Malware in Strawberry Perl v5.10.1.2

[whitesmith]

On 2010-07-24 I uninstalled ActiveState Perl and installed Strawberry
Perl v5.10.1.2, largely on the strength of the webpage's implied
indorsement by Larry Wall: "When I'm on Windows, I use Strawberry
Perl." I hope you don't really use this implementation, Larry, because
a couple weeks after the install I got a call from American Express
about several bogus charges to my card--including a $1 charge by a
site called strawberry.com (not strawberryperl.com, the site from
which I downloaded the product). $1 charges seem to be the preferred
method used by scammers to test a card's validity: if the small charge
goes through, these dudes pounce and run it up to the max in an hour
or so. Amex is wise to the trick so they immediately cancelled the
card and sent me a new one with a different number.

I ran ZoneAlarm against the installation and it found bad boys called
Worm.Win32.c* in both xmlcatalog.exe and \bin\dmake.exe. Naturally
when I installed the product I didn't think too much about giving it
'Net access for auto-update purposes, which probably explains how it
was able to grab a credit card number and call home without detection.

*Don't use this product!!* I've gone back to ActiveState and I intent
to stay with it, with or without a recommendation from Wall.

 

[whitesmith]

On 2010-07-24 I uninstalled ActiveState Perl and installed Strawberry
Perl v5.10.1.2, largely on the strength of  the webpage's implied
indorsement by Larry Wall: "When I'm on Windows, I use Strawberry
Perl." I hope you don't really use this implementation, Larry, because
a couple weeks after the install I got a call from American Express
about several bogus charges to my card--including a $1 charge by a
site called strawberry.com (not strawberryperl.com, the site from
which I downloaded the product). $1 charges seem to be the preferred
method used by scammers to test a card's validity: if the small charge
goes through, these dudes pounce and run it up to the max in an hour
or so. Amex is wise to the trick so they immediately cancelled the
card and sent me a new one with a different number.

I ran ZoneAlarm against the installation and it found bad boys called
Worm.Win32.c* in both xmlcatalog.exe and \bin\dmake.exe. Naturally
when I installed the product I didn't think too much about giving it
'Net access for auto-update purposes, which probably explains how it
was able to grab a credit card number and call home without detection.

*Don't use this product!!* I've gone back to ActiveState and I intent
to stay with it, with or without a recommendation from Wall.

DLed directly from the big red strawberry. No mistake about it. I'm
quite careful about what and from whom I download.

 

[Uri Guttman]

w> DLed directly from the big red strawberry. No mistake about it. I'm
w> quite careful about what and from whom I download.

still, your opinion isn't much given all the others who use strawberry
perl without such issues. that means it is likely something on your box
that did this and not the download.

uri

 

[sisyphus]

I ran ZoneAlarm against the installation and it found bad boys called
Worm.Win32.c* in both xmlcatalog.exe and \bin\dmake.exe.

Yes, I prefer ActivePerl - and if you 'ppm install MinGW' first, then
you can pretty much build any module that ships with Strawberry Perl
anyway. (Mind you, however, some of those modules aren't all that
trivial to build.)

Anyway, I've just downloaded
http://d10xg45o6p6dbl.cloudfront.ne...ry-perl/strawberry-perl-5.10.1.2-portable.zip
and extracted it.

ClamWin couldn't find any malware in either of those files (or
anywhere else in the Strawberry distro, for that matter).
Maybe I should switch to using ZoneAlarm ;-)

Incidentally, I get the following hashes for xmlcatalog.exe:

MD5: b39677b4d1731a888c909f0e4d86cf36
SHA1: e30df004575008b9b53efc99863c81121b60b01a
SHA256:
f62576f055199e4a7dba50e8e1a581834b4dcc17208ce14ba337573c588bd36b

and the following for dmake.exe:

MD5: 6ba036e4ea092150bf860fc3d9bb86dc
SHA1: b722621998333fe53190ccf6296984b120f94ccc
SHA256:
c48149051ab3393caba80d9882158b958df5825d7405a417401f638af89ed3dc

If you're getting different for those files, then I suggest that
something has corrupted them.
I don't for one moment believe that those files are corrupted at their
source.

Cheers,
Rob

 

[sln]

I don't for one moment believe that those files are corrupted at their
source.

^^^^
It would be a sad day indeed.

-sln