Installing gem triggers virus scanner

[GoogleCodeExporter]

What steps will reproduce the problem?
1. gem install origami
2. virus scanner reports Exploit:Win32/Pdfjsc.Q
3.

What is the expected output? What do you see instead?
I expect to install the gem without triggering the virus scanner

What version of the product are you using? On what operating system?
Windows 7, ruby 1.9.1, origame-1.2.2

Please provide any additional information below.
More details on the exploit: 
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win
32/Pdfjsc

Original issue reported on code.google.com by emiliano...@iris-advies.com on 20 Oct 2011 at 7:33

[GoogleCodeExporter]

Same problem at mine computer! I'm running Windows 7 x64, Ruby 1.9.2-p290, 
Origami 1.2.3... Anti-virus software is ESET Smart Security 4 (NOD32).

Regards,
Stole

Original comment by condor...@gmail.com on 25 Oct 2011 at 12:40

[GoogleCodeExporter]

Hello,

Origami ships with a few exploit samples taken from old vulnerabilities in the 
wild.
As they contain potentially malicious JS scripts, they may be detected as 
malware, although they shouldn't since they are contained in Ruby scripts.


does your AV software reports which files are concerned?

Original comment by guilla...@security-labs.org on 25 Oct 2011 at 6:27

• Added labels: OpSys-Windows, Type-Other, Usability
• Removed labels: Type-Defect

[GoogleCodeExporter]

Thanks for the response...

About AV report, well, I have not paid attention. :( I exited my AV, installed 
gem, and then started AV again. I will try to reproduce issue on my other 
computer, I will let You know.

Regards,
Stole

Original comment by condor...@gmail.com on 25 Oct 2011 at 7:36

[GoogleCodeExporter]

Hi,

Here is the log of NOD AV:

http://production.cf.rubygems.org/gems/origami-1.2.3.gem    multiple 
threats connection terminated - quarantined Threat was detected upon access to 
web by the application: C:\Ruby192\bin\ruby.exe.
http://production.cf.rubygems.org/gems/origami-1.2.3.gem » TAR » 
data.tar.gz multiple threats
http://production.cf.rubygems.org/gems/origami-1.2.3.gem » TAR » data.tar.gz 
» GZIP » data.tar multiple threats
http://production.cf.rubygems.org/gems/origami-1.2.3.gem » TAR » data.tar.gz 
» GZIP » data.tar » TAR » 
samples/exploits/cve-2008-2992-utilprintf.rb    JS/Exploit.Shellcode.A.gen trojan
http://production.cf.rubygems.org/gems/origami-1.2.3.gem » TAR » data.tar.gz 
» GZIP » data.tar » TAR » 
samples/exploits/cve-2009-0927-geticon.rb   JS/Exploit.Shellcode.B trojan
http://production.cf.rubygems.org/gems/origami-1.2.3.gem » TAR » data.tar.gz 
» GZIP » data.tar » TAR » 
samples/exploits/exploit_customdictopen.rb  JS/Exploit.Shellcode.A.gen trojan
http://production.cf.rubygems.org/gems/origami-1.2.3.gem » TAR » data.tar.gz 
» GZIP » data.tar » TAR » 
samples/exploits/getannots.rb   JS/Exploit.Shellcode.A.gen trojan

Regards,
Stole

Original comment by condor...@gmail.com on 26 Oct 2011 at 11:13

[GoogleCodeExporter]

Yes, I tried installing origami 1.2.3 gem, McAfee didn't like 
exploit_customdictopen.rb when it was unpacking in  folder C:\Ruby 
193\lib\ruby\gems\1.9.1\cache\origami-1.2.3.gem\data.tar.gz\data.tar.  

It "detects" it as JS/Exploit-BO.gen.

Unfortunately, my AV product is controlled by group policy, and I can't 
configure it to ignore it.  

I'm going to install it on linux instead, but if you wanted to know what it was 
hitting the above was it.

Original comment by jamie.ko...@gmail.com on 10 Nov 2011 at 9:41