TC damages zip archives with 'rar' extension
I have some zip archives with 'rar' extension on HDD. They're called '*.rar' not because they're packed by the RAR archiver, but because they're Java Resource Adapter aRchives (the forum doesn't allow me to insert a link to the describing doc at java-dot-sun-dot-com).
When TC is idle for a long period of time (~15 min), it initiates a file system scan through all hard drives (use Process Monitor to catch it scanning files). During this, it accesses these 'rar's and appends the '00 7A 7A 30 30 31 65 00' byte sequence to them. After that TC itself is still able to unpack them, but Java fails. If a Java application server supporting hot deployment is running, it fails within a couple of seconds after the files are damaged. And it's necessary to repair the application server installation.
I've renamed the 'Plugins' subfolders so TC doesn't see them, disabled all plugins and thumbnail caching in TC. None of these helped. After a system reboot and being idle for about 15 min, TC damages the restored files again.
It may happen that not TC itself but, let's say, unrar.dll (distributed together with it) damages these files. Anyway, what is the need to scan the file system? The scanning itself is done weirdly. TC opens tons of file handles. They remain open until the end, slow down Process Explorer, and it takes one minute to close TC with all these handles on a 4-core Phenom 9550 with 8 GB RAM. I wonder what TC does with my file system when I've never asked it for anything. It should not even try.
WinXP-64 SP2.
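The post above describes an archive that one reader (TC) still unpacks while another (Java) rejects, after eight bytes were appended to it. A zip archive has a well-defined logical end: the End Of Central Directory record plus its optional comment, so anything past that point is foreign data. The following checker is an added example, not code from the thread or from Total Commander; it builds a small constructed zip in memory, appends the byte sequence the post reports, and shows that the trailing bytes are detectable even though Python's own zipfile reader, like TC, still opens the archive. A reader that insists the EOCD record sit at the very end of the file will reject such an archive, which is the kind of difference that makes one consumer fail while another keeps working.

```python
import io
import struct
import zipfile

# Byte sequence the post above reports being appended to the archives.
APPENDED = bytes.fromhex("00 7A 7A 30 30 31 65 00")

EOCD_SIG = b"PK\x05\x06"   # End Of Central Directory record signature
EOCD_FIXED_LEN = 22        # fixed part of the record; a comment may follow it


def trailing_bytes(data: bytes) -> bytes:
    """Return whatever follows the logical end of a zip archive.

    A zip ends with the EOCD record: 22 fixed bytes plus an optional comment
    whose length is stored in the last two bytes of the fixed part.  Bytes
    after that are not part of the archive at all.
    """
    # The comment is at most 65535 bytes, so the EOCD signature of a
    # well-formed archive lies within the last 65535 + 22 bytes.
    window_start = max(0, len(data) - (0xFFFF + EOCD_FIXED_LEN))
    pos = data.rfind(EOCD_SIG, window_start)
    if pos < 0:
        raise ValueError("no EOCD record: not a zip archive, or truncated")
    if pos + EOCD_FIXED_LEN > len(data):
        raise ValueError("EOCD record cut short: truncated archive")
    (comment_len,) = struct.unpack_from("<H", data, pos + 20)
    logical_end = pos + EOCD_FIXED_LEN + comment_len
    if logical_end > len(data):
        raise ValueError("EOCD comment runs past end of file: truncated archive")
    return data[logical_end:]


def python_can_read(data: bytes) -> bool:
    """True if Python's zipfile opens the archive and every entry's CRC checks out."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def check_archive(data: bytes) -> dict:
    """Summarise one archive: is it clean, what trails it, is it still readable."""
    extra = trailing_bytes(data)
    return {
        "clean": extra == b"",
        "trailing_hex": extra.hex(" ").upper(),
        "still_readable": python_can_read(data),
    }


def build_sample_archive() -> bytes:
    """Construct a small in-memory zip standing in for a '.rar'-named Java archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/ra.xml", "<connector/>\n")          # constructed sample
        zf.writestr("lib/adapter.jar", b"placeholder jar bytes")  # constructed sample
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_archive()
    print("clean archive:   ", check_archive(clean))
    print("after tampering: ", check_archive(clean + APPENDED))
```

Running it on real files is a matter of passing `Path(...).read_bytes()` to `check_archive`; a non-empty `trailing_hex` on an archive nobody intentionally commented is the thing to investigate, and comparing it against a stored hash of the original is the cheapest way to confirm the file changed at all.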
It sounds like you got a virus.
License #524 (1994)
Danish Total Commander Translator
TC 11.51 32+64bit on Win XP 32bit & Win 7, 8.1 & 10 (22H2) 64bit, 'Everything' 1.5.0.1391a
TC 3.60b4 on Android 6, 13, 14
TC Extended Menus | TC Languagebar | TC Dark Help | PHSM-Calendar
- ghisler(Author)
I can confirm that TC doesn't perform any harddisk scans. I recommend that you upload totalcmd.exe to www.virustotal.com to verify whether it is infected or not, and also make a complete scan of your system (preferably from a clean boot CD).
Author of Total Commander
https://www.ghisler.com
ghisler(Author) wrote: I can confirm that TC doesn't perform any harddisk scans. I recommend that you upload totalcmd.exe to www.virustotal.com to verify whether it is infected or not, and also make a complete scan of your system (preferably from a clean boot CD).
But your CRC check should detect file changes, shouldn't it?
If the virus uses some kind of DLL injection, the TC executable file will be left untouched, and the virus will operate in TC's process environment.
- ghisler(Author)
Well, it could be a cracked version which was infected, they normally disable the EXE check. But the DLL injection is also possible. One more reason to scan from a clean boot CD.
Author of Total Commander
https://www.ghisler.com
ghisler(Author) wrote: Well, it could be a cracked version which was infected, they normally disable the EXE check. But the DLL injection is also possible. One more reason to scan from a clean boot CD.
You're right, the EXE is fine (it's the default 1-2-3 button variant), but one of the plugins (puzzle.wcx, a third-party one) is infected with (or includes?) bullshitware which is using DLL injection. Nod32 under a clean OS, as you recommended, caught it.
Thanks, guys!
Balderstrom wrote: There was a Delphi-infection warning a few weeks (~month) ago -- basically it was infecting compiled Delphi code. So if you had Delphi installed your library might be infected if this virus was able to get onto your machine -- then any code you compiled/distributed spread the virus.
Well... I have no Delphi. I am a happy Win32/PSW.Legendmir.NHT trojan user.

It puts Lpk.dll or Usp10.dll near almost every *.exe file, so it is actually not a DLL injection. There are same-named DLLs somewhere in windows/system32/... or so. If an executable refers to any of these DLLs, Windows first looks for it near the *.exe and, if none is found, in the system folders. So, if the fake DLL is found, it's used instead of the system one.
What is really annoying is that this trojan puts its DLLs into zip archives.
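The post above describes DLL search-order hijacking: a copy of a legitimate system library (here Lpk.dll or Usp10.dll) placed in the same folder as an executable is loaded in preference to the real one in the system directory, and the same copies are also dropped into zip archives. The detection below is an added example, not code from the thread or from any antivirus product; it walks a directory tree and reports (a) watched DLL names sitting beside an .exe outside the system directory and (b) zip-format archives, including zip files that carry a .rar extension as in this thread, containing an entry with one of those names. The tree it scans is a constructed throw-away sample built in a temp directory; the library names come from the post, and the 'Windows/System32' location used to whitelist the genuine copies is an assumption about where the real files live.

```python
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

# Library names the post above reports being planted beside executables.
# Both are legitimate Windows libraries, so the name alone proves nothing;
# the signal is a copy sitting next to an .exe outside the system directory.
WATCH_NAMES = frozenset({"lpk.dll", "usp10.dll"})


def _under(path: Path, roots) -> bool:
    """True if path is one of roots or lies beneath one of them."""
    return any(path == r or r in path.parents for r in roots)


def find_planted_dlls(root, watch_names=WATCH_NAMES, system_dirs=()):
    """List (dll_path, [exe names]) for watched DLLs that sit beside .exe files.

    Directories inside system_dirs are skipped: that is where these DLLs
    legitimately live, so a copy there is not the search-order pattern.
    """
    skip = [Path(p).resolve() for p in system_dirs]
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        here = Path(dirpath).resolve()
        if _under(here, skip):
            continue
        exes = sorted(n for n in filenames if n.lower().endswith(".exe"))
        if not exes:
            continue  # a lone DLL with no executable beside it is not the pattern
        for name in filenames:
            if name.lower() in watch_names:
                hits.append((str(here / name), exes))
    return sorted(hits)


def find_dlls_in_archives(root, watch_names=WATCH_NAMES,
                          suffixes=(".zip", ".jar", ".rar")):
    """List (archive_path, [entries]) for zip-format archives carrying a watched DLL.

    '.rar' is included because, as in this thread, zip-format archives may carry
    that extension; genuine RAR files fail the is_zipfile test and are skipped.
    """
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        if not zipfile.is_zipfile(path):
            continue
        with zipfile.ZipFile(path) as zf:
            bad = sorted(n for n in zf.namelist()
                         if n.rsplit("/", 1)[-1].lower() in watch_names)
        if bad:
            hits.append((str(path.resolve()), bad))
    return hits


def build_demo_tree() -> Path:
    """Construct a throw-away directory tree (constructed sample, not real data)."""
    root = Path(tempfile.mkdtemp(prefix="dllscan_"))
    sys32 = root / "Windows" / "System32"          # assumed genuine location
    sys32.mkdir(parents=True)
    (sys32 / "usp10.dll").write_bytes(b"genuine copy")
    app = root / "apps" / "tool"
    app.mkdir(parents=True)
    (app / "tool.exe").write_bytes(b"MZ")           # an executable
    (app / "lpk.dll").write_bytes(b"planted copy")  # hijack candidate: reported
    libs = root / "apps" / "libs"
    libs.mkdir()
    (libs / "lpk.dll").write_bytes(b"no exe here")  # nothing to hijack: not reported
    deploy = root / "deploy"
    deploy.mkdir()
    with zipfile.ZipFile(deploy / "adapter.rar", "w") as zf:  # zip named .rar
        zf.writestr("META-INF/ra.xml", "<connector/>")
        zf.writestr("lib/usp10.dll", b"planted inside archive")
    return root


def remove_demo_tree(root) -> None:
    """Delete the constructed sample tree."""
    shutil.rmtree(root)


def scan(root) -> dict:
    """Run both checks over a tree and return the findings."""
    root = Path(root)
    return {
        "beside_exe": find_planted_dlls(root, system_dirs=[root / "Windows" / "System32"]),
        "in_archives": find_dlls_in_archives(root),
    }


if __name__ == "__main__":
    demo = build_demo_tree()
    try:
        for kind, findings in scan(demo).items():
            print(kind)
            for location, detail in findings:
                print("  ", location, detail)
    finally:
        remove_demo_tree(demo)
```

On a real machine you would call `find_planted_dlls("C:\\", system_dirs=[r"C:\Windows\System32", r"C:\Windows\SysWOW64"])` and `find_dlls_in_archives` over the directories you deploy from; every hit is then a file to hash and compare against the copy in the system directory rather than something to delete blindly, since a few applications legitimately ship private copies of system libraries.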

- ghisler(Author)
Thanks for the info. Which puzzle.wcx do you mean? The one on totalcmd.net is clean, just checked it on virustotal:
http://www.totalcmd.net/plugring/PUZZLE.html
Only 2 scanners find it suspicious because it seems to be exe-packed.
Author of Total Commander
https://www.ghisler.com