vlc-1.1.1-win32.exe trojan warning?

DaveMt19
New Cone
Posts: 7
Joined: 13 Nov 2008 05:13

vlc-1.1.1-win32.exe trojan warning?

Postby DaveMt19 » 22 Jul 2010 07:13

I downloaded VLC 1.1.1 (Win 32 installer) from the link to sourceforge. The file is flagged by Kaspersky as containing the trojan Trojan.Win32.TDSS.bjam.

I have tested with Norton AV and Malwarebytes, both of which say the file is clean. I uploaded the file to VirScan.org, which uses a bunch of scanners to analyze the file. It was flagged by one scanner as containing a trojan. Here are the results:

http://virscan.org/report/40d28a66fb599 ... 313b6.html

So, is this file infected or not?

DaveMt19
New Cone
Posts: 7
Joined: 13 Nov 2008 05:13

Re: vlc-1.1.1-win32.exe trojan warning?

Postby DaveMt19 » 22 Jul 2010 07:21

Also, I used another file uploading/scanning service to check the file - virustotal.net and 3 engines there report trojans in the file: Kaspersky, Antiy-AVL and The Hacker. Here are the results:

https://www.virustotal.com/analisis/9d5 ... 1279775019

Anyone have any comments?

flibble
New Cone
Posts: 2
Joined: 22 Jul 2010 09:54

Re: vlc-1.1.1-win32.exe trojan warning?

Postby flibble » 22 Jul 2010 10:07

I also receive this same warning (Trojan.Win32.TDSS.bjam) in the installer file (vlc-1.1.1-win32.exe) which has been downloaded by the VLC auto update.
When downloading and installing VLC 1.1.1 yesterday (2010-07-21), I didn't receive a warning. This is probably due to a signature update issued today (2010-07-22) which contains the new signature: http://www.securelist.com/en/descriptio ... .TDSS.bjam (Kaspersky's Malware Info Site).

However, I'm not sure whether this is just a false-positive or new malware which has recently started to spread which might have infected the VLC 1.1.1 installer (on some download locations?).

flibble
New Cone
Posts: 2
Joined: 22 Jul 2010 09:54

Re: vlc-1.1.1-win32.exe trojan warning?

Postby flibble » 22 Jul 2010 10:08

I'm using Kaspersky Internet Security 2010 (9.0.0.736) by the way.

DaveMt19
New Cone
Posts: 7
Joined: 13 Nov 2008 05:13

Re: vlc-1.1.1-win32.exe trojan warning?

Postby DaveMt19 » 22 Jul 2010 10:23

> I also receive this same warning (Trojan.Win32.TDSS.bjam) in the installer file (vlc-1.1.1-win32.exe) which has been downloaded by the VLC auto update.
> When downloading and installing VLC 1.1.1 yesterday (2010-07-21), I didn't receive a warning. This is probably due to a signature update issued today (2010-07-22) which contains the new signature: http://www.securelist.com/en/descriptio ... .TDSS.bjam (Kaspersky's Malware Info Site).
>
> However, I'm not sure whether this is just a false-positive or new malware which has recently started to spread which might have infected the VLC 1.1.1 installer (on some download locations?).

Thanks for your reply. Yes, it does seem that Kaspersky only added the signature for Trojan.Win32.TDSS.bjam yesterday, which would explain why the file wasn't flagged when you downloaded it yesterday, but was flagged when you downloaded it today.

I am wondering if other virus scanners will also start producing warnings as more of them add signatures for Trojan.Win32.TDSS.bjam over the coming few days. As you can see from the results I posted earlier, 3 virus scanners already report the file as infected, and a 4th (Symantec File Insight) flags it as "suspicious" without actually claiming a virus.

I looked up Trojan.Win32.TDSS.bjam on Google, and apparently it is a rootkit. This might explain why it's so hard to detect and is being missed by other virus scanners.

I think this is a critical issue that needs to be addressed by the VideoLAN people as soon as possible. Spreading a nasty rootkit like that to millions of people is extremely irresponsible behavior. And if these are false flags and the file is not infected, then we need to hear from them on the issue. They should explicitly state that the file is free of malware and that the warnings from various antivirus software are all wrong.

DaveMt19
New Cone
Posts: 7
Joined: 13 Nov 2008 05:13

Re: vlc-1.1.1-win32.exe trojan warning?

Postby DaveMt19 » 22 Jul 2010 11:10

Here's an update.

I reported this problem on the VLC mailing list, and one of the developers says he contacted Kaspersky. He says Kaspersky has since then updated their virus definitions, and the VLC installer is no longer flagged as having a trojan.

Could someone who uses Kaspersky please confirm this? If you have Kaspersky, download the latest virus definitions, then do a scan of the Windows VLC installer - the file vlc-1.1.1-win32.exe which is available from SourceForge. See if you get a trojan warning and report it here.

Also, since according to the list I posted earlier, other virus scanners (besides Kaspersky) also report a trojan, it'd be nice if we could get official word from the VideoLAN people that they've examined the file and guarantee it to be safe.

