Author Topic: Help! Possible malware in Apophysis installer!  (Read 405 times)
Description: What are the "bad parts", and how do I avoid them and still see the fractals?
Collin237
Forums Newbie
*
Posts: 8


« on: April 02, 2013, 09:21:52 AM »

I downloaded the Apophysis Screen Saver from Source Forge, and I got a warning from Eset Nod32 that it may contain "W32.Statik". This wasn't listed in the Eset encyclopedia, so I contacted the Eset technicians and they analyzed the file. They said there actually is something suspicious in the file.

Does anyone have any advice on this?
Logged
taurus
Fractal Supremo
*****
Posts: 1175



« Reply #1 on: April 02, 2013, 09:41:21 AM »

Don't know really, but if you mean the electric sheep, I would assume it builds up a remote connection, because it uses your free cpu power for crowdsourced fractal calculations.
One can interpret this as malware behaviour.

http://en.wikipedia.org/wiki/Electric_Sheep
http://www.electricsheep.org/
Logged

when life offers you a lemon, get yourself some salt and tequila!
Apophyster
Conqueror
*******
Posts: 124


« Reply #2 on: April 02, 2013, 06:37:47 PM »

I'm sure he means the Apophysis Screen Saver which can be downloaded from Sourceforge.
AFAIK, Electric Sheep Screen Saver is not available at Sourceforge.

That program is very old though, and perhaps Collin237 is looking for a normal version of Apophysis which would be a different download at the same "Apophysis" Sourceforge site.

Over the years, I might add, people have, on various lists, and at various forums -- and even in the comments on the Sourceforge Apophysis page -- reported that some AV program detected a virus in an Apophysis download.
In the not too distant future I suspect people will have to be worrying about whether their coffee makers, thermostats, and/or vacuum cleaners have contracted a virus. :-//

Collin237, you may want to write a note to Sourceforge support, or whomever, and let them know about the virus report.  I would expect Sourceforge would do its best to prevent programs with malware from becoming available as downloads from the site.
Just a thought.

Fred E
Logged

Rice, wheat and corn make the world go round.
Love and money are just passengers.
Friendliness is the destination.
PhotoComix
Strange Attractor
***
Posts: 276


« Reply #3 on: April 04, 2013, 01:12:29 AM »

I still receive complaints every week about viruses found inside programs hosted on my Sourceforge page (not talking of Apophysis but of GIMP, but the problem is identical). Obviously there is not any virus or malware there; simply, one of the gazillions of viruses and malware has a structure vaguely similar to a component used to allow portability in the programs I host, and that is sufficient to trigger the alarm.

As far as I know it is a serious problem for all developers not working for big companies (such as Adobe) and providing software for Windows, and there is no possible solution from the developers' side, since the errors are from the antivirus, and only those who produce the antivirus could fix the issues (but they seldom do, and in case they do it is with much delay).

More exactly, it is the "heuristic" detection method that very often fails and produces false positives, and it can't be avoided, since the point of "heuristic" detection is to detect new malware that is not in the database, and that may be done only by similarity ... and that very often leads to false positives.

I believe that only an international law, forcing the antivirus companies to generously refund all developers damaged by the false positives, could in the future minimize the problem.

Because not only is it hard to fix, but it is not commercially convenient to fix it: the more alerts an antivirus gives, the better it seems, and so the more it will expand its market; the fewer alerts it gives, the crappier it seems. And since only a very small minority of users will take the risk to check how many of the alerts are false positives, it is totally against the commercial interest of all antivirus companies to solve the problem.

« Last Edit: April 04, 2013, 01:33:39 AM by PhotoComix » Logged
Apophyster
Conqueror
*******
Posts: 124


« Reply #4 on: April 04, 2013, 04:46:37 PM »

Photocomix,
Thanks for adding the details.  And I see now other problems associated with false positives that did not occur to me earlier.  Simpler explanations were given for Apophysis downloads when some AV identified problems and that was good enough for me.
However, I had to deal with the *common* fear that arises in people when they're trapped in a kind of fractal recurrence, in varying shades, of the sentiment: "you don't know who to trust anymore."

It's bound to be an immensely complicated problem in its entirety when so many myriad angles and "takes" of the virus bugaboo are considered from the many different perspectives from which that impetuous hazard is seen.

Fredsme
Logged

Rice, wheat and corn make the world go round.
Love and money are just passengers.
Friendliness is the destination.
Collin237
Forums Newbie
*
Posts: 8


« Reply #5 on: April 04, 2013, 07:58:29 PM »

Nod32 detected it as a "possible" threat, with a help message that briefly explained false positives, and there is an option to ignore the warning. I sent the Nod32 staff the installer file for analysis, and a technician said he personally examined it and confirmed that it's suspicious, and he was forwarding it to the lab where it might be listed as a known threat in a further update.

So this isn't just an overactive heuristic. And it isn't a case of inaction either; the technician responded in only a day or two.

So I'm assuming the problem is with Source Forge.
Logged
blob
Strange Attractor
***
Posts: 272



« Reply #6 on: April 05, 2013, 03:47:53 AM »

I have uploaded this file to VirusTotal and only one of 46 antiviruses, Symantec, flagged it as "WS.Reputation.1". I googled WS.Reputation.1 and the Symantec page discussing it is well worth reading to understand how insane "malware" detection has become with some companies...

https://www.virustotal.com/en/file/b33c066a254d0f99535a2e97518f9628166fe705adeb6abbf325afe9ecf7356f/analysis/

http://community.norton.com/t5/Norton-Internet-Security-Norton/Clarification-on-WS-Reputation-1-detection/td-p/232155



Logged
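
Added example, not part of any post in this thread: a multi-engine scan result only applies to a download if the local file is byte-identical to the one that was scanned, so this Python sketch extracts the SHA-256 from the VirusTotal link in Reply #6 and compares it with the hash of a local file. The script name `check.py` and the installer path given on the command line are assumptions; the hash is the one in the posted URL.

```python
import hashlib
import hmac
import re
import sys

# VirusTotal link exactly as posted in Reply #6.
VT_URL = ("https://www.virustotal.com/en/file/"
          "b33c066a254d0f99535a2e97518f9628166fe705adeb6abbf325afe9ecf7356f"
          "/analysis/")


def sha256_from_vt_url(url):
    """Return the lowercase SHA-256 embedded in a VirusTotal file URL."""
    match = re.search(r"/file/([0-9a-fA-F]{64})(?:/|$)", url)
    if match is None:
        raise ValueError("URL does not contain a SHA-256 file hash")
    return match.group(1).lower()


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def report_covers_file(path, url=VT_URL):
    """True only if the local file is byte-identical to the scanned one."""
    return hmac.compare_digest(sha256_of_file(path), sha256_from_vt_url(url))


if __name__ == "__main__":
    # Hypothetical usage: python check.py <path-to-downloaded-installer>
    if len(sys.argv) != 2:
        sys.exit("usage: check.py <path-to-downloaded-installer>")
    if report_covers_file(sys.argv[1]):
        print("match: the linked scan result is for this exact file")
    else:
        print("MISMATCH: the linked scan result is for a different file")
        sys.exit(1)
```

A mismatch means the linked verdict says nothing about the local copy, which then needs its own scan.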
Apophyster
Conqueror
*******
Posts: 124


« Reply #7 on: April 05, 2013, 12:33:10 PM »

Ok, then I don't question the report so much.
If it means anything, a file *by the name* Apophysis Screen Saver has been available at Sourceforge since I can remember.  That would go back at least to 2006.
Earlier I remember an Apophysis Screen Saver available somewhere else on the web.  I don't remember where, but I was not aware of the program Apophysis at the time.
The first version of Apophysis I knew about was by the original author Mark Townsend.
I have always seen that the author of the Apophysis Screen Saver is Ronald Hordijk, and that name has always appeared in any of the versions of Apophysis I've used, in the "About" pane of information.

S'pose none of that means so very much.
Or answers the question "who put the virus in the download package?".
;-//
Fred
Logged

Rice, wheat and corn make the world go round.
Love and money are just passengers.
Friendliness is the destination.