TrojanDownloader:097M/Donoff detected in archive

Hi,

Thank you for your message. We are not aware of any issues. I suspect a false positive. Do those softwares say exactly which file is affected? It would help me narrow down the issue and fix it.

Best,
Jason

That’s really weird!

To my surprise, I can also confirm this.
I just downloaded Slimstat from the repository here and uploaded it on virustotal.

Here are the results:

https://www.virustotal.com/#/file/8242c67a4feda469f5e44b4aa26e06a2d830e498420f74d26047e5783d42bc24/detection

2 trojans found. I hope it’s a false positive.
Can you please look into it Jason?

I’m still confused. Which file exactly seems to contain this trojan? We package our source code meticulously and use reputable third-party packages. Also, if you quickly google that Trojan file referenced by Microsoft, you’ll find this page:

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TROJANDOWNLOADER:O97M/DONOFF

As you can read on that page, this Trojan infects Microsoft Word files, and as far as I know, there are NO such files in our plugin, I’m pretty sure of that.

It’s definitely a false positive, where unfortunately the signature of our zipped file matches some signature associated to that trojan. I’m pretty sure this will go away once we release the next update in a few days.

If you have proof that there is harmful code in Slimstat beyond what 2 antivirus out of about 100 say, then please contact our support team and we will fix the issue right away.

As you know, our users’ security is out first priority.

Best,
Jason

From Microsoft Security Essentials:

Category: Trojan Downloader

Description: This program is dangerous and downloads other programs.

Recommended action: Remove this software immediately.

Items:
containerfile:C:\Users\iaps\Downloads\wp-slimstat.4.7.2.2.zip
file:C:\Users\iaps\Downloads\wp-slimstat.4.7.2.2.zip->wp-slimstat/admin/view/index.php->(SCRIPT0021)

By my quick research, it seems that following code is reported as “virus”:

for($i=1;$i<=12;$i++){
        if(!empty(wp_slimstat_db::$filters_normalized['date']['month']) && wp_slimstat_db::$filters_normalized['date']['month'] == $i) 
                echo "<option value='$i' selected='selected'>".substr($GLOBALS['month'][zeroise($i, 2)], 0, 3)."</option>";
        else
                echo "<option value='$i'>".substr($GLOBALS['month'][zeroise($i, 2)], 0, 3)."</option>";
}

But equivalent code is passed:

for($i=1;$i<=12;$i++){
	$i_month=substr($GLOBALS['month'][zeroise($i, 2)], 0, 3);
	if(!empty(wp_slimstat_db::$filters_normalized['date']['month']) && wp_slimstat_db::$filters_normalized['date']['month'] == $i)
		echo "<option value='$i' selected='selected'>".$i_month."</option>";
	else
		echo "<option value='$i'>".$i_month."</option>";
}

So, it’s definitely false positive report.

PS: Possible replacement for previous code:

global $wp_locale;
$month_abbrev = $wp_locale->get_month_abbrev( $wp_locale->get_month( $i ) );

• This reply was modified 7 years, 1 month ago by Sa?a.
• This reply was modified 7 years, 1 month ago by Sa?a.

I’m glad it’s a false positive ??

I also had this in Windows Defender

Thank you, all. We are going to update our code to remove this false positive per Sasa’s suggestion.

Best,
Jason.