Yes, I meant libsqlite3.dll.

Well, obviously I don't want to reproduce it locally because, if it's not a
false alarm, I don't want to re-infect my system, but basically, here's what
happened and how you might be able to reproduce it:

1. I downloaded the stable version of DokuWiki with MicroApache and installed
   it. I included the wrap plugin, the upgrade plugin, and the gallery plugin in
   the download.
2. I used 7-Zip to extract the tarball and copied the folder to my desktop.
3. I opened the folder and ran the .cmd script to start the server.
4. A few seconds later, BitDefender told me it was cleaning a malicious file.
   Further examination told me that libsqlite3.dll was infected with the
   Gen:Variant.Razy trojan.
5. The next morning, I checked the BitDefender log entries and found the
   following, both of which correspond to the time last night when I ran
   DokuWiki for the first time:
   - Device Vulnerability: We detected a change in your device's settings that
     allows it to execute setup files from media drives as soon as they are
     inserted in the drive without your knowledge. Automatic execution of
     unknown files may harm your device. (I did not make this change. I assume
     the trojan must have done it.)
   - In the firewall log, mapache.exe made a connection to the IP address
     216.105.38.15/0. I do not recognize this IP address, and there is no
     reason I can think of that an internal web server intended purely for
     testing purposes should be making a connection to an external IP address
     without my knowledge.

Because of the above log entries in BitDefender, I do not believe this to be a
false alarm.
--
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist
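The two questions a defender would want answered for a report like the one above are (a) did the files in the extracted folder actually differ from a known-good copy of the distribution, and (b) did the test-only web server really talk to a non-local address. The script below is an added example, not code from the DokuWiki or MicroApache projects or from the poster: it hashes a directory tree against a reference manifest taken from a clean copy, and scans firewall log lines for outbound connections by a process that should only ever talk to loopback or private addresses. The file contents, the manifest, the dates and the one-line-per-event log format are all constructed for the example; BitDefender's real log format is not assumed here, and the external address in the sample is the one quoted in the report.

```python
# Added triage example (not project code). Sample files, the log format and the
# dates are constructed placeholders; only the external IP comes from the report.
import hashlib
import ipaddress
import os
import re
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 (DLLs can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Hash every file under root. Run this on a KNOWN-GOOD copy of the
    distribution (a fresh download on a clean machine), not on the suspect tree."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(path)
    return manifest


def verify_tree(root, manifest):
    """Compare the suspect tree with the reference manifest. A modified
    libsqlite3.dll lands under 'modified', a dropped file under 'unexpected'.
    If everything matches, the AV hit is far more likely a false positive."""
    actual = build_manifest(root)
    return {
        "modified": sorted(r for r in manifest if r in actual and actual[r] != manifest[r]),
        "missing": sorted(r for r in manifest if r not in actual),
        "unexpected": sorted(r for r in actual if r not in manifest),
    }


# Constructed log format: "<date> <time> <process> <out|in> <ip>[/prefix]:<port>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proc>\S+) (?P<dir>out|in) (?P<ip>[\d.]+)(?:/\d+)?:(?P<port>\d+)$"
)


def flag_external_connections(log_lines, local_only_processes):
    """Return (process, ip, port) for every outbound connection to a public
    address made by a process that should stay local (e.g. a test web server).
    Loopback, RFC 1918 and link-local destinations are ignored."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m or m["dir"] != "out":
            continue
        if m["proc"].lower() not in local_only_processes:
            continue
        addr = ipaddress.ip_address(m["ip"])
        if addr.is_loopback or addr.is_private or addr.is_link_local:
            continue
        hits.append((m["proc"], str(addr), int(m["port"])))
    return hits


def demo_verify_tree():
    """Build a clean tree, record its manifest, then tamper with the DLL and
    drop an extra file before verifying. All contents are constructed."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "mapache/mapache.exe": b"exe-bytes",
            "mapache/libsqlite3.dll": b"dll-bytes",
            "dokuwiki/doku.php": b"<?php\n",
        }
        for rel, data in files.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        manifest = build_manifest(tmp)
        with open(os.path.join(tmp, "mapache/libsqlite3.dll"), "ab") as f:
            f.write(b"-appended-bytes")  # simulate a modified DLL
        with open(os.path.join(tmp, "mapache/dropped.tmp"), "wb") as f:
            f.write(b"x")  # simulate a file that was not in the download
        return verify_tree(tmp, manifest)


# Constructed sample firewall events (placeholder dates).
SAMPLE_LOG = [
    "2014-01-01 23:10:02 mapache.exe in 127.0.0.1:8800",
    "2014-01-01 23:10:05 mapache.exe out 216.105.38.15/0:80",
    "2014-01-01 23:10:07 firefox.exe out 216.105.38.15/0:443",
    "2014-01-01 23:10:09 mapache.exe out 192.168.1.20:80",
]


def demo_flag_connections():
    return flag_external_connections(SAMPLE_LOG, {"mapache.exe"})


if __name__ == "__main__":
    print(demo_verify_tree())
    print(demo_flag_connections())
```

Build the manifest from a second, untouched download on a machine that has not run the .cmd script, then point verify_tree at the folder the AV complained about; a hash mismatch on libsqlite3.dll alone does not prove infection (the AV may have already quarantined or altered the file), so compare the two download archives themselves as well.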