VMware Communities
Darkwoof
Contributor

Possible worm in Workstation 6.5.3 download?

Hi, has anyone downloaded VMware Workstation 6.5.3 recently? I wrote in to security@vmware.com several days ago and have so far not received a reply, nor seen any changes to the download file made available. Since my 30-day complimentary support has expired, I can't create a support request. I was wondering if anyone downloaded the file and encountered the same issue. This is the email I sent:

-


Hi,

I just re-downloaded VMware Workstation 6.5.3 for Windows 32-bit and 64-bit via the Download link in my account. From the download link at

I received a 507MB file which I tried to run. My Comodo Internet Security notified me that it detected a worm "VBS.LoveLetter.Y@5512" in the "Codec.cab" file that was generated by the installer.

Could you check?

Thanks.

0 Kudos
5 Replies
joe1600
Enthusiast

Hi,

But I think this worm would be in your system from sources other than the VMware download source, because I downloaded the trial and installed it on my XP Pro x64 with SP2, running Comodo Internet Security version 3.5.

I didn't get such an error. It could be that when you ran the installer for Workstation, somehow this worm was detected by Comodo and it would have got attached to the .cab file, maybe.

Anyway, try again.

regards

Joe

Joe Joseph, Thanks in Advance. If you find my reply useful, feel free to mark it as Helpful or Correct.
0 Kudos
Darkwoof
Contributor

Hmm... I'll try to run a system-wide scan and see how it goes. I'm using Comodo IS 3.12 with the latest definitions. After I quarantined the infected files, the installation ran for a while before failing when it couldn't find the required file. I ran the installer again, and again the same codec.cab file was reported to be infected.

0 Kudos
Darkwoof
Contributor

Nope, I found where the installer unpacks its files, deleted everything in the directory and did a scan. No other worms found. Ran the installer, it created a directory C:\Documents and Settings\MyUserName\Local Settings\Temp\{A3FF5CB2-FB35-4658-8751-9EDE1D65B3AA}~setup and Comodo popped up the worm detection warning again. I checked the directory and the codec.cab file was just created. I clicked on Quarantine inside Comodo, and the file disappeared from the directory. I really do suspect the worm (if there is one) is inside the packed codec.cab file. The other possibility is that it is a false positive. Is there any way to get VMware to check? 'Cause it's not too viable to try to upload the 507MB file to Comodo to verify on my upstream.

For those of you who downloaded the trial, is it the same 507MB file? The filename is VMware-workstation-6.5.3-185404.exe.

EDIT: I just downloaded the previous version, 6.5.2, and gave it a go. While this also unpacks a codec.cab file, Comodo did not detect any anomaly. I believe the infected file lies in the 6.5.3 download which was released on 31st Aug 2009.

0 Kudos
Joe1948
Enthusiast

Take the quarantined file and use Virus Total to see if it is a false positive. Jotti is another place to double check.

Joe

0 Kudos
Darkwoof
Contributor

Hm... both sites appear to indicate that it is a false positive. Strangely, if I un-quarantine the file and do a manual scan on it, it's flagged as 'clean' by Comodo as well. Odd indeed.

Thanks for the help!

0 Kudos