On Thu, May 17, 2018 at 5:26 AM, Ryan Saunders email@example.com wrote:
A little over a week ago, I got hit by a rather nasty virus…one of those “ransomware” viruses that encrypts everything on your disk and then demands bitcoin payment in exchange for the decryption key. Yuck.
One potential way in which this virus might have gotten onto my system is via a version of Python I downloaded, as I was working on a script to auto-download Python around that time. It’s a bit difficult to be sure, since (a) my antivirus (Windows Defender) didn’t notice the virus at all and (b) most files on my HDD are now hopelessly encrypted, including the copies of Python I downloaded, which makes postmortem analysis…difficult.
I plan to do some more investigation to try to determine exactly how I got this bug, but I thought it prudent to bring this to your attention quickly, just in case Python actually was the infection vector, so that you can remove any infected files from your download site.
If I recall correctly, the versions of Python that I was working with were the following:
The virus is the “Arrow” virus, which most antivirus sites identify as a variant of the “dharma/crysys” family of malware. Unfortunately, Windows Defender did not catch it, so I’m not sure what AV tools to recommend. But I do suggest scanning the above files with whatever AV tools are at your disposal, just to be on the safe side, so that no one else contracts this thing.
If I am later able to determine conclusively the source of my infection, I will let you know.
Sent from Mail https://go.microsoft.com/fwlink/?LinkId=550986 for Windows 10
Webmaster mailing list Webmaster@python.org https://mail.python.org/mailman/listinfo/webmaster
Thanks for your note, and I'm sorry to hear that you have fallen victim to malware.
I suspect the probability of a virus in the official installer distributions is very low. I understand that the release process for Windows does involve anti-virus scans, and I am not personally aware of even any false positives on 3.6.
Since 3.7.0 is a pre-release I am notifying the developers list as a precaution. You will hear from them if they require any further information.
Good luck restoring your system.