Trojan in On2 Flix Pro v8.545? Where da md5s at?!

I just loaded On2 Flix Pro (video conversion software to create Flash videos) and was told there was an update.

The application doesn’t have the smarts to update itself directly, instead sending you to the website to download a zip file containing the new update.

It installed successfully (well, the first attempt failed while trying to register itself online to make sure I wasn’t copying it – the super-annoying DRM ties each install to a particular piece of hardware, making it hard to move between computers). But when I went to run it, I got an AVG error informing me that there was a trojan horse in the file winprojector8.exe – PSW.Ldpinch.VKM to be exact.

I’m fairly confident this is a false positive, but I can’t be sure, because there’s no digital signature or md5 or anything for this file, OR the zip file that I downloaded the application in, OR the self-installing .exe that came out of the zip file.

In case anyone else is running into this error, here are the md5s for each file:

577cbe65ae7f718b365b560e5109773b SetupFlixProPC_8_545.exe
4dbc59a37e213fc096f69eb9f6085964 SetupFlixProPC_8_545.zip
260e655dd577e54cd3a215feb60aa021 winprojector8.exe (the allegedly infected file)

Currently Googling for the md5 of the infected file yields this virscan.org URL, which indicates a few other applications detect a trojan in this file as well.

I have contacted On2 support (usually I get a response within 24 hours) and await what I hope will just be a ‘false positive’ response.

If they’d published an md5 hash of these files, I wouldn’t need to be worried. But they didn’t, so I am.

If you’re putting a file on the Internet up for download, please always publish a hash of the file – md5sum or sha1sum would be best – so that people can verify that what they think they’re getting is what you want them to be getting.
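As an added example (not from the original post), here is the verification step the advice above asks for: a small checker that reads md5sum/sha1sum-style lines like the ones listed earlier, picks the algorithm from the digest length, and reports each file as OK, MISMATCH or MISSING. The file contents and manifest in `demo()` are constructed; they are not the real On2 files.

```python
import hashlib
import os
import tempfile

# Digest length in hex chars -> hashlib name, so one manifest may mix
# md5sum and sha1sum output (sha256sum is handled as a bonus).
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def digest_file(path, algo):
    """Hash a file in chunks; returns the lowercase hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse '<digest> <filename> [free-text note]' lines into (name, algo, digest)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # blank or malformed line
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' = md5sum binary flag
        algo = ALGO_BY_HEX_LEN.get(len(digest))
        if algo is None or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("unrecognised digest: %r" % digest)
        entries.append((name, algo, digest))
    return entries


def verify(manifest_text, directory):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    result = {}
    for name, algo, expected in parse_manifest(manifest_text):
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            result[name] = "MISSING"
        else:
            result[name] = "OK" if digest_file(path, algo) == expected else "MISMATCH"
    return result


def demo():
    """Constructed scenario: manifest written for two files, then one file changed."""
    tmp = tempfile.mkdtemp()
    names = ["SetupFlixProPC_8_545.zip", "winprojector8.exe"]
    for n in names:
        with open(os.path.join(tmp, n), "wb") as f:
            f.write(b"constructed contents of " + n.encode())
    manifest = "\n".join([
        "%s %s" % (digest_file(os.path.join(tmp, names[0]), "md5"), names[0]),
        "%s %s (the allegedly infected file)" % (digest_file(os.path.join(tmp, names[1]), "sha1"), names[1]),
        "0" * 32 + " absent.exe",  # listed in the manifest but never downloaded
    ])
    with open(os.path.join(tmp, names[1]), "ab") as f:
        f.write(b" tampered")  # file altered after the manifest was published
    return verify(manifest, tmp)
```

A hash published beside the download only proves the file matches what the publisher listed; it does not prove the publisher's site was not itself altered, which is what a digital signature is for.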

3 thoughts on “Trojan in On2 Flix Pro v8.545? Where da md5s at?!”

  1. … except that anyone able to replace the file on a website with an infected copy could also easily change the md5 to match.

  2. Well, the hope is that the authoritative site for a file will not be compromised. If it is, all bets are off anyway (unless they’re using proper digital signatures, assuming their private keys are also not compromised).

    Hashing as I’ve described it here is good for mirroring. It’s a pretty standard practice already in open source software.

    You reminded me I /still/ haven’t heard back from On2 about this. Lame. Fired them another support request.

  3. You’d also have to hope that On2 didn’t unknowingly upload an infected version themselves :)
