Tue, 25 May 2010

liveusb-creator trojan in the wild

I've been noticing many different copies of my Windows liveusb-creator popping up on various sketchy-looking download sites. The majority of these copies contain a variant of the Vundo Trojan.

"Vundo, or the Vundo Trojan (also known as Virtumonde or Virtumondo and sometimes referred to as MS Juan) is a Trojan horse that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook."

So, if you downloaded a copy of the Windows liveusb-creator from anywhere other than https://fedorahosted.org/liveusb-creator -- you could be infected. Apparently the latest variation of this trojan is undetectable by most antivirus products (although clamav was able to recognize the one that I found), so you may need to look for some of the common symptoms. There is apparently a tool that will remove this trojan, which can be found here; however, I have not tested it and cannot vouch for its validity.

If anyone was actually hit by this, I'd be interested to hear about it.

Also, to state the blatantly obvious: only download the liveusb-creator from the homepage!

posted at: 21:11 | 4 comments

Posted by Canada at Wed May 26 06:41:42 2010

Maybe you should post the software's MD5 checksum so users can compare and confirm?

Posted by Canada at Wed May 26 06:44:36 2010

all infirmation is on the official page.

Warning: There are virus-infected copies of the Windows liveusb-creator floating around various download sites on the internet. Only download the Windows liveusb-creator from this page!

Windows installer: liveusb-creator-3.9.1-setup.exe (7.9M) (ChangeLog).
SHA1: 7e20f6937e93e048d65b461a3cd6feba54662464

Great work.
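Checking a downloaded installer against the SHA1 published on the project page, as an added example (not code from the post or from the liveusb-creator project): the digest for liveusb-creator-3.9.1-setup.exe is the one quoted above; the file names, the `normalize_digest`/`verify_download` helpers and the tiny sample files are constructed for illustration.

```python
"""Verify a downloaded installer against a published SHA1 digest before running it."""
import hashlib
import hmac
import os
import tempfile

# Digest as published on the liveusb-creator page (quoted in the comment above).
PUBLISHED_SHA1 = {
    "liveusb-creator-3.9.1-setup.exe": "7e20f6937e93e048d65b461a3cd6feba54662464",
}

def normalize_digest(text):
    """Accept a digest pasted as 'SHA1: <hex>' or '<hex>  filename'; return lowercase hex."""
    for token in text.replace(":", " ").split():
        t = token.lower()
        if len(t) == 40 and all(c in "0123456789abcdef" for c in t):
            return t
    raise ValueError("no 40-hex-digit SHA1 found in %r" % text)

def sha1_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a multi-megabyte installer is not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, published=None):
    """True only if the file's SHA1 equals the published digest (constant-time compare).
    Without an explicit digest, the file name is looked up in PUBLISHED_SHA1."""
    if published is None:
        published = PUBLISHED_SHA1[os.path.basename(path)]
    return hmac.compare_digest(sha1_of_file(path), normalize_digest(published))

def demo():
    """Constructed sample: a tiny 'installer' whose content is b'abc' (the standard
    SHA1 test vector) and a copy with one byte changed, checked against the same digest."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "good.exe"), os.path.join(d, "bad.exe")
        with open(good, "wb") as f:
            f.write(b"abc")
        with open(bad, "wb") as f:
            f.write(b"abd")  # one byte flipped, as a tampered download would be
        expected = "SHA1: a9993e364706816aba3e25717850c26c9cd0d89d"
        results["good"] = verify_download(good, expected)
        results["bad"] = verify_download(bad, expected)
    return results

if __name__ == "__main__":
    print(demo())  # {'good': True, 'bad': False}
```

Because the digest is served from the same page as the download, this check catches a tampered copy on a third-party mirror, not a compromise of the project page itself.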

Posted by Doc Atomic at Wed May 26 14:35:14 2010

But a SHA1 is not an MD5, though... and information is not "infirmation" either, unless your intent is to cripple the thing and hospitalise it!  Are you certain it's a virus?  How can you write bug-free code, if you can't spell?  :-p

In any case, my issue with liveUSB booting of any kind is that while that technique is okay for either running live constantly or installing to only a single hard drive, it fails miserably whenever anyone tries to perform an install into a system that has more than one hard drive. Booting from a liveUSB stick in the first place always screws up the drive detection, so when you go to reboot after a multi-drive installation, the reboot fails because /dev/sdc (or whatever) then becomes /dev/sdb (or whatever) instead, as soon as the stick is removed. So, you're stuck with rebooting live yet again and then manually patching up the newly-installed fstab, just to get the hard disk boot to work properly. Certainly a stupid annoyance, in my opinion.

Posted by Dinooz at Tue Nov 23 15:29:36 2010

Any idea when an update to the LiveUSB Creator will be issued?

From: http://forums.fedoraforum.org/showthread.php?t=253636

This will update the bootloader on the specified drive, so make sure to get it right.

Another option is to replace the syslinux.exe file LiveUSB Creator uses with the new one and run LiveUSB Creator again. The file goes into the "tools" directory. So, if LiveUSB Creator was installed to C:\Program Files\LiveUSB Creator, it needs to go in C:\Program Files\LiveUSB Creator\tools.