Trojans in my plugins?!?

[KBW]

2 days ago some of my plug-ins stopped working, and my Kaspersky anti-virus warned me of trojans, finding 18 in the plug-in folders. Now, I don't recall if the warning came before or after the plug-ins stopped working.

So I loaded the files onto my bosses computer, he never uses VW. All was fine, then his Kaspersky anti-virus warned me of the same trojans! I'm afraid to do the scan and possibly screw up the VW on that computer - I'm terrified of losing all my symbols etc.

I've removed VW from my PC and am about to re-install it. Guess now I've lost all my shortcuts, there goes hours of work!

Any clue about these trojans? What's going on???

Thanks for any advice.

VW2011

Windows 7

[jezscott]

Same here.

Kaspersky finds Trojan.Win32.Mediyes and deletes the infected plugin dlls on 4 of our PCs with VW2011 Architect on Win7x64

I did a full scan of the hard disks in each PC using an up to date copy of Kaspersky Internet Security 2012 and it only found Trojans in the VW plugin dlls.

I deleted VW2011 application folder and reinstalled it from my own installation file and also from the file redownloaded from VSS today. Both times Kaspersky again detected the Trojans in the plug ins.

I am now updating the PC with Windows updates (20 updates) and downloading MS Security Essentials to see if that does anything.

The 2 machines I am trying to fix are REALLY slow right now.

not happy.

[klinzey]

Apparently a recent update by Kaspersky caused it to identify files in Vectorworks as containing viruses when they actual do not.

Till Kaspersky corrects the error the only thing to do is to create a trusted zone.

1. Create a trusted Zone and pick Vectorworks: http://latam.kaspersky.com/knowledge-base-article/2695

2. And then uninstall Vectorworks and reinstall if the plug-ins have been compromised (deleted).

An article should be posted in the knowledge base soon with more information.

[KBW]

Yeesh! Those are exactly the same Trojans.

It wasn't on my bosses computer until I opened a particular file - could it be in there - I used a symbol from a CAD symbol site, and some from Kohler. 2 fonts from Fonts101 last week. But computers are networked.

Please let me know how things go?

What a waste of time, energy & money.

[KBW]

Thanks Kevin - I had a feeling it was a Kaspersky issue with VW...it just felt like a strange place for a virus to target.

BUT - according to the internet, the Trojan.Win32.Mediyes is a real virus - how can I be sure before allowing Kaspersky to ignore it?

[klinzey]

The only way to tell is by checking the MD5 check sums of the file against an unaltered one to see if it has been changed.

This is something that happened with Kaspersky in the past day or so, we are still gathering the details at this point.

Once we get the knowledge base article created with all the details I'll make sure a like gets posted here.

[KBW]

The only way to tell is by checking the MD5 check sums of the file against an unaltered one to see if it has been changed.

Thank you, Kevin.

I'm Live Chatting with Kaspersky now, and "They will respond to via e-mail with whether or not this is a false positive. If it's not an infection, no action is required. If it is infected, they will let you know and provide further steps to resolve the issue."

I don't know how to do what you said, but I will post the outcome of Kaspersky's analysis so you know.

[jezscott]

deleted VW2011

installed VW2012

no trojan

[KBW]

Ah, but I don't have 2012... Guess that does mean that it wasn't a trojan, though.

Thanks for the update.

[KBW]

UPDATE:

Kaspersky has been a right pain in the arse about this - friendly, but so many avenues that are trying to deal with it / assuming it's been taken care of. But they have the info, I guess the next release will work better. I keep trying to work-around the issue, but may ditch them, as it would be cheaper than my time wasted, and VW is SO glitchy now - DAYS spent on this! GGrrrrrr!!!!

[Guest Jim Kelly]

KBW: have you been speaking to a particular person there on this issue?

[JHEarcht]

My ZoneAlarm antivirus just found 14 trojan viruses in VW2012 plug-in folder. I think ZA uses the Kaspersky system. I recently added a plug-in from this forum, but I haven't used it yet. I hope it's all just an error in the virus scanner. [img:left]http://home.mindspring.com/~gnomon/Images/Vworks%20virus%20A_%2005-22-12.jpg[/img]

[KBW]

It's hard to see from your image, JHEarcht, but it looks like the same files that Kaspersky is picking up and deleting on my computer. Door, TrueType, General Notes, among about 30 others.

Some* of them work again now that I have 'restored' them, but I can't use the door tool, nor change the door properties - awesome.

What is this plug-in you're talking about?

[JHEarcht]

What is this plug-in you're talking about?

It was the Break Poly tool posted recently in another forum thread. The first time I clicked on the icon VW crashed. But after reopening, it seemed to be OK. I still haven't had occasion to use the tool.

[Guest Jim Kelly]

In the interest of keeping you guys a bit in the loop on this, we are continuing to look at this and have contacted Kaspersky. I'm hoping we have some resolution to the issue in the near future, but as you can understand we're trying to be thorough and get feedback from Kaspersky themselves before making any definitive statements.

[Guest Jim Kelly]

I wanted to fill you all in on where we ended up on this. After a lengthy internal investigation, we've found no evidence of a trojan. We've confirmed that the alerts were coming from DVD-installed versions of Vectorworks, sometimes even from versions years old, meaning that this is not some new virus infection targeting Vectorworks. We took the alternate possibility seriously, that somehow there was something in our shipping code, but found no evidence of this.

As a result, we believe this was a false positive. We tried to contact Kaspersky on this, but they refused to even acknowledge the question, and would only treat our query as if it were an individual incident.

I apologize for the delay in getting a definitive answer on this, but I'm sure you understand there's a need to be careful and investigate all avenues. If anyone has further questions on this, let me know.

[Guest Jim Kelly]

To clarify my statement regarding DVD-installed versions of Vectorworks, that statement was regarding our efforts to eliminate the possibility that someone had maliciously replaced our downloadable installers.

[KBW]

Thank you, Jim.

I went through a huge, lengthy thing with Kaspersky, and they have updated their 2012 Anti-virus so it no longer finds these false-positives (which they agreed were false). The 2012 is a free update, for anyone using Kaspersky 2011.

Guess all our nagging with them worked!

[Guest Jim Kelly]

Thanks for updating us on what happened, that's more than I was able to get out of them, even after identifying myself as an employee (and writing to them from a vectorworks.net address), so it's good to have some more information we can pass on to people.