Smokey's Security Weblog

veritas odium parit

[UPDATED / SOLVED] Be aware: malware removal program ComboFix probably infected with Sality virus

According to Marcos, an employee of security solutions vendor ESET, the well-known malware cleaning/removal program ComboFix, created by sUBs, is infected with the Sality virus. It seems that the current ComboFix installer contains an infected file, namely iexplore.exe.

I haven’t checked the issue myself, but I have to assume that ComboFix is indeed infected with the Sality virus, especially because other security vendors have confirmed the infection.

Please don’t download and use ComboFix until the author, sUBs, remedies the issue.

UPDATE 1: Infection is confirmed by a reliable source.

UPDATE 2: To be 100% sure I checked the issue by myself, ComboFix is indeed infected by Sality.

UPDATE 3: Added a temporary Google Drive download link to obtain the most recent CLEAN ComboFix.exe.

Data of this clean version:

Combofix.exe
Version 13.1.28.1
Copyright sUBs
5.028.179 bytes

MD5 CHECKSUM: 0F6D28A70471051C4C7785335ACBA626

SHA256 CHECKSUM:

hex: 361548f74415a41f00d5345b3e3c489b3282b302c0c51266880eda586db01a12
HEX: 361548F74415A41F00D5345B3E3C489B3282B302C0C51266880EDA586DB01A12
h:e:x: 36:15:48:f7:44:15:a4:1f:00:d5:34:5b:3e:3c:48:9b:32:82:b3:02:c0:c5:12:66:88:0e:da:58:6d:b0:1a:12
base64: NhVI90QVpB8A1TRbPjxImzKCswLAxRJmiA7aWG2wGhI=
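The post lists the same SHA256 digest in three notations (lowercase hex, uppercase hex with and without colon separators, and base64), which is how some hash tools print it. The script below is an added example, not code from the post or from sUBs: it canonicalises any of those notations to lowercase hex, checks that the three published forms really describe one digest, and verifies a downloaded file against the published SHA256 and MD5 values in a constant-time comparison. It assumes the base64 form is standard (RFC 4648) base64 of the raw 32 digest bytes, and the `verify_file` helper and its argument names are my own.

```python
import base64
import hashlib
import hmac
import io
import re

# Digests of the clean ComboFix.exe 13.1.28.1 exactly as published in the post above.
PUBLISHED_MD5 = "0F6D28A70471051C4C7785335ACBA626"
PUBLISHED_SHA256_HEX = "361548f74415a41f00d5345b3e3c489b3282b302c0c51266880eda586db01a12"
PUBLISHED_SHA256_COLON = ("36:15:48:f7:44:15:a4:1f:00:d5:34:5b:3e:3c:48:9b:"
                          "32:82:b3:02:c0:c5:12:66:88:0e:da:58:6d:b0:1a:12")
PUBLISHED_SHA256_B64 = "NhVI90QVpB8A1TRbPjxImzKCswLAxRJmiA7aWG2wGhI="

DIGEST_SIZES = {"md5": 16, "sha256": 32}  # digest length in bytes


def normalize_digest(text, algorithm):
    """Canonicalise a published digest to lowercase hex.

    Accepts plain hex in either case, colon-separated hex, or base64 (the three
    notations the post uses). Raises ValueError for anything else, so a typo in
    a published value is reported instead of silently failing the comparison.
    """
    size = DIGEST_SIZES[algorithm]
    s = text.strip()
    compact = s.replace(":", "").replace(" ", "")
    if len(compact) == size * 2 and re.fullmatch(r"[0-9a-fA-F]+", compact):
        return compact.lower()
    try:
        raw = base64.b64decode(s, validate=True)  # assumption: standard base64 of raw bytes
    except ValueError:  # binascii.Error is a ValueError subclass
        raise ValueError(f"unrecognised {algorithm} digest: {text!r}")
    if len(raw) != size:
        raise ValueError(f"{algorithm} digest is {len(raw)} bytes, expected {size}")
    return raw.hex()


def published_forms_agree():
    """True if every SHA256 notation in the post canonicalises to the same digest."""
    forms = (PUBLISHED_SHA256_HEX, PUBLISHED_SHA256_HEX.upper(),
             PUBLISHED_SHA256_COLON, PUBLISHED_SHA256_B64)
    return len({normalize_digest(f, "sha256") for f in forms}) == 1


def digests_of_stream(stream, chunk_size=1 << 20):
    """Feed a binary stream through MD5 and SHA256 in one pass; both returned as lowercase hex."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def digests_of_bytes(data):
    return digests_of_stream(io.BytesIO(data))


def verify_digests(actual, expected_sha256, expected_md5=None):
    """Compare computed digests with published ones.

    SHA256 is the value that decides; MD5 is only a secondary cross-check because
    its collision resistance is broken. hmac.compare_digest keeps the comparison
    constant-time.
    """
    ok = hmac.compare_digest(actual["sha256"], normalize_digest(expected_sha256, "sha256"))
    if expected_md5 is not None:
        ok = ok and hmac.compare_digest(actual["md5"], normalize_digest(expected_md5, "md5"))
    return ok


def verify_file(path, expected_sha256=PUBLISHED_SHA256_HEX, expected_md5=PUBLISHED_MD5):
    """Hash the file at `path` and report whether it matches the published clean build."""
    with open(path, "rb") as fh:
        return verify_digests(digests_of_stream(fh), expected_sha256, expected_md5)


if __name__ == "__main__":
    import sys
    print("published SHA256 notations agree:", published_forms_agree())
    for path in sys.argv[1:]:
        verdict = "matches clean ComboFix 13.1.28.1" if verify_file(path) else "DOES NOT match"
        print(f"{path}: {verdict}")
```

Run it as `python verify_combofix.py ComboFix.exe`. A match only proves the file is byte-for-byte the one the author hashed; it does not prove that file is clean, so the digest has to come from a channel you trust (here, the author's own post) and not from the same download page as the file.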

Download: removed

UPDATE 4 / FINAL UPDATE / 2013-01-30 22:00: the infected ComboFix problem is solved; a clean ComboFix.exe is live again and available to download from its normal Bleeping Computer download link here.

Because the problem is now solved, I have removed the temporary download link for the clean ComboFix.exe.


January 29, 2013 - Posted by | Advisories, Alerts, Anti-Virus, Malware, Vulnerabilities

4 Comments »

  1. Good day, you are right. ComboFix is infected with the Sality virus. While downloading CFix on one PC last night ( 28Jan13 ), MS Security Essentials warned that the Sality virus was present. I thought it was an error or false positive and ran ComboFix anyways. My PC is now infected with WIN32/Sality.AT virus. As a test, I tried to download ComboFix onto a USB drive on another PC and Avast gave me the same warning so I canceled the download. Besides waiting for the author to fix ComboFix, are you aware of any solutions?

    Comment by Paul | January 29, 2013 | Reply

    • Very sorry to hear you are hit by the virus. It’s a very complex form of malware and in continuous development, that’s making it utmost dangerous and with unpredictable consequences. I have discussed the issue with my malware removal staff, and what they told me doesn’t make me happy at all. Personally I know what to do when my PC would be infected by Sality, however I prefer to advise you to ask for help on my malware removal forum: http://www.smokey-services.eu/forums/index.php/board,5.0.html Fully trained/qualified/graduated malware removers will be pleased to give you reliable advice, and will also help you to remove the virus. Anyways, in case they see a serious opportunity to clean your PC..

      In the meanwhile I advise you to disconnect your PC from internet, and if such will deliver serious problems to you, don’t undertake any action on your PC, financial transactions and similar included! Don’t forget to change ALL your login credentials on internet, no matter what site it concerns, do this with help of a non-infected PC.

      Finally I will highly appreciate it when you tell me the source of the ComboFix download because we must try damage control as soon as possible, to avoid that other PCs become infected too.

      Comment by Smokey | January 29, 2013 | Reply

  2. Hi Smokey, thanks for the quick reply and your suggestions. I downloaded ComboFix from http://www.bleepingcomputer.com/download/combofix/

    MS Security Essentials did alert to corrupted files and indicated that the actions were suspended. However, the virus is still active and my PC is intermittently slow.

    My desktop is used only for email the odd time and have not used it for online banking or payments in years.

    As a precaution, I’m going to change all my passwords right now.

    Other posts on the net say that the only solution is to wipe the drive clean and reinstall the OS. Hopefully, there’s a program out there that removes the virus.

    Comment by Paul | January 29, 2013 | Reply
