The Drupal security team receives reports of all sorts all the time.
Some of them are false positives by security scanning software.
Today we got a report about a Trojan being detected in Drupal 6.10 and 6.13 by TrendMicro OfficeScan version 10, in the following files:
modules/color/color.install - BQDR_IRCBOT.BZQ
modules/profile/profile-wrapper.tpl.php - TROJ_SWIZZOR.KXV
modules/translation/translation.module - TROJ_FRAUDLO.LL
These files are plain text and valid PHP files.
Long-time security team member Bart Jansens verified that the same software does indeed generate those false positives.
Other visitors to Drupal.org have also reported the same issue. One of them has notified TrendMicro of the issue.
We hope that TrendMicro soon issues an update that fixes this false positive.
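One way to check an alert like this, as an added example that is not from the original post: hash each flagged file against a freshly downloaded release copy and confirm it is still plain-text PHP. The function names, verdict labels and the constructed sample trees are assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def looks_like_php_text(path: Path) -> bool:
    """Plain-text PHP source: no NUL bytes, decodes as UTF-8, contains '<?php'."""
    data = path.read_bytes()
    if b"\x00" in data:
        return False
    try:
        return "<?php" in data.decode("utf-8")
    except UnicodeDecodeError:
        return False

def triage(flagged, site_root: Path, release_root: Path) -> dict:
    """Classify each scanner-flagged relative path against a pristine release tree."""
    verdicts = {}
    for rel in flagged:
        local, clean = site_root / rel, release_root / rel
        if not local.is_file() or not clean.is_file():
            verdicts[rel] = "cannot-compare"
        elif sha256(local) == sha256(clean):
            verdicts[rel] = "identical-to-release"  # the alert concerns the scanner's signature
        elif looks_like_php_text(local):
            verdicts[rel] = "modified-text"         # still text: review the diff by hand
        else:
            verdicts[rel] = "modified-not-text"     # altered on this host, no longer source text
    return verdicts

def demo() -> dict:
    """Build two constructed trees (placeholders, not real Drupal files) and triage them."""
    flagged = ["modules/color/color.install",
               "modules/profile/profile-wrapper.tpl.php",
               "modules/translation/translation.module"]
    with tempfile.TemporaryDirectory() as tmp:
        site, release = Path(tmp, "site"), Path(tmp, "release")
        for root in (site, release):
            for rel in flagged:
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(b"<?php\n// constructed placeholder: " + rel.encode() + b"\n")
        # Constructed local changes: one file overwritten with bytes, one edited as text.
        (site / flagged[0]).write_bytes(b"\x00\x9c\xffconstructed binary junk")
        (site / flagged[2]).write_bytes(b"<?php\n// locally edited\n")
        return triage(flagged, site, release)

if __name__ == "__main__":
    for rel, verdict in demo().items():
        print(f"{verdict:22} {rel}")
```

A file reported as `identical-to-release` points at the scanner's signature; either of the `modified` verdicts means the copy on that machine differs from what was downloaded and should be examined there.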
Comments
rogerpfaff (not verified)
Trend Micro
Thu, 2009/07/09 - 16:47
The scanner reports some more false positives these days. It also reports a Trojan in the latest Adobe Shockwave / Flash player downloads and caused IE7 to crash on our company's website although there is no Flash in use.
Heine (not verified)
No one gets it right in one
Thu, 2009/07/09 - 16:56
No one gets it right in one try, but Bart's name is Bart Jansens :)
Khalid
Fixed
Thu, 2009/07/09 - 18:03
Fixed, thanks.
Tash (not verified)
No false report for color.install in Drupal 5 files
Sat, 2009/07/11 - 22:03
Hi, I don't think that all messages are false reports.
I've received virus messages as well for all color.install files on my computer. I had various versions of Drupal installation files stored on my hard drive. Every single color.install returned a virus message.
Here's the thing: the color.install files were NOT plain text anymore, when trying to open them in Dreamweaver they showed just cryptic signs.
At the SAME time that TrendMicro had reported the virus, Spydoctor found 2 trojans in my system that I've been trying hard to get rid of (Backdoor.Ciadoor!sd5 and Delf!ct).
I don't think that this is a false report, but should be taken seriously.
Khalid
I just checked
Sat, 2009/07/11 - 22:16
I just downloaded both Drupal 5.19 and 6.13 and checked the color.install. It is a plain text file with valid PHP in it. So, the tarballs that are on drupal.org are clean.
If these files are infected by some other malware on your PC, Drupal has nothing to do with it. Its files are victims, not the source.
Anonymous (not verified)
upload.module now also
Tue, 2009/07/14 - 04:39
upload.module now also impacted
Alan Domladovac... (not verified)
Today I received a new alert.
Tue, 2009/07/14 - 08:07
Yesterday I received an alert on the same files reported in http://drupal.org/node/514448
Today I received a new alert.
File: modules/book/book.admin.inc
Virus: TROJ_SWIZZOR.KVR
File: modules/poll/poll-results.tpl.php
Virus: TROJ_SWIZZOR.KVC
File: modules/upload/upload.module
Virus: TSPY_MMORPG.NP
Drupal version: 6.13 (latest)
Anonymous (not verified)
Trend Micro
Fri, 2009/07/17 - 04:20
I've posted these files to Trend Micro Support a few days ago.
I got a mail from them that with CPR 6.278.02 and above, the problem was fixed. I've tested it today and it looks OK for now.
Anonymous (not verified)
Fake alert
Sat, 2009/10/10 - 13:51
I received a message from OfficeScan regarding trojan malware. However, performing a scan with "malwarebytes anti-malwares", it says no malware is detected. Do you think the message from OfficeScan is a fake alert?
CЛACTEHA (not verified)
Funny
Fri, 2009/11/06 - 15:40
Without a name, even a sheep is a ram. :)