On Thu, May 17, 2018 at 5:26 AM, Ryan Saunders <saunders@aggienetwork.com> wrote:

Hello webmaster,

A little over a week ago, I got hit by a rather nasty virus…one of those “ransomware” viruses that encrypts everything on your disk and then demands bitcoin payment in exchange for the decryption key. Yuck.

One potential way in which this virus might have gotten onto my system is via a version of Python I downloaded, as I was working on a script to auto-download Python around that time. It’s a bit difficult to be sure, since (a) my antivirus (Windows Defender) didn’t notice the virus at all and (b) most files on my HDD are now hopelessly encrypted, including the copies of Python I downloaded, which makes postmortem analysis…difficult.

I plan to do some more investigation to try to determine exactly how I got this bug, but I thought it prudent to bring this to your attention quickly, just in case Python actually was the infection vector, so that you can remove any infected files from your download site.

If I recall correctly, the versions of Python that I was working with were the following:

The virus is the “Arrow” virus, which most antivirus sites identify as a variant of the “Dharma/CrySiS” family of malware. Unfortunately, Windows Defender did not catch it, so I’m not sure what AV tools to recommend. But I do suggest scanning the above files with whatever AV tools are at your disposal, just to be on the safe side, so that no one else contracts this thing.

If I am later able to determine conclusively the source of my infection, I will let you know.

Ryan


_______________________________________________
Webmaster mailing list
Webmaster@python.org
https://mail.python.org/mailman/listinfo/webmaster

Hi Ryan,

Thanks for your note, and I'm sorry to hear that you have fallen victim to malware.

I suspect the probability of a virus in the official installer distributions is very low. I understand that the release process for Windows does involve anti-virus scans, and I am not personally aware of even any false positives on 3.6.

Since 3.7.0 is a pre-release I am notifying the developers list as a precaution. You will hear from them if they require any further information.

Good luck restoring your system.

regards
 Steve