Just downloaded Drupal 6.13

When I extracted the files from the tar.gz file, my Trend Micro anti-virus alerted that 3 files are infected.

modules/color/color.install - BKDR_IRCBOT.BZQ
modules/profile/profile-wrapper.tpl.php - TROJ_SWIZZOR.KXV
modules/translation/translation.module - TROJ_FRAUDLO.LL

Is it a false positive or there's something wrong with the download?

FALSE POSITIVE. Locked thread too. chx.

Comments

hass’s picture

Same here, but I've only seen the color.install and profile wrapper. Must be a false detection.

cyaneo’s picture

Already sent this to Trend Micro support.

vitoabrusci’s picture

We've got the same.
Disabling Trend Micro.

ailgm’s picture

I'm running into this too. My site hosting company's anti-virus is now deleting these files on our sites, and preventing their upload, causing errors on live sites.

ailgm’s picture

I have found that the file translation.module is also being flagged on Drupal 6.12 sites.

asmdec’s picture

Is it really a false positive???

michelle’s picture

It is.

Michelle

asmdec’s picture

Thank you! :)

drumming_cat’s picture

Hi, I've received virus messages for every single color.install file that I've got on my hard drive (all various Drupal 5 versions).
The color.install files are NOT plain text anymore, I tried to open one in Dreamweaver, it returned cryptic signs.
At the same time that TrendMicro reported the viruses, Spyware Doctor reported 2 trojans, Backdoor.Ciadoor!sd5 and Backdoor.Delf!ct.
I don't believe that these are false reports at all. I've been working hard on getting rid of the viruses and trojans since then.

vm’s picture

drupal.org and/or Drupal core downloads are not packaged with viruses. Either you already had a virus or there is some other issue at hand that has nothing to do with Drupal.

Avast isn't reporting anything with regards to Drupal 6.13, nor is Norton or Symantec. Thus the common denominator in this thread is Trend Micro.

nevets’s picture

I just downloaded a fresh copy of 6.13 and color.install is a text file as expected.

bestknight’s picture

Has anyone from the Drupal team (maybe someone from the security team?) officially contacted Trend Micro / protested against this false alarm?

vm’s picture

I'd be curious if downloading other PHP scripts produces the same issue before anyone from Drupal became involved. If it's PHP across the board, these users' machines could already be infected with something that is wreaking havoc on PHP files of some sort.

yt2s’s picture

I've had the same issues as described above. Additionally, I keep previous versions archived. Today Trend Micro ran a scan and removed ALL of the .tar.gz's from my hard drive. I think I had every version of 6, but I know I had 6.5-6.13 stored locally, and they're all gone.

On the suggestion of VeryMisunderstood above, I downloaded some other OS/CMS scripts, as well as Drupal again:

  • cmsmadesimple
  • joomla
  • mediawiki
  • modx
  • pixelpost
  • textpattern
  • typo3
  • wordpress
  • ...and...
  • drupal-5.19
  • drupal-6.13

I ran Trend Micro on every one of them. The Drupal downloads were the only ones that TM flagged and quarantined. The results were as follows:

  File: color.install (drupal-5-19.tar.gz)
  Threat name: BKDR_IRCBOT.BZQ

  File: color.install (drupal-6.13.tar.gz)
  Threat name: BKDR_IRCBOT.BZQ

  File: profile-wrapper.tpl.php (drupal-6.13.tar.gz)
  Threat name: TROJ_SWIZZOR.KXV

  File: translation.module (drupal-6.13.tar.gz)
  Threat name: TROJ_FRAUDLO.LL

The three names (BKDR_IRCBOT.BZQ, TROJ_SWIZZOR.KXV, TROJ_FRAUDLO.LL) are in TM's July 08, 2009 Pattern Release. They do not appear to be in the Feb 09 pattern release. I am bamboozled as to why TM is snagging only Drupal files. I would be very curious to know if any other AV software brands are snagging Drupal files as well. Since this TM pattern release is only a few days old, would it make sense that other AVs may soon be rolling out new pattern releases which would affect Drupal as well?

Oh yeah, I almost forgot the part that made me get that "not so good feeling in my stomach": TM quarantined the files out of my testing server as well as ALL Drupal site backup zips on the drive.

Could this be a drupal problem or do you think it is indeed a trend micro problem?

Thoughts?
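A practical way to settle the "is it the download or is it my machine" question that this thread keeps circling is to inspect the flagged members of the tarball directly: check that each one is still plain text (as nevets did for color.install, and as drumming_cat found was no longer true on their disk) and compare its SHA-256 against a freshly downloaded copy. The script below is an added example and is not code from Drupal or from anyone in this thread; it constructs two small in-memory tarballs (a "fresh" copy and a "local" copy with one corrupted member) to stand in for the real drupal-6.13.tar.gz, and the member paths are assumed to follow the usual `drupal-6.13/...` layout. On real input you would read both archives from disk with `open(path, "rb").read()`.

```python
import hashlib
import io
import tarfile

# Paths (assumed layout) of the three files this thread reports Trend Micro flagging.
FLAGGED = [
    "drupal-6.13/modules/color/color.install",
    "drupal-6.13/modules/profile/profile-wrapper.tpl.php",
    "drupal-6.13/modules/translation/translation.module",
]


def is_plain_text(data: bytes) -> bool:
    """A PHP source file should decode as UTF-8 and contain no NUL or other
    control bytes apart from tab, LF and CR. Anything else is not the text
    file Drupal ships."""
    if b"\x00" in data:
        return False
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch in "\t\n\r" or ord(ch) >= 0x20 for ch in text)


def inspect_tarball(tar_bytes: bytes, members):
    """Return {member: {"found": bool, "is_text": bool|None, "sha256": str|None}}
    for the requested members of a (gzip or plain) tar archive."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        by_name = {m.name: m for m in tar.getmembers()}
        for name in members:
            info = by_name.get(name)
            if info is None or not info.isfile():
                report[name] = {"found": False, "is_text": None, "sha256": None}
                continue
            data = tar.extractfile(info).read()
            report[name] = {
                "found": True,
                "is_text": is_plain_text(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            }
    return report


def compare_downloads(report_a, report_b):
    """Members whose content differs between two copies (or is missing from one)."""
    names = set(report_a) | set(report_b)
    return sorted(
        n for n in names
        if report_a.get(n, {}).get("sha256") != report_b.get(n, {}).get("sha256")
    )


def build_tarball(files) -> bytes:
    """Constructed sample only: build a .tar.gz in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed stand-ins for the real archive contents (not Drupal's actual files).
_COLOR = b"<?php\n// color.install stand-in\nfunction color_install() {}\n"
_WRAPPER = b"<div class=\"profile\">\n  <?php print $content; ?>\n</div>\n"
_TRANSLATION = b"<?php\n// translation.module stand-in\nfunction translation_menu() {}\n"

FRESH = build_tarball({FLAGGED[0]: _COLOR, FLAGGED[1]: _WRAPPER, FLAGGED[2]: _TRANSLATION})
# "Local" copy where color.install has been replaced by non-text garbage,
# the symptom drumming_cat described.
LOCAL = build_tarball({FLAGGED[0]: b"\x00\x8b\x01\xff garbled", FLAGGED[1]: _WRAPPER,
                       FLAGGED[2]: _TRANSLATION})


def demo():
    fresh = inspect_tarball(FRESH, FLAGGED)
    local = inspect_tarball(LOCAL, FLAGGED)
    return fresh, local, compare_downloads(fresh, local)


if __name__ == "__main__":
    fresh, local, diff = demo()
    for name in FLAGGED:
        print(name, "fresh text:", fresh[name]["is_text"], "local text:", local[name]["is_text"])
    print("members that differ between copies:", diff)
```

If every flagged member is plain text and hashes identically in a fresh download and in the local copy, the scanner is reacting to the file's content itself, which points to a signature problem rather than a compromised archive; if the local copy differs or is no longer text, the problem is on the machine or in the archive that was stored there.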

vm’s picture

for example: profile wrapper only contains XHTML. Why it would be picked up as a virus doesn't make sense.