(windows 8.1 user)
A few months ago I downloaded binaries from: https://github.com/noahp/srlua-mingw
They had 2 exe files in the folder: srlua.exe and glue.exe. I had been unable to compile srlua from the original GitHub posting for srlua, so I used the srlua.exe from the binary and the glue.exe which I compiled on my own. I was able to use the tools successfully. The only issue was I received a few positives (1-2) when scanning the various files via VirusTotal, but that was expected given they are programs that compile Lua code into .exe (i.e. C compilers get flagged a lot on VirusTotal).
Skip ahead to today, I needed to use the program again. But because srlua.exe deletes itself (glues itself) to the created .exe, I needed another copy. I found the old zip for the binary in my recycle bin, so I restored it. I then proceeded to try and get the code to work again, but couldn’t get it to work. I then proceeded to use “just” the files in the binary’s zip, srlua.exe and glue.exe (the ones in the link above), and was able to create the .exe but not get them to run either. When opening the created .exe it said they were unrecognized file types. So again: 2 months ago, I didn’t use both files from the zip, but I did this time.
I then received a notification from my antivirus that “malware detected on pc”. It linked specifically to srlua.exe. I deleted the srlua.exe, and then followed the ‘disinfection’ protocols Kaspersky presented to me. I had never seen this prompt before and I couldn’t tell if it had detected anything real or was just presenting safety options. The only thing of worry it presented to me was that it detected an unknown program/code running at pc start.
I followed all their suggestions, and restarted the computer as they told me to. I then scanned the .zip file that had the binaries in it on VirusTotal. The database version showed it’s fine; I rescanned though and it turned over 50% positive. I then downloaded Malwarebytes and ran that, and it picked up a registry key in an old DivX player folder (I’m guessing that’s unrelated), and it picked up the zip folder from my downloads and the ones in my trash bin. I quarantined the zip in my downloads folder (I’ll delete it later if necessary) and deleted the others.
I then went to the GitHub page. I’m really bad at understanding GitHub, but it says the last commit was 4 years ago…and as stated I downloaded this zip 2 months ago originally. I then went to grab the zip file again, but was blocked by Kaspersky citing: Access denied Object URL: https://codeload.github.com/noahp/srlua-mingw/zip/master Reason: the object is infected by P2P-Worm.Win32.Palevo.ikpc
This was not there when I downloaded 2 months ago. This is all new. I messaged GitHub, and am waiting for a reply, however I am unsure of how GitHub works and if I’m messaging the right place (they only had an abuse and harassment section). This raises questions like: Was the file infected while on the GitHub servers…why is it still there on the site if everything is now flagged by all the antivirus as malware…etc.
My main concern though is: Was I likely infected? And how can I tell if I’m still infected? How would I even know? The antiviruses, when I look at the reports from Kaspersky and Malwarebytes, don’t tell me anything other than that srlua.exe and the .zip it came from are positive. Wouldn’t there be more to report if it was actually malware?
The last backup I have is from months ago, and the backup was made after my use of the program back then. So the backup technically is of a pc that used the supposedly infected srlua.exe with the not-infected glue.exe I compiled myself. It’s undesirable to go back to that point. And there’s the potential that even that could be infected. I’d assume it’s unlikely that a perpetrator designed it so you needed to use both the srlua.exe and glue.exe from the zip to infect the pc.
I have not experienced any odd behaviour on my pc. But I have no idea what a pc with malware does or doesn’t do, or what else can be checked outside of scans.
The process for using srlua.exe and glue.exe, from the link, is in the cmd prompt (Windows user) to run:
glue srlua.exe prong.lua prong.exe
where prong is the code file’s name. I’m assuming running this command is the same as opening the .exe and anything could happen if it is actually infected.
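The glue step described above is a byte copy: the created prong.exe is srlua.exe, followed by the Lua source, followed by a small trailer that tells the runtime where the script starts. That means every .exe produced with a given srlua.exe carries a full copy of that srlua.exe inside it, so hashing the runtime portion of an old glued .exe tells you exactly which srlua.exe it was built from, and lets you compare that hash against VirusTotal without uploading or re-downloading anything. The following is an added example written for this post; it is not code from the post or from the srlua or srlua-mingw projects. The trailer layout (an 8-byte signature "%%glue:L" followed by two 32-bit sizes) is my reading of srlua's glue.c and is an assumption here; the runtime and script bytes are constructed stand-ins, not real binaries.

```python
import hashlib
import struct

# Assumed trailer layout (from srlua's glue.c): 8-byte signature, then two
# C longs (4 bytes each on Windows): size of the runtime, size of the script.
# If the srlua build you have uses a different signature, change GLUE_SIG.
GLUE_SIG = b"%%glue:L"
TRAILER = struct.Struct("<8sll")  # sig, size1 (runtime), size2 (script)


def glue_files(runtime: bytes, script: bytes) -> bytes:
    """Reproduce what glue.exe writes: runtime, then script, then the trailer."""
    return runtime + script + TRAILER.pack(GLUE_SIG, len(runtime), len(script))


def split_glued(data: bytes):
    """Return (runtime, script) if data ends in a valid glue trailer, else None.

    The sizes in the trailer must account for the whole file; anything else is
    treated as 'not a glued executable' rather than trusted blindly.
    """
    if len(data) < TRAILER.size:
        return None
    sig, size1, size2 = TRAILER.unpack_from(data, len(data) - TRAILER.size)
    if sig != GLUE_SIG:
        return None
    if size1 < 0 or size2 < 0 or size1 + size2 + TRAILER.size != len(data):
        return None
    return data[:size1], data[size1:size1 + size2]


def sha256_hex(data: bytes) -> str:
    """SHA-256 hex digest, the form VirusTotal accepts for a hash lookup."""
    return hashlib.sha256(data).hexdigest()


def inspect_glued(data: bytes) -> dict:
    """Hashes for the whole file and, if it is glued, for its two parts.

    The 'runtime' hash is the one to compare against the srlua.exe you
    downloaded: if they match, the glued .exe contains that exact binary.
    """
    report = {"whole": sha256_hex(data), "glued": False}
    parts = split_glued(data)
    if parts is None:
        return report
    runtime, script = parts
    report.update(
        glued=True,
        runtime=sha256_hex(runtime),
        runtime_size=len(runtime),
        script=sha256_hex(script),
        script_size=len(script),
        script_text=script.decode("utf-8", errors="replace"),
    )
    return report


# Constructed sample input: a fake 'MZ' stub standing in for srlua.exe and a
# one-line Lua script standing in for prong.lua. Neither is a real binary.
FAKE_RUNTIME = b"MZ" + b"\x00" * 62 + b"constructed-srlua-stand-in"
FAKE_SCRIPT = b'print("hello from prong.lua")\n'


if __name__ == "__main__":
    glued = glue_files(FAKE_RUNTIME, FAKE_SCRIPT)
    for label, blob in (("srlua.exe (stand-in)", FAKE_RUNTIME), ("prong.exe", glued)):
        rep = inspect_glued(blob)
        print(f"{label}: sha256={rep['whole']} glued={rep['glued']}")
        if rep["glued"]:
            print(f"  embedded runtime sha256={rep['runtime']} ({rep['runtime_size']} bytes)")
            print(f"  embedded script: {rep['script_text'].strip()}")
```

To use this on real files, read prong.exe with `open(path, "rb").read()` and pass the bytes to `inspect_glued`; the `runtime` hash it reports can be looked up on VirusTotal by hash alone. Because the runtime copy inside an old glued .exe is unchanged from the srlua.exe that was used at the time, it also answers the question of whether a backup contains the same srlua.exe that is now being flagged.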