Bug 103348 - Trojan reported in soffice.bin
Summary: Trojan reported in soffice.bin
Status: VERIFIED DUPLICATE of bug 103356
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice (show other bugs)
Version (earliest affected): 5.1.5.2 release
Hardware: x86-64 (AMD64) Windows (All)
Importance: medium normal
Assignee: Not Assigned
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-10-20 10:40 UTC by Friederich Prinz
Modified: 2016-10-20 18:44 UTC
CC List: 0 users

See Also:
Crash report or crash signature:


Description Friederich Prinz 2016-10-20 10:40:40 UTC
Description:
Microsoft Defender today reported a Trojan Rand32/cerber in soffice.bin. Defender killed soffice.bin. LibreOffice couldn't be started again.

Is it a false positive reported by Defender, or did I get the Trojan from LibreOffice's home?

Actual Results:  
LibreOffice is dead

Expected Results:
LibreOffice is dead


Reproducible: Always

User Profile Reset: No

Additional Info:


User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Comment 1 edwardstavin 2016-10-20 15:13:07 UTC
Windows Defender this morning reported LibreOffice 5.1.5.2 as having the Cerber Trojan virus, which it quarantined. This makes LibreOffice inoperable. I also have the 5.1 help pack installed. After having Defender remove the virus I chose to use the Windows 10 app repair feature for LibreOffice, which reinstalled the app. On the first run Defender again reports a new instance of the Ransom:Win32/Cerber Trojan and again deactivates it. It shows the Trojan as contained in file C:\Program Files (x86)\LibreOffice 5\program\soffice.bin

The link to more information about this Trojan is provided by Defender as https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Ransom%3aWin32%2fCerber&threatid=2147709928&enterprise=0

The virus and spyware definitions used by Defender are 1.231.39.0, created on 10-20-2016 at 4:32 am.
Comment 2 edwardstavin 2016-10-20 15:14:07 UTC Comment hidden (obsolete)
Comment 3 Raphr 2016-10-20 16:29:45 UTC
I can confirm this.
soffice.bin is moved into quarantine by Windows Defender.

I have checked my downloaded MSI hash, which is the same as on the official site.

Workaround is to restore it and add it to Windows Defender's exclusion list.

Regards.
Comment 4 Friederich Prinz 2016-10-20 17:34:33 UTC
I uninstalled LibreOffice 5.1.1.1 and installed 5.2.2.2. soffice.bin seems to be the same, judging by the number of bytes. But soffice.bin of version 5.2.2.2 is not killed by Defender.

An older version of LibreOffice, something like 4.x.x.x, also does not get attacked by Defender!

So it seems to be a specific problem of version 5.1.1.1

Regards
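The two checks made in comments 3 and 4, verifying a downloaded installer against the hash published on the official site and comparing two soffice.bin builds, carried out in working code. This is an added example, not code from this bug report or from the LibreOffice project. It assumes the vendor publishes a sha256sum-style manifest (one "<hex digest>  <filename>" line per file); the installer stand-ins and the manifest below are constructed in a temporary directory so the script runs offline. It also shows why "the same amount of bytes" is not evidence that two binaries are identical: two files of equal size that differ in a single byte produce different digests.

```python
"""Verify a download against a published SHA-256 manifest, and contrast
size comparison with digest comparison.

Added example, not part of the bug report. Sample files and the manifest
are constructed below so nothing is fetched from the network.
"""
import hashlib
import hmac
import os
import shutil
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 in 1 MiB chunks so a large installer
    never has to be held in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256_manifest(text):
    """Parse sha256sum output: '<64 hex chars>  <filename>'.
    A leading '*' on the filename (sha256sum's binary-mode marker) is dropped.
    Malformed lines raise instead of being silently skipped, so a truncated
    or tampered manifest cannot pass as 'no entry for this file'."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("malformed manifest line: %r" % line)
        expected[name] = digest
    return expected


def verify_file(path, expected_hex):
    """True only if the file's SHA-256 equals the published digest.
    compare_digest is used for every digest comparison as a habit; it does
    not matter for a local file but costs nothing."""
    return hmac.compare_digest(sha256_of_file(path), expected_hex.lower())


def compare_by_size_and_digest(path_a, path_b):
    """Return (sizes_equal, digests_equal) for two files."""
    sizes_equal = os.path.getsize(path_a) == os.path.getsize(path_b)
    digests_equal = hmac.compare_digest(sha256_of_file(path_a), sha256_of_file(path_b))
    return sizes_equal, digests_equal


def demo():
    """Build two same-size files differing in one byte, plus a manifest for
    the first, and run both checks. The file names are constructed stand-ins,
    not real LibreOffice installers."""
    workdir = tempfile.mkdtemp(prefix="hashcheck-")
    try:
        good = os.path.join(workdir, "LibreOffice_example.msi")
        tampered = os.path.join(workdir, "LibreOffice_example_tampered.msi")
        payload = bytes(range(256)) * 4096            # 1 MiB of deterministic bytes
        with open(good, "wb") as f:
            f.write(payload)
        with open(tampered, "wb") as f:
            f.write(payload[:-1] + b"\x00")           # same length, last byte changed
        # Manifest as the vendor would publish it (constructed here from the good file).
        manifest = "%s  LibreOffice_example.msi\n" % sha256_of_file(good)
        expected = parse_sha256_manifest(manifest)["LibreOffice_example.msi"]
        return {
            "good_ok": verify_file(good, expected),            # True
            "tampered_ok": verify_file(tampered, expected),    # False
            "size_vs_digest": compare_by_size_and_digest(good, tampered),  # (True, False)
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

For a real download, point `verify_file` at the MSI and paste the digest from the vendor's download page into `expected_hex`; a matching digest shows the installer was not altered in transit or on a mirror, but says nothing about whether the vendor's own build is clean, which is the question comment 6 raises. Where the vendor signs its binaries, checking the Authenticode signature on soffice.bin (for example with PowerShell's Get-AuthenticodeSignature) is the complementary check a byte count cannot replace.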
Comment 5 Maxim Monastirsky 2016-10-20 17:58:52 UTC

*** This bug has been marked as a duplicate of bug 103356 ***
Comment 6 edwardstavin 2016-10-20 18:40:09 UTC
I too replaced LibreOffice 5.1.5.2 with 5.2.2.2 and rescanned with the same version of Windows Defender and did not get a positive. I also updated Defender to the next virus definition, 1.231.50, and did not get any more positives either.

At this point I think the only thing that can be concluded for sure is that either 5.1.5.2 has a time-delayed virus (my install has been on the computer for about 2.5 weeks), which Defender is correctly identifying, or Windows Defender is falsely reporting a positive.

Too bad Microsoft does not allow us to update and then downgrade our virus definitions. If they did, we could tell whether LibreOffice or Defender is the cause.

At this point it's all up to the developers at LibreOffice to test their 5.1.5.2 STILL installer and find out if there is something hiding in there or not. It would be a first if there is, as I have been using this stuff for 5+ years with no virus issues.
Comment 7 edwardstavin 2016-10-20 18:44:18 UTC
I think it is premature to label this resolved, as no one has tested the STILL installer at LibreOffice or taken this version of STILL off the download page. So I will move the status down to verified.