
Win32/Wacatac.B!ml Trojan in x86\sanitycheckc.exe

Open keremer opened this issue 4 years ago • 6 comments

Details are in the heading. Might be worth a check... Different malware is reported in different versions, e.g. mesa3d-20.3.4-release reports Trojan:Script/Conteban.A!ml.

keremer avatar Feb 28 '21 11:02 keremer

It is curious, isn't it?  BitDefender reports "5 threats" in mesa3d-20.3.4-release-mingw.7z:

Gen:Variant.Bulz.311850 (twice)

Gen:Variant.Fugrafa.99534

Trojan.GenericKD.45765450

Trojan.GenericKD.45765462

and 37 hits in mesa3d-20.3.4-release-msvc.7z.  BitDefender unpacks the archive and examines individual files.

On 2/28/2021 6:41 AM, Kerem ERCOSKUN wrote:

Details are in the heading. Might be worth a check... Different malware is reported in different versions, e.g. mesa3d-20.3.4-release reports Trojan:Script/Conteban.A!ml.


gbburkhardt avatar Feb 28 '21 12:02 gbburkhardt

I noticed even Malwarebytes reports sanitycheckc.exe and sanitycheckcpp.exe as malware. They are generated by the Meson build system to check if the compiler is usable.

pal1000 avatar Feb 28 '21 15:02 pal1000

Microsoft Windows Defender is blocking various of your releases as containing trojans and Potentially Unwanted Software.

howff avatar May 31 '21 11:05 howff

Picking just one file (graw swizzle) in VirusTotal reports 13 vendors flag it as dangerous https://www.virustotal.com/gui/file/93c29e283e551a4a37a3d9b2fae03c0eccbe37d98a265318c3826a49291b98c3/detection and the whole release is flagged by 9 vendors https://www.virustotal.com/gui/file/200d2e8c678bf122be671693b2c7ff8e34af8c0556271c603118e4213c99afd6/detection

howff avatar May 31 '21 11:05 howff

Yeah, BitDefender reports 13 threats from the 21.1.1 msvc release, and 1 from the mingw.

The reports are for the .exe files.  Symantec Endpoint also reports malware.

On 5/31/2021 7:42 AM, howff wrote:

Microsoft Windows Defender is blocking various of your releases as containing trojans and Potentially Unwanted Software.


gbburkhardt avatar May 31 '21 12:05 gbburkhardt

I noticed many anti-malware products report false positives with 32-bit x86 Meson sanity checks. It's unlikely for them to be malware as they are generated on the fly by the Meson build system. A mass false positive report is in order.

Apparently some unit tests trigger false positives on some anti-malware engines as well.

pal1000 avatar May 31 '21 14:05 pal1000