[Python-Dev] [Webmaster] Possible virus in Win32 build of python?

Steve Holden steve at holdenweb.com
Thu May 17 05:30:30 EDT 2018


On Thu, May 17, 2018 at 5:26 AM, Ryan Saunders <saunders at aggienetwork.com>
wrote:

> Hello webmaster,
>
> A little over a week ago, I got hit by a rather nasty virus…one of those
> “ransomware” viruses that encrypts everything on your disk and then demands
> bitcoin payment in exchange for the decryption key. Yuck.
>
> One potential way in which this virus might have gotten onto my system is
> via a version of Python I downloaded, as I was working on a script to
> auto-download Python around that time. It’s a bit difficult to be sure,
> since (a) my antivirus (Windows Defender) didn’t notice the virus at all
> and (b) most files on my HDD are now hopelessly encrypted, including the
> copies of Python I downloaded, which makes postmortem analysis…difficult.
>
> I plan to do some more investigation to try to determine exactly how I got
> this bug, but I thought it prudent to bring this to your attention quickly,
> just in case Python actually *was* the infection vector, so that you can
> remove any infected files from your download site.
>
> If I recall correctly, the versions of Python that I was working with were
> the following:
>
>    - https://www.python.org/ftp/python/3.7.0/python-3.7.0b4-amd64.exe
>    - https://www.python.org/ftp/python/3.7.0/python-3.7.0b4-embed-amd64.zip
>    - https://www.python.org/ftp/python/3.7.0/python-3.7.0b3-amd64.exe
>    - https://www.python.org/ftp/python/3.7.0/python-3.7.0b3-embed-amd64.zip
>    - https://www.python.org/ftp/python/3.6.5/python-3.6.5-amd64.exe
>    - https://www.python.org/ftp/python/3.6.5/python-3.6.5-embed-amd64.zip
>
> The virus is the “Arrow” virus, which most antivirus sites identify as a
> variant of the “dharma/crysys” family of malware. Unfortunately, Windows
> Defender did not catch it, so I’m not sure what AV tools to recommend. But
> I do suggest scanning the above files with whatever AV tools are at your
> disposal, just to be on the safe side, so that no one else contracts this
> thing.
>
> If I am later able to determine conclusively the source of my infection, I
> will let you know.
>
> Ryan
>
> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
> Windows 10
>
> _______________________________________________
> Webmaster mailing list
> Webmaster at python.org
> https://mail.python.org/mailman/listinfo/webmaster
>

Hi Ryan,

Thanks for your note, and I'm sorry to hear that you have fallen victim to
malware.

I suspect the probability of a virus in the official installer
distributions is very low. I understand that the release process for
Windows does involve anti-virus scans, and I am not personally aware of
even any false positives on 3.6.

Since 3.7.0 is a pre-release I am notifying the developers list as a
precaution. You will hear from them if they require any further information.

Good luck restoring your system.

regards
 Steve