Malware in Win32 GnuCash 2.6.0

John Ralls jralls at ceridwen.us
Tue Dec 31 10:08:31 EST 2013


On Dec 30, 2013, at 9:46 PM, Jules Levinson <juleslevinson at comcast.net> wrote:

> Dear John,
> 
> I have been using GnuCash for several years. I have learned a great deal from this program and I enjoy it enormously. This afternoon I happily downloaded release 2.6.0, and this evening I installed it on my desktop and my laptop. As I did, the program that I use to detect viruses, malware, and so forth detected malware (I think that what I saw was "Win32.trojan.gen" but I may not have seen or remembered that correctly) wrapped up in some way with gnucash.exe and immediately removed that file from my systems, rendering GnuCash unusable. I am trying to locate release 2.4.14 so that I can revert to the previous version of the program. When I try to do this, I end up with release 2.4.13.
> 
> I hope you do not mind my writing to you directly. I do not know whom I should contact, and so I have written to you because I assume you would want to know this.
> 
> With best wishes and many thanks for GnuCash, which I look forward to using again soon,
> 

Please use the mailing lists to communicate with us rather than emailing individual developers. When responding to list messages, use "Reply All" and then prune the CC list as appropriate so that only the person you're responding to and one list are addressed.

It's possible but unlikely that the build machine is infected; unlikely because that machine is a VM in a unix server which does nothing but build GnuCash. It's more likely that the security product you use issued a false alarm based on a bit pattern in gnucash.exe that happens to match one in "Win32.trojan.gen", whatever that is. Perhaps someone on the user list will have some insight into the problem.

We've been having some difficulty getting the Win32 build of GnuCash 2.4.14 to complete, so it hasn't been released yet. You'll see another announcement as soon as it is. Until then, 2.4.13 is the correct fallback for you.

*For the list: Jules sent me a follow-up message with this output from his security program:
> Mon 2013-12-30 22:25:37.0380	Infection detected: c:\program files (x86)\gnucash\bin\gnucash.exe [MD5: 9D753EED75EFD3A1B2E6229F0F301943] [3/00080020] [W32.Trojan.Gen]
> Mon 2013-12-30 22:25:37.0380	File blocked in realtime: c:\program files (x86)\gnucash\bin\gnucash.exe [MD5: 9D753EED75EFD3A1B2E6229F0F301943, Size: 272605 bytes] [524320/00000003] [W32.Trojan.Gen]
> Mon 2013-12-30 22:25:37.0380	File blocked in realtime: c:\program files (x86)\gnucash\bin\gnucash.exe [MD5: 9D753EED75EFD3A1B2E6229F0F301943, Size: 272605 bytes] [524320/00000003] [W32.Trojan.Gen]

Regards,
John Ralls
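
Added example (not part of the message above and not GnuCash project code): a parser for the log lines quoted in the message that collapses the repeated entries into one detection record and compares a copy of the file against the logged MD5 and size. The function names and the idea of checking a freshly downloaded copy are assumptions made for illustration; a match means the scanner flagged the binary as shipped rather than a locally modified file.

```python
import hashlib
import re

# Log lines as quoted in the message above (tab replaced by spaces).
SAMPLE_LOG = r"""
Mon 2013-12-30 22:25:37.0380  Infection detected: c:\program files (x86)\gnucash\bin\gnucash.exe [MD5: 9D753EED75EFD3A1B2E6229F0F301943] [3/00080020] [W32.Trojan.Gen]
Mon 2013-12-30 22:25:37.0380  File blocked in realtime: c:\program files (x86)\gnucash\bin\gnucash.exe [MD5: 9D753EED75EFD3A1B2E6229F0F301943, Size: 272605 bytes] [524320/00000003] [W32.Trojan.Gen]
Mon 2013-12-30 22:25:37.0380  File blocked in realtime: c:\program files (x86)\gnucash\bin\gnucash.exe [MD5: 9D753EED75EFD3A1B2E6229F0F301943, Size: 272605 bytes] [524320/00000003] [W32.Trojan.Gen]
"""

LINE_RE = re.compile(
    r"^\w{3} (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<event>[^:]+): (?P<path>.+?) "
    r"\[MD5: (?P<md5>[0-9A-Fa-f]{32})(?:, Size: (?P<size>\d+) bytes)?\] "
    r"\[[^\]]+\] \[(?P<sig>[^\]]+)\]$"
)

def parse_log(text):
    """Return one dict per well-formed log line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["md5"] = e["md5"].lower()
            e["size"] = int(e["size"]) if e["size"] else None
            events.append(e)
    return events

def summarize(events):
    """Collapse repeated lines into one record per (path, MD5) pair."""
    out = {}
    for e in events:
        rec = out.setdefault((e["path"].lower(), e["md5"]), {
            "size": None, "events": set(), "signatures": set(), "count": 0})
        rec["size"] = e["size"] if e["size"] is not None else rec["size"]
        rec["events"].add(e["event"])
        rec["signatures"].add(e["sig"])
        rec["count"] += 1
    return out

def same_file(data, md5, size):
    """True if `data` matches the flagged file by size and MD5 (identifier only)."""
    if size is not None and len(data) != size:
        return False
    return hashlib.md5(data).hexdigest() == md5.lower()

if __name__ == "__main__":
    for (path, md5), rec in summarize(parse_log(SAMPLE_LOG)).items():
        print(path, md5, rec["size"], sorted(rec["events"]), rec["count"])
```

MD5 is used here only because it is the identifier the log provides; it links a log entry to a file but is not a collision-resistant integrity check.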



