
Peneluta Trojan

Discussion in 'Tomato Firmware' started by GeeTek, Oct 20, 2007.

  1. GeeTek

    GeeTek Guest

    Never take it seriously until it happens to you! I have been running eset's new beta security suite for a couple of days. When I open the official Tomato link (the sticky at the top of the Tomato forum page), the html temporary file on the computer gets quarantined and the page will not display. The security program says it is probably a variant of "VBS\Peneluta.a Trojan". Does not sound good. I understand the occasional false positive, but my stupid question is why does it detect the trojan only on that one single thread while all the rest of the threads in the forum open fine with no trojan detected? Even RoadKill's VPN thread is clean. Only the official Tomato thread triggers. Something smells fishy.
     
  2. GeeTek

    GeeTek Guest

    I submitted the htm file to Jotti. Only NOD found this probable variant. Hopefully nothing nasty, but what could be different about that thread than all the other threads? Beating dead horses is a worthy fetish....

    Does not seem to be taken very seriously. Here is what Jotti said:

    File: showthread[1].htm
    Status: POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
    MD5: e35f99c66816b156f321e155bad6a37b
     
  3. Toxic

    Toxic Administrator Staff Member

    Is this thread residing on my site? What is the URL to the actual thread, and what is the thread post that seems to be triggering it?

    Since the file in question is an htm file no doubt residing in your temporary internet files, have you tried deleting ALL temp files and restarting your browser to see if the error occurs again?
     
  4. kspare

    kspare Computer Guy Staff Member Member

    Can you post the actual link so we can look into this?
     
  5. GeeTek

    GeeTek Guest


    Here on your site, in this Tomato forum we are in. At the top of the list of threads there is a sticky thread labelled "Official Tomato v1.10.1188 Released (123...last page)". When I click on that thread to read it, the anti-virus blocks access to the page with the trojan warning. If I disable the HTTP scan protection the page loads to the temporary internet files in my PC as an htm file and is immediately quarantined by the file scanner portion of the software, still preventing access to the thread. I restored the file from quarantine to c:\virus and disabled the antivirus so I could submit the htm file to http://virusscan.jotti.org/ which scans the file with numerous antivirus engines. NOD32 (the creator of my beta security suite) identifies it as possibly infected with the same trojan that my PC triggers on when trying to open that thread. That is why I was curious to know what could be different about that one thread when all others open fine with no warning. Here is a full sized screen shot. (Click on the picture for expanded view.)
    http://www.dslreports.com/forum/r19294894-Eset-is-on-the-ball

    Edit - For extra clarification here is an actual link to the thread that currently is blocked from opening on my computer. http://www.linksysinfo.org/forums/showthread.php?t=54928
     
  6. Mastec

    Mastec Network Guru Member

    I have NOD32, the page opened just fine for me.
     
  7. Toxic

    Toxic Administrator Staff Member

    I think the problem is the link that danix71 gave http://www.linksysinfo.org/forums/showthread.php?t=54930 which discusses Tomato firmware having a trojan virus.

    Here is his original post on its own:

    http://www.linksysinfo.org/forums/showpost.php?p=310972&postcount=4

    Does it block that?

    The post he is referring to says:

    FALSE ALARM !!! Trojan detected in Tomato v1.10.1188 thread
    Nod32 detected a virus in the tomato release thread.
    a VBS variant of Peneluta.A Trojan.


    So much for web based virus scanning software. More like Paranoid Software.
     
  8. Mastec

    Mastec Network Guru Member

    Blocks nothing

    The link you posted opened and his link Then...? opened without incident.

    Must have been a false positive
     
  9. Toxic

    Toxic Administrator Staff Member

    Problem is, false positives get noticed no matter what, especially when my site is said to have a virus on a separate website (dslreports forums) and then we find it does not have a virus.
     
  10. GeeTek

    GeeTek Guest

    In reference to that thread, what I had uploaded to Jotti then was the Tomato firmware file. I did not catch the fact that it was the thread itself he was referring to. It is the same virus name that I am seeing. I submitted the htm file to ESET. I'll post back with any results they return. The trojan name is prefixed with "VBS". I wonder if that is an abbreviation for "Visual Basic Script"?
     
  11. Macskeeball

    Macskeeball LI Guru Member

    Mac and Linux FTW. In over eleven years of computing, I've never had to deal with malware on any of my systems. :p
     
  12. sillydoh

    sillydoh LI Guru Member

    Could it be that you're using beta software?
     
  13. GeeTek

    GeeTek Guest

    Good question, but no. See the Jotti info I posted previously.

    Even if beta security software was to blame, why does it only trigger on one single thread and not any of the others? Good or bad, something is different about that thread. Jotti is an online file checker that uses multiple virus detection engines, and they currently flag that thread. This has nothing to do with my computer. Maybe when they finish analyzing the file I submitted they will correct the false positive in their signature database.
     
  14. Toxic

    Toxic Administrator Staff Member

    Best to ask the authors of this software if it triggers when it sees links pointing to another thread mentioning vbs and trojans.
     
  15. GeeTek

    GeeTek Guest

    It would be much easier to create a new thread with such a link and let me click on it and see if that is it. If you do, lock it so that there will only be your post with the reference link.
     
  16. Toxic

    Toxic Administrator Staff Member

    I have done so in the linksyschat forum, however since you are the only one that has reported any fault with that thread I need you to delete any quarantined viruses and temp files on your system and then test again. I don't want something on your beta firmware warning you about a link that has already been reported. It may just do the same, since it has already taken a "been there, done that" approach.
     
  17. GeeTek

    GeeTek Guest

    Ok, I'll clean temp files and the quarantine and post back shortly.
     
  18. GeeTek

    GeeTek Guest

  19. GeeTek

    GeeTek Guest

    That is an exact copy of the thread, is it not? If so, I'll shut the anti-virus off, save the infected page again and also save a copy of the alternate page. Then compare MD5 on them.
     
  20. Toxic

    Toxic Administrator Staff Member

    I've opened/edited each post on that thread in plain text view; there is only PLAIN TEXT in all those posts.

    Does NOD32 report links back to a database and remember them for all time to its users, so if you go there again it will always report a false positive?

    tbh I am certain there is nothing wrong with the thread so I'm not looking anymore into it, unless all NOD users and other antivirus software that scans web pages report similar problems.

    Does the official NOD report anything? Or is it just the beta?
     
  21. danix71

    danix71 LI Guru Member

    I run nod32 (updated) both at home and at the office. I never had any problem with web pages of linksysinfo.org/forums.
     
  22. GeeTek

    GeeTek Guest

    Don't give up so quickly. There is something different about the Tomato thread version; it has something in it that the alternate one does not have. I saved each page to the hard drive. To save the infected page I turned off the WEB scanning component. I get the warning that the file has been cleaned by quarantine and the web page displays on my computer. When I click on "File" and "Save" to the hard drive it triggers again and quarantines just the infected component. I have saved 2 copies of the infected version and 2 copies of the clean version. There is never the same number of files or folders in the different saved versions. Of the 2 clean versions one has 68 files and 8 folders, the other has 60 files and 8 folders. Of the 2 infected copies (minus the quarantined component) one version has 66 files with 7 folders and the other has 68 files and 8 folders. The differing file counts tell me that it must be the advertisements that piggyback into the page, and that the infected version has an advertiser that the non-infected one does not have. Just my hypothesis. Since the anti-virus is quarantining the infected part, I cannot see what it is on the saved versions on my hard drive.
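Posts #19 and #22 above describe a manual triage of the heuristic alert: save the flagged thread and the clean copy to disk, then compare MD5s and file counts to find which component differs. The script below is an added example (not code from anyone in this thread and not an ESET or Jotti tool) that automates that comparison for two "Save As" directory trees: it hashes every file, reports what is only in the flagged copy, only in the clean copy, changed, or identical, and lists size and SHA-256 for the extra files so they can be submitted to a multi-engine scanner on their own. The sample trees it builds are constructed in a temporary directory; the file names (showthread.htm, ad_rotator.js) and contents are assumptions made for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of one file, read in chunks so a 1.5 MB saved page isn't loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every file under root (relative POSIX path) to (size_in_bytes, sha256)."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            result[p.relative_to(root).as_posix()] = (p.stat().st_size, sha256_file(p))
    return result


def diff_saved_pages(clean_dir, flagged_dir):
    """Compare two 'Save As' trees of the same page and classify every file."""
    clean, flagged = snapshot(clean_dir), snapshot(flagged_dir)
    common = set(clean) & set(flagged)
    extra = sorted(set(flagged) - set(clean))
    return {
        "only_in_clean": sorted(set(clean) - set(flagged)),
        "only_in_flagged": extra,
        "changed": sorted(k for k in common if clean[k][1] != flagged[k][1]),
        "identical": sorted(k for k in common if clean[k][1] == flagged[k][1]),
        # size + hash of the extra components: what you would submit for a second opinion
        "flagged_details": {k: {"size": flagged[k][0], "sha256": flagged[k][1]} for k in extra},
    }


def build_sample(base):
    """Constructed sample: two saved copies of one thread; the flagged copy pulled in an extra ad script."""
    base = Path(base)
    post = b"<html><body><p>Official Tomato release thread, plain text posts.</p></body></html>\n"
    shared = {
        "showthread_files/style.css": b"body { font-family: sans-serif; }\n",
        "showthread_files/logo.gif": b"GIF89a\x01\x00\x01\x00\x00\x00\x00;",  # minimal placeholder image
    }
    clean, flagged = base / "clean", base / "flagged"
    for tree in (clean, flagged):
        (tree / "showthread_files").mkdir(parents=True)
        for rel, data in shared.items():
            (tree / rel).write_bytes(data)
    (clean / "showthread.htm").write_bytes(post)
    # the flagged copy references one more script, so the main htm differs and an extra file appears
    (flagged / "showthread.htm").write_bytes(
        post.replace(b"</body>", b'<script src="showthread_files/ad_rotator.js"></script></body>')
    )
    (flagged / "showthread_files/ad_rotator.js").write_bytes(
        b"// constructed placeholder for a rotating ad script\nvar ad = 1;\n"
    )
    return clean, flagged


def demo():
    """Build the constructed sample in a temp dir and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, flagged = build_sample(tmp)
        return diff_saved_pages(clean, flagged)


if __name__ == "__main__":
    report = demo()
    for key in ("only_in_flagged", "changed", "identical", "only_in_clean"):
        print(f"{key}: {report[key]}")
    for rel, info in report["flagged_details"].items():
        print(f"  {rel}: {info['size']} bytes sha256={info['sha256']}")
```

On real saved pages, point diff_saved_pages at the two folders the browser created; the files listed under only_in_flagged and changed are the ones worth scanning individually, which narrows a heuristic alert on "the thread" down to the specific script or banner that tripped it. Hashing files rather than comparing counts also avoids the trap in post #22, where two saves of the same clean page already differed by eight files because ads rotate.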
     
  23. GeeTek

    GeeTek Guest

    The htm file that I restored from quarantine and posted a screen shot of earlier had a size of 69056. The one I restored from quarantine just now has a size of 98516. The software does not specify the dimension but I assume it is in bytes. If anybody thinks I am yanking your chain, I can highly recommend that you install and test this beta firmware. The only thing that has me worried is the fact that I disabled it once to submit the sample to Jotti.

    http://www.eset.com/beta/

    That program and Jotti are still flagging the Tomato version of the thread as possibly trojan infected. That is how new viruses always appear. Subtle at first.
     
  24. GeeTek

    GeeTek Guest

    No Simon, there is 1.5 Megabytes of stuff. This includes .jpg, .gif, .js and numerous htm files that organize the page into several folders. Create a folder on your hard drive. When you are looking at the page, click "file" and then "save". Point to the target of your new folder and save. During the save process something within that meg and a half of stuff gets quarantined. The same save process on the clean thread produces a similar 1.5 megs of stuff, but is never infected.
     
  25. Toxic

    Toxic Administrator Staff Member

    I have saved as using MSIE but fail to see what will be different. Text should remain the same; any advert banners or text are forwarded from their advertising sites (ie amazon and google) and they are also on rotation.

    What browser are you using?

    I have saved the results to an archive. http://www.linksysinfo.org/test.rar see if you find any virus within the saved as page content.
     
  26. GeeTek

    GeeTek Guest

    The rar with the 88 files shows clean. I'm using I.E. 6

    From your standpoint are the 2 threads identical? Do they have the same exact advertising streams and the same exact internal content? Is there anything you know of that is different about them? If they are identical to the best of your determination then it would be the logical conclusion that this is not a false positive.
     
  27. Toxic

    Toxic Administrator Staff Member

    The content of the posts will be identical; it is impossible though that the pages show the exact same adverts, these are shown at random.

    The fact you are using beta software, but others are not, also shows it could be a false positive.

    I would think by now that others using other antivirus/trojan web scanning software would have found some link to a trojan, since the thread started.

    Does your software not point out which file or script is dubious? (not just a thread)
     
  28. GeeTek

    GeeTek Guest

    I don't think it is a beta problem. I just uploaded the sample to Virus Total and the NOD32 engine there also said it was a probable variant just like Jotti did. Virus Total and Jotti are not beta software. Like you say, since the majority of forum users report no problems or alerts, this is probably nothing for most folks to worry about. The fact that one of the threads alerts and the other does not, and you don't know why, is a real red flag for me. If you are interested in testing it further there is more than enough info in this thread to duplicate my findings. I feel I have taken more than my share of the risk already, seeing that I am a donating and contributing user of your website. I am thinking I should probably re-image back to a previous date and exercise a bit more caution in the future. As far as I am concerned, there is something very wrong here.
     
  29. Toxic

    Toxic Administrator Staff Member

  30. GeeTek

    GeeTek Guest

    It works perfectly fine. The trojan alert is gone and the page opens normally.
     
  31. Mastec

    Mastec Network Guru Member

  32. MiseryQ

    MiseryQ Network Guru Member

    There was a couple of other threads about that too.
    I started one of them. He wasn't the only one having that thread show as containing a virus.
    I'm also using Security Suite Beta. Now I can view the page.
     
  33. Toxic

    Toxic Administrator Staff Member

    Seems like security suite beta is the only thing tripping up. Strange no other antivirus package any user on this site uses has had any type of malicious coding.

    btw was it a virus? GeeTek said a VBS Script/Trojan, now we have a virus. lol.
     
  34. lwf-

    lwf- Network Guru Member

    Actually NOD32 did the same thing for me and I’m running the stable version 2.7 and Firefox 2.0.0.8. Probably a false positive.
     
  35. MiseryQ

    MiseryQ Network Guru Member

    Sorry, I use "virus" as a cover-all; trojans and worms are viruses too :)
    In my original link I copied from NOD32's log. It did indeed mention the already mentioned trojan.

    As a side note, I'm using Firefox and a butt-load of add-ons. Perhaps AdBlock or something reconfigured the page in a way that tripped the heuristics in NOD32. But like I already said, besides curiosity it doesn't matter in the least.
     
  36. Macskeeball

    Macskeeball LI Guru Member

    Use the word malware for that. Malware means malicious software in general.
     
