Trojan Found in Setup.exe on Build 16385 x86 ISO Image!

[rck01]

Well, maybe that LeBlanc fellow had a point about bogus ISO images. I just fired up setup.exe from an image of the x86 Build 7600.16385 leak under my current build 7264 installation and look what Microsoft Security Essentials found (see attached image).

Note: The ISO in question has the following Filename and Hash Info:

7600.16385.090713-1255_x86fre_client_en-us_Retail_Ultimate-GRMCULFRER_EN_DVD.iso
SHA1: 2ebdb1f65fbf5aaf38d4fb39ea4e658389a25ea3
MD5: b49d1c065de9be078abe5bbafc5a304d
CRC32: 65b9f574

So, I guess we all still need to be careful after all. Needless to say, stay FAR AWAY from this image.

RCK

 

[andych]

Well, maybe that LeBlanc fellow had a point about bogus ISO images. I just fired up setup.exe from an image of the x86 Build 7600.16385 leak under my current build 7264 installation and look what Microsoft Security Essentials found (see attached image).

Note: The ISO in question has the following Filename and Hash Info:

7600.16385.090713-1255_x86fre_client_en-us_Retail_Ultimate-GRMCULFRER_EN_DVD.iso
SHA1: 2ebdb1f65fbf5aaf38d4fb39ea4e658389a25ea3
MD5: b49d1c065de9be078abe5bbafc5a304d
CRC32: 65b9f574

So, I guess we all still need to be careful after all. Needless to say, stay FAR AWAY from this image.

RCK

Did you check that the hash values match what was quoted....do those hash values match others that are easilly found out there?

The good thing is that Microsoft Security Essentials found it I guess.
As with all the leaks up till now....it is always best to check them thoroughly before installing...as you have found.

 

[Zidane24]

This is strange...When I thorughly tested this build MSE popped up with nothing...where did you get the build from...there are alot of fakes flying around...

 

[rck01]

I'm normally pretty careful...

...about this sort of thing. In fact, I checked the hash values for the x64 build I installed on my Lenovo W700ds and they matched up fine. I guess I just got lazy with this build - the x86 version was so hard to find, and there were so many different permutations (assembled from either the Chinese dude or Wzor), that when I finally did get a working torrent I assumed any hash mismatches were the result of too many copies from too many sources. That, and it runs just fine under VMware Workstation - version stamps on explorer.exe and others looked good (7600.16385). No real reason to doubt it was a working build...until now!

Oh well, lesson learned!

RCK

 

[Zidane24]

...about this sort of thing. In fact, I checked the hash values for the x64 build I installed on my Lenovo W700ds and they matched up fine. I guess I just got lazy with this build - the x86 version was so hard to find, and there were so many different permutations (assembled from either the Chinese dude or Wzor), that when I finally did get a working torrent I assumed any hash mismatches were the result of too many copies from too many sources. That, and it runs just fine under VMware Workstation - version stamps on explorer.exe and others looked good (7600.16385). No real reason to doubt it was a working build...until now!

Oh well, lesson learned!

RCK

Hey no big deal...The fact you posted your results and you tried to warn people overshadows the mistake...well done for spending the time to post

 

[Orbital Shark]

The main issue is that because there was never an actual ISO released the hash values can change all over the gaff so tracing it is like trying to find a needle in a hay stack (so to say).

Unfortunately, as you say

lesson learned!

 

[Tews]

I guess the moral of the story is ..... The price of freedom is vigilance...

 

[rck01]

Very weird!

@Zidane24,

Well, I just re-scanned setup.exe directly on my x64 system and, again, it got a hit on the Trojan. You're saying you've used this same build without incident? Very odd, indeed! I'm going to fire-up that VM I tested it in originally (prior to launching it directly on its intended upgrade target, my HP Mini 2140) and see if installed MSE into the "infected" VM triggers another hit.

RCK

 

[droalex]

If I installed it, Will a antivirus search find it still?

 

[Hedrush]

People need to be careful and get there builds from a reputable source. If you just grab any old iso from the internet with a build number your gonna get grief.

 

[masterB]

Does not look like a good hash.
According to our russian friends this is the good hash:

SIZE: 2,501,892,096 byte
SHA1: 4fb88ed0e763a0cd82d388e7fdaabd10fc0846d1
MD5: c7102805815abb3b6b4796a8cc3fb008

 

[dan7777]

these are mine from wzor can anyone confirm these are good ?SHA1: 29d32ad89b7eb05033974c99f8fc41d06f36a58c
MD5: 4171999e05724d309a62104d83485d69

 

[droalex]

If someone knows if this is clean I'll appreciate it
CRC32: 61AD5BB2
MD5: 351712FB063012113D86AB061DCA1E5B
SHA-1: 32DA9836D1C2BD48553AADCDBD4CD4EB19AC860B

Edit:Just Scanned them this one is clean.

 

[masterB]

these are mine from wzor can anyone confirm these are good ?SHA1: 29d32ad89b7eb05033974c99f8fc41d06f36a58c
MD5: 4171999e05724d309a62104d83485d69

Dan lol yours are good but for x64!

He is talking about x86!

 

[Zidane24]

Hm...well this might not matter much anymore...Windows 7 has been Officially announced RTM

 

[masterB]

Hm...well this might not matter much anymore...Windows 7 has been Officially announced RTM

NO WAY! Where??

 

[Zidane24]

Windows 7 Has Been Released to Manufacturing - Windows 7 Team Blog - The Windows Blog

 

[rck01]

Curiouser and Curiouser

Well, now when I run MSE from within a VM that was installed via this ISO I get no hits - unless I scan the ISO itself, in which case setup.exe is again flagged. Looks like whatever payload it carries, it doesn't impact the ultimate contents of the main WIM file. However, it could infect any system attempting to run it directly as part of an attempted upgrade, etc.

Regardless, I'm nuking this contaminated version and grabbing the real deal as soon as the just announced RTM images leak...

RCK

 

[pparks1]

Well, thanks for posting this. I have been concerned about this type of thing since day 1 and I always catch grief from people saying this sort of stuff doesn't happen and that I have bought into the MS FUD.....well it does happen.....even to the good people who take the necessary steps, precautions and "usually" get their stuff from a reputable source.