Software Archive

malware found during installation

Thomas_Kochmann
Beginner
1,369 Views
I have just recently upgraded to Intel C++ Studio for Windows, and downloaded the file for 64/32 bit.
During installation, my AntiVir virus scan detected several pieces of malware.
One of them was "HTML/Malicious.ActiveX.Gen". What can I do now? I don't want to use
the system with this trojan(s).
Do you already have some experience with viruses? Or is there another place to download?
0 Kudos
24 Replies
Hubert_H_Intel
Employee
1,142 Views
Thomas,
Can you provide me with the exact URL where you downloaded the package, or describe how you came to this download page?
Hubert.
0 Kudos
Hubert_H_Intel
Employee
1,142 Views
Thomas,
I found the location you downloaded the Intel C++ Studio XE 2011 for Windows* today from. Let me investigate.
Hubert.
0 Kudos
Thomas_Kochmann
Beginner
1,142 Views
Hi Hubert,
Yes, it is the Windows version, the normal way, where I had to key in the licence number.
0 Kudos
Thomas_Kochmann
Beginner
1,142 Views
Furthermore, it is interesting to note that this error only seems to occur on a 64-bit system (Windows 7 Ultimate). In parallel, I downloaded from the link which was provided by the Intel welcoming message
and installed the same thing on a Windows XP 32-bit environment (having installed the same antivirus software, i.e. "Avira AntiVir"); no error message occurred.
0 Kudos
Thomas_Kochmann
Beginner
1,143 Views
Now, a virus scan on the 64 bit system revealed the following malware: "TR/Rootkit.Gen" in the installation file.
0 Kudos
Hubert_H_Intel
Employee
1,142 Views
Thomas,
I couldn't find a problem so far. The checksum and filesize of the downloaded file should be:
>cksum.exe c_studio_xe_2011_update2_setup.exe
3383553630 933972144
Could you please compare with yours? If they match exactly it's definitely not a malware problem, since it's impossible for malware to get into the fileset without changing the checksum. Filesets posted on the Intel Registration Center are being checked diligently against any malware intrusion.
Could you please tell me the link that's included in the welcome message? Can you recall which the other download link was where you downloaded the c_studio_xe_2011_update2_setup.exe and where you found the virus alert during installation?
Do you remember when exactly the virus alert popped up? Was it during file extraction or later?
Hubert.
0 Kudos
Hubert_H_Intel
Employee
1,142 Views
Thomas,
Alternatively, until the investigation about the malware intrusion is clarified, you can download and install the 32-bit or 64-bit only packages:
checksum/filesize/filename:
1192786758 580989600 c_studio_xe_2011_update2_ia32_setup.exe
1729450580 673391840 c_studio_xe_2011_update2_intel64_setup.exe
Hubert.
0 Kudos
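A worked example of the comparison Hubert asks for in the two posts above, added here and not code from the thread or from any Intel tool: a pure-Python reimplementation of the algorithm the POSIX cksum utility uses (CRC-32 with polynomial 0x04C11DB7, MSB first, the byte length appended, final complement), a parser for a "checksum filesize filename" list in the format posted above, and a verification step that requires both values to match. The two Intel manifest lines are the ones quoted in the thread; the sample installer bytes, the manifest built from them and the file name sample_setup.exe are constructed for the demo. A SHA-256 helper is included alongside because a matching cksum only shows that the download is byte-identical to the posted fileset: a CRC-32 detects corruption and simple modification, is not collision resistant, and is not a malware scan.

```python
"""Check a downloaded installer against a posted "checksum filesize filename" list.

Added example (not Intel code). posix_cksum() reimplements the algorithm the
POSIX cksum utility uses: CRC-32, polynomial 0x04C11DB7, MSB first, no initial
value, the byte length appended least-significant byte first, final complement.
"""
import hashlib

_POLY = 0x04C11DB7


def _make_table():
    """Build the 256-entry lookup table for the MSB-first CRC-32 used by cksum."""
    table = []
    for i in range(256):
        c = i << 24
        for _ in range(8):
            c = ((c << 1) ^ _POLY) if c & 0x80000000 else (c << 1)
        table.append(c & 0xFFFFFFFF)
    return table


_TABLE = _make_table()


def posix_cksum(data: bytes) -> tuple:
    """Return (checksum, size) exactly as `cksum FILE` prints them."""
    crc = 0
    for b in data:
        crc = ((crc << 8) & 0xFFFFFFFF) ^ _TABLE[(crc >> 24) ^ b]
    # cksum also feeds in the byte length, least-significant byte first,
    # until no non-zero bytes of the length remain.
    n = len(data)
    while n:
        crc = ((crc << 8) & 0xFFFFFFFF) ^ _TABLE[(crc >> 24) ^ (n & 0xFF)]
        n >>= 8
    return (~crc) & 0xFFFFFFFF, len(data)


def sha256_hex(data: bytes) -> str:
    """Cryptographic digest to compare when the vendor publishes one; a CRC-32
    is not collision resistant, so it cannot rule out deliberate tampering."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse '<cksum> <size> <filename>' lines into {filename: (cksum, size)}.
    Lines that do not fit that shape (such as a heading) are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue
        entries[parts[2]] = (int(parts[0]), int(parts[1]))
    return entries


def verify_download(filename: str, data: bytes, manifest: dict) -> bool:
    """True only if both the checksum and the size match the posted entry."""
    expected = manifest.get(filename)
    return expected is not None and posix_cksum(data) == expected


# The two package entries quoted from the thread above.
POSTED_MANIFEST = """checksum/filesize/filename:
1192786758 580989600 c_studio_xe_2011_update2_ia32_setup.exe
1729450580 673391840 c_studio_xe_2011_update2_intel64_setup.exe
"""

# Constructed stand-in for a downloaded installer (not a real Intel file).
SAMPLE_BYTES = b"MZ\x90\x00constructed installer payload for the demo\n" * 40
_c, _s = posix_cksum(SAMPLE_BYTES)
SAMPLE_MANIFEST = parse_manifest(f"{_c} {_s} sample_setup.exe")


def check_file(path: str, manifest: dict) -> bool:
    """Read a real file from disk and verify it against the manifest."""
    with open(path, "rb") as fh:
        data = fh.read()
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return verify_download(name, data, manifest)


if __name__ == "__main__":
    import sys
    manifest = parse_manifest(POSTED_MANIFEST)
    for path in sys.argv[1:]:
        print(path, "OK" if check_file(path, manifest) else "MISMATCH")
    # Demo on the constructed sample: the untouched copy matches, a copy with
    # one appended byte does not.
    print(verify_download("sample_setup.exe", SAMPLE_BYTES, SAMPLE_MANIFEST))
    print(verify_download("sample_setup.exe", SAMPLE_BYTES + b"\x00", SAMPLE_MANIFEST))
```

Run it as `python check_cksum.py c_studio_xe_2011_update2_ia32_setup.exe` to compare a real download with the posted values; the script reports MISMATCH for any file whose name is not in the list, so a renamed download is flagged rather than silently skipped. The size is checked together with the checksum because cksum prints both and the thread compares both.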
Thomas_Kochmann
Beginner
1,142 Views
Filesize and checksum are the same.
I have now also checked the file c_studio_xe_2011_update2_setup.exe directly,
also under the mentioned 32-bit XP system with Avira AntiVir
(unfortunately it's in German)
(right mouse button and then "check chosen file with AntiVir").
In both cases (64-bit system *and* 32-bit system) I obtained
the same malware, i.e. "TR/Rootkit.gen".
So it seems that you would get the same problem if you used another virus scanner,
e.g. the above-mentioned German Avira AntiVir.
0 Kudos
Thomas_Kochmann
Beginner
1,142 Views
What is the difference between the 64-bit-only/32-bit-only version and the combined 64/32-bit version?
Does it refer to the system where it is running, or does it refer to the
products I want to develop?
I want to develop 32-bit/64-bit applications in parallel. That is to say, I need for instance the VTune
for both types of application.
But the system I am working with is 64-bit, from where I want to develop and investigate 64-bit and 32-bit applications.
0 Kudos
Hubert_H_Intel
Employee
1,142 Views
Thomas,
The full package includes both 32- and 64-bit products. The ia32 and intel64 packages contain the 32-bit and the 64-bit products respectively only. It's just a matter of "overhead". If someone needs the 32- OR 64-bit only, he can download and install the ia32 or intel64 package.
So for you the full package is the right one. But due to the possible malware problem in the full package you could alternatively download and install the 32- and the 64-bit packages.
I'm just testing Avira (and will run also other scanners).
Do you have a German Windows system?
Hubert.

0 Kudos
Thomas_Kochmann
Beginner
1,142 Views
Hubert said:
"I'm just testing Avira (and will run also other scanners).
Do you have a German Windows system?"

Fine. Thanks.

Yes, I have a German 64 bit Windows 7 ultimate system.

P.S:

0 Kudos
Hubert_H_Intel
Employee
1,142 Views
Thomas,
I found the TR/Rootkit.Gen now too in the file c_studio_xe_2011_update2_setup.exe with an Avira scan. We'll investigate.
I'll also check the ia32 and intel64 subpackages.
I'm sorry for any inconvenience this may cause you.
Hubert.
0 Kudos
Thomas_Kochmann
Beginner
1,142 Views
Hubert said:
"I'm just testing Avira (and will run also other scanners)."

Fine. Thanks.

Hubert said:
"Do you have a German Windows system?"

Yes, I do.
0 Kudos
Thomas_Kochmann
Beginner
1,142 Views
Hubert said:
"Thomas,
I found the TR/Rootkit.Gen now too in the file c_studio_xe_2011_update2_setup.exe with an Avira scan. We'll investigate.
I'll check also the ia32 and intel64 subpackages.
I'm sorry for any inconvenience this may cause you.
Hubert."

It's ok. Unfortunately, I cannot work with the ia32 and intel64 subsystems.

Maybe a recompilation of the whole thing could be a solution.

0 Kudos
Thomas_Kochmann
Beginner
1,142 Views
More information about the malware during installation:
Here is the error message (unfortunately it's in German):
"
In der Datei 'C:\Program Files (x86)\Intel\VTune Amplifier XE 2011\bin32\sepdrv\vtss.sys'
wurde ein Virus oder unerwünschtes Programm 'TR/Rootkit.Gen' [trojan] gefunden.
Ausgeführte Aktion: Zugriff erlauben
"
This means: the involved file is "vtss.sys" from the program part "VTune Amplifier XE 2011".
What is this file (i.e. C:\Program Files (x86)\Intel\VTune Amplifier XE 2011\bin32\sepdrv\vtss.sys) necessary for?
Is it OK if I just delete it?
Which function of the VTune Amplifier would be disrupted then?
0 Kudos
Hubert_H_Intel
Employee
1,142 Views

Thomas,
I did a lot of investigation and also involved our product engineering team, and our finding is the following:
It's a false malware alert from Avira AntiVir that is being issued only when the malware scan is done from a higher level of either the installation fileset or the installation of C++ Studio XE. When you scan the file vtss.sys directly from within (default) c:\Program Files (x86)\Intel\VTune Amplifier XE 2011\bin64\sepdrv\, Avira AntiVir doesn't report any virus findings. Please have a try.
My colleagues reported similar issues in the past with the VTune driver with Avira, but all of them turned out to be false alerts.

I personally didn't try out other scanners than McAfee and Avira AntiVir since I've already spent a lot of time in investigation. But my colleagues confirmed that the postings on the Intel Registration Center are malware-free. As long as the checksums of the downloaded files on your side match the list posted at http://software.intel.com/en-us/articles/intel-parallel-c-studio-xe-checksums/ you can be sure to have a malware-free installation fileset.

So I'd suggest installing the full package c_studio_xe_2011_update2_setup.exe and ignoring the malware alert. Would this be an acceptable solution for you?
Regards,
Hubert.

0 Kudos
Thomas_Kochmann
Beginner
1,142 Views
Hubert H. said:
"
When you scan the file vtss.sys directly from within (default) c:\Program Files (x86)\Intel\VTune Amplifier XE 2011\bin64\sepdrv\Avira Antivir doesn'treportany virus findings.
"

Well, that's true. But when you check the other vtss.sys from the bin32 directory, my AntiVir virus scan
*always* alerts the reported malware.
Thus, please check also the vtss.sys from the c:\Program Files (x86)\Intel\VTune Amplifier XE 2011\bin32\sepdrv\.

Hubert H. said:
"
So I'd suggest to install the full package c_studio_xe_2011_update2_setup.exe and ignore the malware alert.
"

Currently, in my personal situation, I can live without the 32-bit version of vtss.sys, because even though
I compile in 32 and 64 bit, I currently only use the VTune in 64-bit mode. (So I could live without
the 32-bit version of vtss.sys for some foreseeable time.)

Thank you very much for investing all that time in it. But it's not only my personal interest to work
with a virus-free environment, but also that of many other Intel customers in the world.

So I think it was really worth spending sufficient time on it, even though it could ultimately be in fact a false alarm. But this situation is similar to a doctor tracking down suspicious clinical symptoms of his/her patients. In order to really exclude a malignant disease, he/she sometimes must have performed many (partly very expensive) investigations (such as MRT etc.).

The worst thing which could happen to a programmer would be a spyware spying out
his valuable work. :-)

Hubert H. said:
"
But my colleagues confirmed that the postings on the Intel Registration Center are malware-free.
"

Avira might be too sensitive here, but we still cannot exclude the situation that a trojan programmer has successfully circumvented the security systems of Avira's colleagues such as McAfee & Co.
So my recommendation is (especially in your interest, i.e. the interest of Intel's reputation and worldwide customers) to keep track of this matter. This might mean a lot of additional work, especially for your technical colleagues. But it's worth it. The next update should be without any Avira malware alarm.

(Once, just to tell you an anecdote, my own programming code led to an Avira AntiVir alert (on my own system during programming). I was sure that
everything must have been OK, since compiling it with a special compiler (I don't want to tell its name, it was *not* Intel's one!) *reproducibly* led to a binary sequence with a "malware alarm" by Avira on different Windows machines. Finally I had to change some lines of code slightly in order to avoid this false alarm,
because it is almost impossible to tell the customers that the virus alarm is a false one.)

I know that keeping track takes time. But meanwhile it might be better for someone dependent on the bin32 vtss.sys to maybe use the update 1 file (where Avira "says" that everything is OK) than to use the questionable 32-bit version of vtss.sys.

Anyway, what is vtss.sys useful for? Do we really need it?

Just to give some further help for your colleagues, here are the checksums of my two versions of vtss.sys:

bin32\
1872444319 78200 vtss.sys (this file-locking virus alarm also occurs just when I only use cksum here,
so I had to temporarily deactivate Avira to use cksum here)

bin64\
1341978827 75640 vtss.sys
0 Kudos
Hubert_H_Intel
Employee
1,142 Views
Thomas,
Thank you very much for your follow up. Yes, I found the alert on the 32-bit vtss.sys too. The Avira AntiVir Guard popped up after I've installed the package saying that there is a possible malware in vtss.sys. So we will investigate further.
Hubert.
0 Kudos
Thomas_Kochmann
Beginner
1,142 Views
Hubert,

there is also some good news. I've just tested VTune on a 32-bit system after having deleted
the 32-bit vtss.sys. At least the valuable hotspot analysis works as well as under 64 bit.

(Amusing and not too serious: I've just googled for "vtss.sys" and found this here:
"Vehicle Theft Security System".sys.
Maybe that's the reason that my VTune doesn't complain, because I haven't installed
it on my car theft security system. So unless I want to connect my car to VTune Amplifier,
I wouldn't need it. :-) )

Thomas
0 Kudos
Hubert_H_Intel
Employee
954 Views
Thomas,
vtss.sys isn't really required to operate the VTune Amplifier XE. It's useful for stability purposes under certain operation modes. Since only the 32-bit vtss.sys is affected, you can delete that file from (default) c:\Program Files (x86)\Intel\VTune Amplifier XE 2011\bin32\sepdrv\ or let Avira AntiVir repair the system.
So I think this will help you for now. We will follow up on investigation of the issue and I'll keep you advised.
Regards,
Hubert.
0 Kudos