Hello,
Following a virus problem on my system, a thorough scan of my computer with several antivirus/anti-malware programs detected a Trojan virus hidden in EINSTEIN_S5R3_4.26_GRAPHICS_WINDOWS_INTELX86.EXE that gets downloaded by Boinc as I contribute to the Einstein project.
Could you check and update this Einstein application to clean it out?
In the meantime, I am forced to suspend the Einstein project in Boinc, to avoid getting contaminated again and again.
Best,
Alex
Appendix: A log of the problem reported
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 03/03/2010 at 06:13 PM
Application Version : 4.34.1000
Core Rules Database Version : 4634
Trace Rules Database Version: 2446
Scan type : Quick Scan
Total Scan Time : 00:15:44
Memory items scanned : 403
Memory threats detected : 1
Registry items scanned : 492
Registry threats detected : 2
File items scanned : 9543
File threats detected : 7
Trojan.Downloader-SVCHost/Fake
C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
Trojan.Agent/Gen-SoftWin[Virut]
[SVCHOST.EXE] C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
[SVCHOST.EXE] C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
Trojan.Agent/Gen-FakeAlert[Local]
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\BOINC\PROJECTS\EINSTEIN.PHYS.UWM.EDU\EINSTEIN_S5R3_4.26_GRAPHICS_WINDOWS_INTELX86.EXE
Trojan virus in application EINSTEIN_S5R3_4.26_GRAPHICS_WINDOWS_
This happens with some AV programs at times. When coming from renowned projects such as Einstein, you can easily assume it's a false positive detection, due to the nature of the science application, the way that it calculates the data.
If you truly suspect something wrong, go to http://www.virustotal.com and upload the application there. This will test the application with several AV kits. If the outcome of that scan is that only your AV kit sees it, it's a false positive. When all or most of them see an infection, it's an infection. Not necessarily coming from the Einstein servers, it may become infected on your system.
Aside from that - as far as I know - the applications here for all platforms are made in Linux, which although not impossible, is very unlikely to give out infected applications.
Still, you should take seriously what your AV scanner reports.
In this case, it's at least possible that there is an infection and that the file in question was infected, but not on the project's server but after it had already been downloaded to your PC.
Apps that are still used by Boinc are "protected" with a checksum to detect file corruption on the disk or tampering with the files (nothing that could not be manipulated by malicious software of course, but still useful against random corruption). The file in question, EINSTEIN_S5R3_4.26_GRAPHICS_WINDOWS_INTELX86.EXE, is no longer in use by the Einstein@Home project and can be removed. I guess resetting the project before removing the file should also clear out any remaining references to this older run in the client_state.xml file.
CU
HB
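Added example, not part of the thread and not BOINC's own code: a sketch of the stored-checksum check described in the last post, flagging project files that changed on disk after download. The manifest layout (`file_info`, `name`, `nbytes`, `md5_cksum`), the use of MD5 and all file names are assumptions made for the sketch, and the sample data is constructed.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

def md5_of(path):
    """Stream the file through MD5 (a corruption check, not a security boundary)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit(state_xml, project_dir):
    """Compare every recorded file with what is on disk; returns {name: status}."""
    results = {}
    for info in ET.fromstring(state_xml).iter("file_info"):  # assumed element names
        name = info.findtext("name")
        path = Path(project_dir) / Path(name).name  # ignore any directory component
        if not path.is_file():
            results[name] = "missing"
        elif path.stat().st_size != int(info.findtext("nbytes")):
            results[name] = "size-mismatch"  # cheap check before hashing
        elif md5_of(path) != info.findtext("md5_cksum").strip().lower():
            results[name] = "digest-mismatch"
        else:
            results[name] = "ok"
    return results

def demo():
    """Constructed case: one intact file, two altered after download, one deleted."""
    original = b"science application v1"
    entry = ("<file_info><name>{0}</name><nbytes>{1}</nbytes>"
             "<md5_cksum>{2}</md5_cksum></file_info>")
    names = ("intact.exe", "patched.exe", "same_size.exe", "gone.exe")
    with tempfile.TemporaryDirectory() as d:
        for n in names:
            Path(d, n).write_bytes(original)
        digest = hashlib.md5(original).hexdigest()
        xml = "".join(entry.format(n, len(original), digest) for n in names)
        Path(d, "patched.exe").write_bytes(original + b"appended code")
        Path(d, "same_size.exe").write_bytes(original[::-1])  # same length, new bytes
        Path(d, "gone.exe").unlink()
        return audit(f"<client_state>{xml}</client_state>", d)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:16} {name}")
```

Because the recorded values live on the same disk as the files, a mismatch is a reliable sign of change while a match only rules out accidental corruption, which is the limitation the post points out.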