.

Re: AVG found trojan horse in open office files

Post by TheGurkha »

My money's still on false positive.
Ubuntu 14.10 Utopic Unicorn, LibreOffice Version: 4.3.3.2
Gurkha Welfare Trust
owilky
Posts: 7
Joined: Wed Nov 05, 2008 11:47 am

Re: AVG found trojan horse in open office files

Post by owilky »

After disabling the Office option of it loading with Windows for quicker access, I no longer get the warnings when running AVG Pro.

Could it be that that is triggering something?

I am also leaning towards TheGurkha's opinion of a false positive.
OOo 3.0.X on Ms Windows XP