Trojan Found in Setup.exe on Build 16385 x86 ISO Image!


  1. Posts : 21
    Peanut Butter & Jelly.
       #1

    Trojan Found in Setup.exe on Build 16385 x86 ISO Image!


    Well, maybe that LeBlanc fellow had a point about bogus ISO images. I just fired up setup.exe from an image of the x86 Build 7600.16385 leak under my current build 7264 installation and look what Microsoft Security Essentials found (see attached image).

    Note: The ISO in question has the following Filename and Hash Info:

    7600.16385.090713-1255_x86fre_client_en-us_Retail_Ultimate-GRMCULFRER_EN_DVD.iso
    SHA1: 2ebdb1f65fbf5aaf38d4fb39ea4e658389a25ea3
    MD5: b49d1c065de9be078abe5bbafc5a304d
    CRC32: 65b9f574

    So, I guess we all still need to be careful after all. Needless to say, stay FAR AWAY from this image.

    RCK
    Attached Thumbnails: Trojan Found in Setup.exe on Build 16385 x86 ISO Image!-trojan.png


  2. Posts : 449
    Windows 7 RTM Ultimate - Activated (Technet)
       #2

    rck01 said:
    Well, maybe that LeBlanc fellow had a point about bogus ISO images. I just fired up setup.exe from an image of the x86 Build 7600.16385 leak under my current build 7264 installation and look what Microsoft Security Essentials found (see attached image).

    Note: The ISO in question has the following Filename and Hash Info:

    7600.16385.090713-1255_x86fre_client_en-us_Retail_Ultimate-GRMCULFRER_EN_DVD.iso
    SHA1: 2ebdb1f65fbf5aaf38d4fb39ea4e658389a25ea3
    MD5: b49d1c065de9be078abe5bbafc5a304d
    CRC32: 65b9f574

    So, I guess we all still need to be careful after all. Needless to say, stay FAR AWAY from this image.

    RCK
    Did you check that the hash values match what was quoted....do those hash values match others that are easily found out there?

    The good thing is that Microsoft Security Essentials found it I guess.
    As with all the leaks up till now....it is always best to check them thoroughly before installing...as you have found.


  3. Posts : 5,807
    Windows 7 Home Premium x64 - Mac OS X 10.6.4 x64
       #3

    This is strange...When I thoroughly tested this build MSE popped up with nothing...where did you get the build from...there are a lot of fakes flying around...


  4. Posts : 21
    Peanut Butter & Jelly.
    Thread Starter
       #4

    I'm normally pretty careful...


    ...about this sort of thing. In fact, I checked the hash values for the x64 build I installed on my Lenovo W700ds and they matched up fine. I guess I just got lazy with this build - the x86 version was so hard to find, and there were so many different permutations (assembled from either the Chinese dude or Wzor), that when I finally did get a working torrent I assumed any hash mismatches were the result of too many copies from too many sources. That, and it runs just fine under VMware Workstation - version stamps on explorer.exe and others looked good (7600.16385). No real reason to doubt it was a working build...until now!

    Oh well, lesson learned!

    RCK


  5. Posts : 5,807
    Windows 7 Home Premium x64 - Mac OS X 10.6.4 x64
       #5

    rck01 said:
    ...about this sort of thing. In fact, I checked the hash values for the x64 build I installed on my Lenovo W700ds and they matched up fine. I guess I just got lazy with this build - the x86 version was so hard to find, and there were so many different permutations (assembled from either the Chinese dude or Wzor), that when I finally did get a working torrent I assumed any hash mismatches were the result of too many copies from too many sources. That, and it runs just fine under VMware Workstation - version stamps on explorer.exe and others looked good (7600.16385). No real reason to doubt it was a working build...until now!

    Oh well, lesson learned!

    RCK
    Hey no big deal...The fact you posted your results and you tried to warn people overshadows the mistake...well done for spending the time to post


  6. Posts : 6,305
    Windows 7 Ultimate x64
       #6

    The main issue is that because there was never an actual ISO released the hash values can change all over the gaff so tracing it is like trying to find a needle in a haystack (so to say).

    Unfortunately, as you say
    lesson learned!
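
The check asked about in post #2 and skipped in post #4, as an added example that is not part of any post in this thread: it reads an image once, computes the three digests listed in the first post, and rejects the image on any mismatch. The function names and the small stand-in file are assumptions; the reference digests have to come from a source trusted independently of the download.

```python
import hashlib
import os
import tempfile
import zlib


def digest_file(path, chunk_size=1 << 20):
    """Read the file once and return its SHA1, MD5 and CRC32 as lowercase hex."""
    sha1, md5, crc = hashlib.sha1(), hashlib.md5(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha1.update(chunk)
            md5.update(chunk)
            crc = zlib.crc32(chunk, crc)
    return {"SHA1": sha1.hexdigest(), "MD5": md5.hexdigest(),
            "CRC32": f"{crc & 0xFFFFFFFF:08x}"}


def verify_image(path, reference, chunk_size=1 << 20):
    """Return (ok, mismatched_names). Any mismatch rejects the image."""
    wanted = {k.upper(): v.strip().lower() for k, v in reference.items()}
    # CRC32 is a checksum, not a cryptographic hash: it only catches accidental
    # corruption, so a reference with CRC32 alone is treated as no reference.
    if not ({"SHA1", "MD5"} & wanted.keys()):
        return False, ["no cryptographic digest in reference"]
    actual = digest_file(path, chunk_size)
    bad = sorted(n for n, v in wanted.items() if actual.get(n) != v)
    return not bad, bad


def demo():
    """Constructed sample: a small stand-in file, then a one-byte change."""
    data = b"constructed stand-in for an ISO image\n" * 1000
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.iso")
        bad = os.path.join(tmp, "tampered.iso")
        with open(good, "wb") as fh:
            fh.write(data)
        with open(bad, "wb") as fh:
            fh.write(data[:-1] + b"X")
        reference = digest_file(good)  # stands in for a trusted published list
        return verify_image(good, reference), verify_image(bad, reference)


if __name__ == "__main__":
    print(demo())
```

A match only shows the file is the same one the reference describes, so the result is worth no more than the source of the reference values.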


  7. Posts : 11,840
    64-bit Windows 8.1 Pro
       #7

    I guess the moral of the story is ..... The price of freedom is vigilance...


  8. Posts : 21
    Peanut Butter & Jelly.
    Thread Starter
       #8

    Very weird!


    @Zidane24,

    Well, I just re-scanned setup.exe directly on my x64 system and, again, it got a hit on the Trojan. You're saying you've used this same build without incident? Very odd, indeed! I'm going to fire up that VM I tested it in originally (prior to launching it directly on its intended upgrade target, my HP Mini 2140) and see if installing MSE into the "infected" VM triggers another hit.

    RCK


  9. Posts : 20
    Windows 7
       #9

    If I installed it, will an antivirus search find it still?


  10. Posts : 168
    Windows 7 Build 7600.16385 (Clean Install)
       #10

    People need to be careful and get their builds from a reputable source. If you just grab any old ISO from the internet with a build number you're gonna get grief.


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
