Bug 36679 - Virus detected on installation
Summary: Virus detected on installation
Status: RESOLVED NOTABUG
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Installation
Version (earliest affected): 3.4.0 Beta3
Hardware: x86-64 (AMD64) Windows (All)
Importance: high major
Assignee: Not Assigned
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: mab3.4
Reported: 2011-04-29 08:35 UTC by anon
Modified: 2013-08-08 14:46 UTC (History)
CC: 5 users

See Also:
Crash report or crash signature:


Attachments
- G Data virus LO 3.4 beta 3 (231.54 KB, image/jpeg), 2011-05-01 19:12 UTC, Fator
- confirmation (37.61 KB, image/png), 2011-05-11 05:00 UTC, Jesper Laugesen

Description anon 2011-04-29 08:35:28 UTC
XPPro SP3 32bit
Event Viewer
On installation message from F-Secure:
Malicious code found in D:\LibreOffice\program\rebasegui.exe
Infection:  General VariantKazy.7514
File deleted

Program then went on to install.  Noted that Extension update check causes LibO to close with no error message.  Don't know if due to same file being deleted on installation.
Comment 1 Fator 2011-05-01 19:12:24 UTC
Created attachment 46233 [details]
G Data virus LO 3.4 beta 3

Virus. GEN.Varianti.Kazy
Comment 2 Zack 2011-05-06 12:03:18 UTC
Correct me if I'm wrong, but this seems more like a virus software problem than a LO problem.
Comment 3 Noel Power 2011-05-09 02:09:47 UTC
tor, not sure if this is the same false positive that you checked before or not
Comment 4 anon 2011-05-09 05:38:57 UTC
Still getting same result with Beta4 so have not opened a new bug report. Submitted file to F-Secure and initial screening seems to confirm the file is as identified by their retail security software. I accept that there is always a chance of a false positive but even if it is then anyone with around 3 or 4 different security suites will not be able to fully use LibO which would be regrettable. So either the security firms must change their detection parameters or if it does turn out to be a problem then it may need fixing in LibO. It does seem that this file is not unknown for giving problems - is it one of the hangovers from the MSDOS days?
One point does trouble me a bit: The rebasegui.exe file in question is around 40KB (in Beta4). I tried to see if it could be substituted with the same named file from the 3.3 stable Release version. Extension update check no longer closes LibO but does generate an error message. 
The 3.3 Release file is 31KB but Windows appears to identify it as file version 1.1.1.0 which is exactly the same version as is shown for the 40KB 3.4 Beta4.
Comment 5 Don't use this account, use tml@iki.fi 2011-05-09 06:04:32 UTC
I suggest we simply stop including this rebasegui.exe in the installer. It hardly is useful for end-users anyway, I have no idea in what use case it is supposed to be used.

And no, I don't have any reason to believe rebasegui.exe would actually contain a virus. Presumably the virus scanner in question is misled by the fact that the very purpose of rebasegui is to inspect a field in the header of executable files (DLLs in particular), see http://opengrok.libreoffice.org/xref/libs-core/desktop/win32/source/rebase/rebasegui.cxx , which then presumably matches what some malware does. But note that rebasegui.exe opens the DLLs that it opens *read-only*...

If somebody tried to spread malware through LibreOffice, why would they put it in an executable that no normal user is ever going to run? Wouldn't it be much more useful (from their point of view) to infect some of the EXEs or DLLs actually run when using LibreOffice normally?
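The header field Tor refers to is the PE optional header's preferred load address (ImageBase), which a rebasing tool reads for every DLL to find modules whose preferred address ranges collide. The script below is an added illustration and not LibreOffice's rebasegui code (that is at the opengrok link above); it shows what a strictly read-only inspection of that field looks like. The PE field offsets and flag values are the standard ones from the PE/COFF format; the three header-only DLL images it inspects are constructed in memory for the demonstration and are not real files from the installer.

```python
import struct

# Well-known PE/COFF constants (from the format spec, not from this bug report)
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_FILE_DLL = 0x2000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated by ASLR


def inspect_pe(data: bytes) -> dict:
    """Read-only parse of a PE image: report its preferred load address and flags.

    Only the DOS stub, COFF header and optional header are touched; nothing is written.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symtab, _nsyms, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff)
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)   # 32-bit ImageBase
    elif magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)   # 64-bit ImageBase
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # SizeOfImage and DllCharacteristics sit at the same offsets in PE32 and PE32+
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "machine": machine,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "pe32plus": magic == PE32PLUS_MAGIC,
        "image_base": image_base,
        "size_of_image": size_of_image,
        "aslr_capable": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def inspect_file(path: str) -> dict:
    """Inspect an on-disk module; opened read-only, as rebasegui does."""
    with open(path, "rb") as fh:
        return inspect_pe(fh.read())


def find_overlaps(images: dict) -> list:
    """Return (name, name) pairs whose preferred address ranges collide.

    A collision is what rebasing exists to fix: the loader must relocate one
    module at load time, costing private pages and startup time.
    """
    ranges = sorted((info["image_base"], info["image_base"] + info["size_of_image"], name)
                    for name, info in images.items())
    collisions = []
    for i in range(len(ranges)):
        for j in range(i + 1, len(ranges)):
            a_start, a_end, a = ranges[i]
            b_start, b_end, b = ranges[j]
            if b_start < a_end and a_start < b_end:
                collisions.append((a, b))
    return collisions


def build_minimal_pe(image_base, size_of_image, pe32plus=False, is_dll=True, dynamic_base=False) -> bytes:
    """Constructed sample: a header-only PE image (not loadable, but enough to inspect)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 if pe32plus else 96          # standard sizes without data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size,
                       IMAGE_FILE_DLL if is_dll else 0)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed sample set: two 32-bit DLLs that collide, one 64-bit DLL that does not.
SAMPLE_IMAGES = {
    "a.dll": build_minimal_pe(0x10000000, 0x20000),
    "b.dll": build_minimal_pe(0x10010000, 0x10000),
    "c.dll": build_minimal_pe(0x180000000, 0x10000, pe32plus=True, dynamic_base=True),
}


def demo() -> list:
    infos = {name: inspect_pe(data) for name, data in SAMPLE_IMAGES.items()}
    for name, info in infos.items():
        print(f"{name}: base=0x{info['image_base']:x} size=0x{info['size_of_image']:x} "
              f"dll={info['is_dll']} aslr={info['aslr_capable']}")
    return find_overlaps(infos)


if __name__ == "__main__":
    print("colliding preferred ranges:", demo())
```

Everything here is a read, which is the point of Tor's remark: a scanner that flags a program for touching PE headers is keying on an access pattern shared with benign tooling, so the signature, not the file, is what needs a second look. Checking the flagged file's hash against the copy inside a freshly downloaded installer before submitting it to the vendor is the usual way to rule out actual tampering.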
Comment 6 Jesper Laugesen 2011-05-11 05:00:13 UTC
Created attachment 46602 [details]
confirmation

Avira also reports a trojan in the file.

(win7, 64bit, beta downloaded as torrent: LibO_3.4.0beta4_Win_x86_install_multi.exe)
Comment 7 Don't use this account, use tml@iki.fi 2011-05-11 05:07:57 UTC
Feel free to leave out the rebasegui.exe then, if you believe it has a trojan. You won't need it.
Comment 8 Volker Merschmann 2011-05-11 12:40:01 UTC
Still true for beta5 with Avira Antivirus.

Not delivering the file is no solution until we know what it is used for. Antivirus is nagging several times during the installation, so I think it is not just copied by the installer.
Comment 9 Don't use this account, use tml@iki.fi 2011-05-11 20:50:29 UTC
For a writeup on the rebasing crack, see http://lists.freedesktop.org/archives/libreoffice/2011-May/011865.html
Comment 10 Rainer Bielefeld Retired 2011-05-11 23:46:51 UTC
I saw exactly the same with Bit Defender and with "LibreOffice 3.4Beta4 – WIN7 Home Premium (64bit) German UI [DEV300m103 (Build:4)]", but only at the second installation on my Laptop. No virus detected during first installation on my Desktop.

I agree with Volker, we should check that file, may be someone can contact one of the Antivirus providers?
Comment 11 Don't use this account, use tml@iki.fi 2011-05-12 03:40:20 UTC
rebasegui.exe will not be included any longer (and not rebaseoo.exe either) in the installer.
Comment 12 Rod Muth 2013-06-19 22:50:29 UTC
I am not sure that this is a bug, but Norton identified unicodedate.pyd as a suspicious file and deleted it from program . . . lib. I had Norton restore it because in my non-Norton machine (McAfee) no red flags were raised. The files downloaded in both places appeared to be the same (e.g., dates, size). I suspect that Norton was being overzealous, but thought that you ought to know.

Thanks!
Comment 13 Joel Madero 2013-06-21 16:16:50 UTC
@Rod - what version is that being spit out for? 

I removed security from the keywords as it's antivirus being overzealous, not an issue with our product, but maybe there is something we can do about it to get them to stop complaining.
Comment 14 Joel Madero 2013-06-21 17:30:41 UTC
Marking as NEEDINFO - let us know what version of LibreOffice you're still getting warnings about and then mark as UNCONFIRMED - we'll see if it's our bug or not


Thanks!
Comment 15 bfoman (inactive) 2013-06-26 12:01:55 UTC
I would close this old original issue as RESOLVED NOTABUG. 
False positives will happen once in a while.