Thanks.

motorhue
New Cone
Posts: 1
Joined: 22 Jul 2010 11:24

Re: vlc-1.1.1-win32.exe trojan warning?

Postby motorhue » 22 Jul 2010 11:40

I am using F-Secure, and got trojan warnings as you did. However I checked for updated virus definitions just now, and still it reports the trojan when trying to download vlc v1.1.1. However this may be due to delay over at the F-secure guys?

Edit: F-secure now flags vlc v1.1.1 as safe.
Last edited by motorhue on 22 Jul 2010 15:14, edited 1 time in total.

debunk
New Cone
Posts: 1
Joined: 22 Jul 2010 14:35

Re: vlc-1.1.1-win32.exe trojan warning?

Postby debunk » 22 Jul 2010 14:36

> Could someone who uses Kaspersky please confirm this? If you have Kaspersky, download the latest virus definitions, then do a scan of the Windows VLC installer - the file vlc-1.1.1-win32.exe which is available from SourceForge. See if you get a trojan warning and report it here.

As of today Kaspersky no longer gives a trojan warning.

thresh
Site Administrator
Posts: 92
Joined: 22 Mar 2006 11:28
VLC version: git master
Operating System: Linux
Location: Korolev, Russian Federation

Re: vlc-1.1.1-win32.exe trojan warning?

Postby thresh » 22 Jul 2010 15:53

Nothing to worry about, folks, VLC is definitely not a trojan if downloaded from videolan.org!

Here's a reply from Kaspersky Labs virus analyst I've just received:
Date: Thu, 22 Jul 2010 17:40:26 +0400
From: newvirus@kaspersky.com
Subject: RE: False positive in vlc 1.1.1 release.


Hello,

Sorry, it was a false detection. It will be fixed in the next update.
Thank you for your help.

-------------------------------------------
Best wishes, Pavel Firsov.
Virus analyst , Kaspersky Lab.
_____________________________
Ph.: +7(095)797-8700
Fax.: +7 (495) 948-43-31
newvirus@kaspersky.com
http://www.kaspersky.com http://www.viruslist.com
--------------------------------------------
http://www.kaspersky.ru/virusscanner - online scan
http://www.kaspersky.com/helpdesk.html - technical support
Konstantin Pavlov

Jean-Baptiste Kempf
Site Administrator
Posts: 37519
Joined: 22 Jul 2005 15:29
VLC version: 4.0.0-git
Operating System: Linux, Windows, Mac
Location: Cone, France

Re: vlc-1.1.1-win32.exe trojan warning?

Postby Jean-Baptiste Kempf » 22 Jul 2010 18:15

Guys, VLC for Windows is compiled on LINUX, on a box, where there are NO Windows installed...

Very unlikely to be infected...
Jean-Baptiste Kempf
http://www.jbkempf.com/ - http://www.jbkempf.com/blog/category/Videolan
VLC media player developer, VideoLAN President and Sites administrator
If you want an answer to your question, just be specific and precise. Don't use Private Messages.

VLC_help
Mega Cone Master
Posts: 25661
Joined: 13 Sep 2006 14:16

Re: vlc-1.1.1-win32.exe trojan warning?

Postby VLC_help » 22 Jul 2010 18:18

This seems to happen with EVERY VLC release. Maybe we should do source code only releases...

ekear
New Cone
Posts: 3
Joined: 02 Aug 2010 17:42

Re: vlc-1.1.1-win32.exe trojan warning?

Postby ekear » 02 Aug 2010 17:56

And it happened again:
Kaspersky Internet Security 2010 (9.0.0.726.a.b.c) detects "vlc-1.1.2-win32.exe" this time as "Trojan.Win32.TDSS.bjem".
As you can see here on securelist the signature is quite new.

Here is the VirusTotal report: *Click*

I sent a request to Kaspersky via HelpDesk. Waiting for an answer.

Jean-Baptiste Kempf
Site Administrator
Posts: 37519
Joined: 22 Jul 2005 15:29
VLC version: 4.0.0-git
Operating System: Linux, Windows, Mac
Location: Cone, France

Re: vlc-1.1.1-win32.exe trojan warning?

Postby Jean-Baptiste Kempf » 02 Aug 2010 18:30

Use a better antivirus.

Ludrax
Big Cone-huna
Posts: 568
Joined: 07 Jul 2010 14:28

Re: vlc-1.1.1-win32.exe trojan warning?

Postby Ludrax » 02 Aug 2010 18:47

An' if ain't broke, then don't try to fix it...

ekear
New Cone
Posts: 3
Joined: 02 Aug 2010 17:42

Re: vlc-1.1.1-win32.exe trojan warning?

Postby ekear » 03 Aug 2010 01:27

Hello,

Sorry, it was a false detection. It will be fixed in the next update.
Thank you for your help.

Please quote all when answering.
-----------------
Regards, Baranov Artiom
Virus Analyst, Kaspersky Lab.

