Official ComboFix Mirror Infected with Sality Virus

BleepingComputer.com has rushed to remove the compromised application

  ComboFix installer hosted on BleepingComputer.com infected with Sality virus
The official mirror of the ComboFix malware removal tool, the one hosted on BleepingComputer.com, has been found to be infected with the Sality virus.

The official mirror of the ComboFix malware removal tool, the one hosted on BleepingComputer.com, has been found to be infected with the Sality virus.

Marcos, an ESET moderator on the Wilders Security Forums, was the first to tell everyone about the existence of the infected version. Apparently, the mirror contains a file called iexplore.com, which is plagued by the Sality virus.

“Unfortunately it has come to light that the program ComboFix had a file in it that is infected with the Sality virus. The minute we heard about this, we pulled the executable so that it is no longer available from BleepingComputer.com,” Lawrence Abrams of BleepingComputer.com explained.

BleepingComputer.com believes that the affected version has been available since 2AM EST on January 29, but some users have reported seeing it even earlier.

The most worrying fact about this incident is that when users run ComboFix, they’re advised to disable all other antivirus solutions. So, despite the fact that most versions of Sality are identified by antiviruses, a lot of computers could have become infected.

In the meantime, the application’s developer, sUBs, is looking into the issue, trying to determine what has happened.

Users who have downloaded ComboFix from BleepingComputer.com over the past 48 hours (just to be on the safe side), should immediately scan their computers with an up-to-date antivirus to check if it’s infected with Sality.

Any decent antivirus should be capable of removing it, but you can also use a Sality removal application, such as the one developed by Kaspersky. It can be found on Softpedia at this link.

Softpedia hosts a clean version of ComboFix. Users who want to download the application can do so from here. Be sure to avoid untrusted sources that might be serving the malware-infected version.

3 Comments