Bitcoin Forum

Bitcoin => Electrum => Topic started by: MitcoinBitcoin on October 08, 2016, 08:36:56 AM



Title: Electrum Bitcoin Wallet is Trojan?
Post by: MitcoinBitcoin on October 08, 2016, 08:36:56 AM
Just did a scan on Electrum wallet since I felt like my pc was acting odd and it ends up showing a Trojan on it. What should I do? Why would they add a Trojan to their file?


SHA256: c01ffe2205716284d88ba7981233b74830d3ecf7604ad57ca60e5930d397156e
File name: electrum-2.7.2.exe
Detection ratio: 1 / 56
Analysis date: 2016-10-08 07:53:18 UTC ( 0 minutes ago )


Antivirus Result Update
Invincea trojan.win32.multiinjector.c!rfn 20160928


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: 0209BitTradoo on October 08, 2016, 08:58:38 AM
Thanks for the info.


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: ranochigo on October 08, 2016, 09:25:04 AM
I highly doubt so. The detection ratio between the antivirus is so low that I suspect it to be a false positive and there is nothing to worry about.

Just in case, did you download the exe from here: https://electrum.org/#download ? You can also verify[1] if the checksum matches: https://download.electrum.org/2.7.2/electrum-2.7.2.exe.asc. If it does then it would be fine.

Check your entire file system for virus, not only Electrum.

[1] https://www.torproject.org/docs/verifying-signatures.html.en


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: MitcoinBitcoin on October 08, 2016, 09:51:56 AM
I've had a couple friends do a virus check on their own Electrum wallet and it is showing as a Trojan for them as well... Not really happy with the outcome of this.... The file should be 0/56. We are dealing with money here; we can't be risking false positives and Electrum should do something about it now.


Another thing. The file is impossible to delete. I've tried shredding it, deleting it, deleting it through CMD. NOTHING! It's impossible. Every time I try to delete it, it tells me FILE IS IN "USE", even after restarting my PC.


It's also odd that Electrum does not show up on Programs List and it's just an exe file.




Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: Cent21 on October 08, 2016, 09:58:39 AM

I downloaded it yesterday.

After your message i checked it with Virustotal and it showed 0/53, no infections.

Verify where you downloaded it from, as ranochigo suggested.

I will keep watching on this.


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: OmegaStarScream on October 08, 2016, 10:00:38 AM
If you downloaded the Portable version then it's normal that it only shows the .exe files. If you didn't, then you could right click the .exe and do "Open file location".
According to Windows Defender/Microsoft, here is what the detected trojan is trying to do: https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:Win32/MultiInjector.C!rfn&ThreatID=-2147272772
I scanned the file as well, and it seems like I'm having the same results as you; however, when I scan an earlier version (2.5.4) it's totally clean. So, either Electrum has been compromised (I doubt it) or ThomasV added something in the recent updates that triggered this false detection.


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: zend7 on October 08, 2016, 10:01:29 AM
I've had a couple friends do a virus check on their own Electrum wallet and it is showing as a Trojan for them as well... Not really happy with the outcome of this.... The file should be 0/56. We are dealing with money here; we can't be risking false positives and Electrum should do something about it now.


Another thing. The file is impossible to delete. I've tried shredding it, deleting it, deleting it through CMD. NOTHING! It's impossible. Every time I try to delete it, it tells me FILE IS IN "USE", even after restarting my PC.


It's also odd that Electrum does not show up on Programs List and it's just an exe file.




Electrum should show up in programs list. It shows very well in mine and I have downloaded it only from the official website. You do the same and I am thinking you may have downloaded something else disguised as Electrum.

Please do an immediate check with the best antivirus and internet security (for me it is AVIRA).


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: MitcoinBitcoin on October 08, 2016, 10:01:57 AM
Download it from their official website https://electrum.org/#download The windows version.




I download the Standalone Executable or Windows Installer. Version 2.6 and 2.7 are showing as Trojans.


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: virusasog on October 08, 2016, 10:07:58 AM
Download it from their official website https://electrum.org/#download The windows version.




I download the Standalone Executable or Windows Installer. Version 2.6 and 2.7 are showing as Trojans.

Tell me, this one will not pass any virus to my PC, right? Confirm for me: is there any malware operation from the above-mentioned version?


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: Coding Enthusiast on October 08, 2016, 10:09:01 AM
did you check the signature after you finished downloading Electrum?


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: MitcoinBitcoin on October 08, 2016, 10:09:58 AM
did you check the signature after you finished downloading Electrum?


No I did not.


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: Cent21 on October 08, 2016, 10:13:51 AM
Previously I was scanning the installation file, and it showed no infection 0/53.

Now I scanned the exe file of the installed version of Electrum, and I got 1/56 infections... same result as you.
In the scanning details I see that the detection is from the "Invincea" antivirus, updated to 20160928, which is quite old.

I checked my task manager and the Electrum process shows correctly (Windows XP OS).

I think it is a false positive too.


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: Coding Enthusiast on October 08, 2016, 10:15:59 AM
did you check the signature after you finished downloading Electrum?
No I did not.

then get right on it and report back.

i don't know how reliable virustotal is about .exe files but here are the results (all 0/68):
https://www.virustotal.com/en/url/c096e0ca01756ce8f5cb2e93485054a94f14ad8ec34bae36f77a1e59280ba165/analysis/1475921551/
https://www.virustotal.com/en/url/209415e6ffcf095588fd702336f45d216a52ce8bc3ef7d1316c46cd675de5712/analysis/1475921700/
https://www.virustotal.com/en/url/1e8ccd93295e937efdb629ee2d8866308db7534eb0f6ed48e5f17b46a574f5aa/analysis/1475921727/


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: MitcoinBitcoin on October 08, 2016, 10:22:25 AM
did you check the signature after you finished downloading Electrum?
No I did not.

then get right on it and report back.

i don't know how reliable virustotal is about .exe files but here are the results (all 0/68):
https://www.virustotal.com/en/url/c096e0ca01756ce8f5cb2e93485054a94f14ad8ec34bae36f77a1e59280ba165/analysis/1475921551/
https://www.virustotal.com/en/url/209415e6ffcf095588fd702336f45d216a52ce8bc3ef7d1316c46cd675de5712/analysis/1475921700/
https://www.virustotal.com/en/url/1e8ccd93295e937efdb629ee2d8866308db7534eb0f6ed48e5f17b46a574f5aa/analysis/1475921727/



It shows 0/68 because you're scanning the URL. But when you scan the file itself that you have installed, it shows up as a Trojan.


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: Kprawn on October 08, 2016, 10:59:05 AM
I presume you are using Microsoft Winduhs? Boot into safe mode and then try and delete the files. I prefer to use a multi boot for the different things I do. I like the Linux OS's like Ubuntu or even something like Tails. You have much less hassles with viruses and Malware and you can clean boot, after every session.  ;D


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: ranochigo on October 08, 2016, 11:09:36 AM
I've had a couple friends do a virus check on their own Electrum wallet and it is showing as a Trojan for them as well... Not really happy with the outcome of this.... The file should be 0/56. We are dealing with money here; we can't be risking false positives and Electrum should do something about it now.


Another thing. The file is impossible to delete. I've tried shredding it, deleting it, deleting it through CMD. NOTHING! It's impossible. Every time I try to delete it, it tells me FILE IS IN "USE", even after restarting my PC.


It's also odd that Electrum does not show up on Programs List and it's just an exe file.



The antivirus companies have all the rights to label the software and Electrum can't really do anything about it. If the top popular antiviruses do not have anything to say about it, there isn't much to worry about.

The portable version will not be installed to the computer if that is what you mean. Go to Task manager>Processes, find the Electrum.exe and force stop it. You should be able to delete it then.


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: Coding Enthusiast on October 08, 2016, 12:15:10 PM
Download it from their official website https://electrum.org/#download The windows version.
I download the Standalone Executable or Windows Installer. Version 2.6 and 2.7 are showing as Trojans.

I checked with my AntiVirus (Eset Smart Security with latest virus signature database 14246) there is no Trojan or any other kind of alert.

Check these and report back:
1) Make sure you have downloaded from the right source
https://electrum.org/#download
Standalone Executable: https://download.electrum.org/2.7.2/electrum-2.7.2.exe
sig: https://download.electrum.org/2.7.2/electrum-2.7.2.exe.asc

Windows Installer: https://download.electrum.org/2.7.2/electrum-2.7.2-setup.exe
sig: https://download.electrum.org/2.7.2/electrum-2.7.2-setup.exe.asc

ThomasV sig: https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6

2) Check the signatures after you finished downloading. There is helpful link in one of the above comments.

3) Make sure you did not have a Trojan already on your PC from before (like having it from a month ago but not knowing about it)

4) If and only if you did all of the above and you still had the same problem, make a proper report and wait for a developer to see this.
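
Steps 1 and 2 of the checklist above, as an added example that is not part of the original post and not Electrum's own code: it judges a detached-signature check from gpg's machine-readable status lines and accepts only a valid signature made by the key ID linked in the post. It assumes gpg is installed and the key has been imported; `evaluate_status` and `verify_download` are hypothetical names, and the sample status lines are constructed.

```python
import subprocess

# Long key ID from the pgp.mit.edu lookup linked in the post above. A 64-bit
# key ID is a weak pin: once you have confirmed the full 40-hex fingerprint
# through an independent channel, pin that instead.
PINNED_KEY_ID = "2BD5824B7F9470E6"

# Constructed sample status output (not captured from a real gpg run). The
# fingerprints are placeholders: zero padding followed by the pinned key ID.
FPR = "0" * 24 + PINNED_KEY_ID
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG " + PINNED_KEY_ID + " Constructed Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG " + FPR + " 2016-10-05 1475625600 0 4 0 1 8 00 " + FPR + "\n"
)
SAMPLE_TAMPERED = "[GNUPG:] BADSIG " + PINNED_KEY_ID + " Constructed Signer\n"
SAMPLE_OTHER_KEY = ("[GNUPG:] VALIDSIG " + "A" * 40
                    + " 2016-10-05 1475625600 0 4 0 1 8 00 " + "A" * 40 + "\n")


def evaluate_status(status_text, pinned=PINNED_KEY_ID):
    """Return (ok, reason) for gpg --status-fd output of a --verify run."""
    pinned = pinned.upper().replace(" ", "")
    if pinned.startswith("0X"):
        pinned = pinned[2:]
    signer_fprs = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword == "BADSIG":
            return False, "bad signature: file or .asc was altered"
        if keyword in ("ERRSIG", "NO_PUBKEY"):
            return False, "signature could not be checked (key not imported?)"
        if keyword in ("EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False, "signature or signing key is expired or revoked"
        if keyword == "VALIDSIG" and args:
            # First field: fingerprint of the signing (sub)key; last field:
            # primary key fingerprint when gpg reports it.
            signer_fprs += [args[0].upper(), args[-1].upper()]
    if not signer_fprs:
        return False, "no valid signature found"
    if not any(fpr.endswith(pinned) for fpr in signer_fprs):
        return False, "valid signature, but not from the pinned key"
    return True, "good signature from pinned key"


def verify_download(sig_path, file_path):
    """Run gpg on a detached .asc signature and judge its status lines."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return evaluate_status(proc.stdout)
```

Call `verify_download("electrum-2.7.2.exe.asc", "electrum-2.7.2.exe")` on the files downloaded from the URLs in step 1; a result of `(False, ...)` means the file should not be run, whatever an antivirus scan says.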


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: MitcoinBitcoin on October 08, 2016, 12:49:12 PM
The developer should look into this regardless. The fact is virustotal is labeling it as a Trojan. I don't care if it's a false positive or not. We are dealing with money here and I won't risk my money due to a mistake from the developers of Electrum. Therefore, I won't be using your application.


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: DannyHamilton on October 08, 2016, 02:39:18 PM
The developer should look into this regardless. The fact is virustotal is labeling it as a Trojan.

You are mistaken.

If virustotal a virus scanning program is labeling it as a Trojan as a false positive, then the developer of virustotal the virus scanning program should look into this.

There is nothing Electrum can do.  Electrum created a good piece of software that is NOT a trojan, and virustotal the virus scanning program has chosen to lie to you about it.  Electrum can't make virustotal the virus scanning program stop lying.

If I lie to you and tell you that Windows is a trojan, does that mean that Microsoft should change their software?

I won't risk my money due to a mistake from the developers of Electrum.

You mean due to a mistake from the developers of virustotal a virus scanning program, don't you?  They are the ones that are lying

Therefore, I won't be using your application.

That's fine.  Nobody is going to force you to use good software that you don't want to use, and nobody is going to force you to stop using the software that lies to you either if you still want to use it.


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: MitcoinBitcoin on October 08, 2016, 02:54:28 PM
There is nothing Electrum can do.  Electrum created a good piece of software that is NOT a trojan, and virustotal has chosen to lie to you about it.  Electrum can't make virustotal stop lying.


Why isn't virus total lying about every other wallet I've tested? Do they have something against Electrum? Every single other wallet has been 0/56


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: mindrust on October 08, 2016, 03:11:39 PM
Goddammit.

I just moved from core wallet to electrum and now this pops up.

I also checked the file in virus total and got 1/56 result. It has a trojan named: trojan.win32.multiinjector.c!rfn

Fck this shit.

I can't delete it too.

Fuck.

edit: ok deleted the bastard. just keep trying.


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: Coding Enthusiast on October 08, 2016, 03:15:10 PM
I am curious to know how you are using virustotal?
Do you download on your computer and then upload using their file tab?



Read Danny's comment in last page.


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: mindrust on October 08, 2016, 03:24:39 PM
I am curious to know how you are using virustotal?
Do you download on your computer and then upload using their file tab?



Read Danny's comment in last page.

I uploaded the file. Should i worry?


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: ranochigo on October 08, 2016, 03:31:25 PM
There is nothing Electrum can do.  Electrum created a good piece of software that is NOT a trojan, and virustotal has chosen to lie to you about it.  Electrum can't make virustotal stop lying.


Why isn't virus total lying about every other wallet I've tested? Do they have something against Electrum? Every single other wallet has been 0/56
A part of the Electrum code may have resembled a string from a known virus or may have behavior that they deem suspicious. It is important to note that the analysis is not done by virustotal but done by the antiviruses. Antiviruses are at times quite inaccurate. That being said, the only antivirus that detected it as a virus is Invincea and it isn't even well known.


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: Coding Enthusiast on October 08, 2016, 03:32:15 PM
I am curious to know how you are using virustotal?
Do you download on your computer and then upload using their file tab?



Read Danny's comment in last page.

I uploaded the file. Should i worry?

No, there is nothing to worry about, and as I said, read This (https://bitcointalk.org/index.php?topic=1639722.msg16496231#msg16496231). I have also downloaded and checked it with my AV and there is nothing to worry about.

The reason I asked this is because I thought there is an easier way to check it directly and not download, upload


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: MitcoinBitcoin on October 08, 2016, 04:20:41 PM
Goddammit.

I just moved from core wallet to electrum and now this pops up.

I also checked the file in virus total and got 1/56 result. It has a trojan named: trojan.win32.multiinjector.c!rfn

Fck this shit.

I can't delete it too.

Fuck.

edit: ok deleted the bastard. just keep trying.

How did you delete it? I've been trying to delete it ever since I noticed the Trojan and it says "File cant be deleted because its in USE" I checked task manager and its not there. Tried shredding it, nothing. Restarted my PC and it tells me "File is in USE" Really???



Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: ThomasV on October 08, 2016, 05:33:41 PM
Note that Electrum binaries for Windows are not created on Windows, but on a Linux computer running Wine.
Thus, this machine cannot be infected with Windows malware.


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: mindrust on October 08, 2016, 08:19:37 PM
Goddammit.

I just moved from core wallet to electrum and now this pops up.

I also checked the file in virus total and got 1/56 result. It has a trojan named: trojan.win32.multiinjector.c!rfn

Fck this shit.

I can't delete it too.

Fuck.

edit: ok deleted the bastard. just keep trying.

How did you delete it? I've been trying to delete it ever since I noticed the Trojan and it says "File cant be deleted because its in USE" I checked task manager and its not there. Tried shredding it, nothing. Restarted my PC and it tells me "File is in USE" Really???



I was in the same position. I kept hitting delete button and it succeeded after a few tries. Keep trying :D


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: DannyHamilton on October 08, 2016, 09:48:01 PM
Why isn't virus total lying about every other wallet I've tested?

I don't know.  They are probably being lied to by the virus scanning program. You'll have to ask them.

Do they have something against Electrum?

Maybe.  Or maybe they just aren't very careful about their reporting. More likely, the virus scanning program isn't very careful about their reporting.

Every single other wallet has been 0/56

Every single other wallet?  How many others have you tested? perhaps the ones you tested just got lucky.


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: MitcoinBitcoin on October 11, 2016, 03:17:27 PM
Why isn't virus total lying about every other wallet I've tested?

I don't know.  You'll have to ask them.

Do they have something against Electrum?

Maybe.  Or maybe they just aren't very careful about their reporting

Every single other wallet has been 0/56

Every single other wallet?  How many others have you tested? perhaps the ones you tested just got lucky.



Danny Hamilton.... I hope you realize that virus total has nothing to do with it. They aren't the one scanning the file, is the antivirus scanning the file. So when you say that Virus Total is lying well ummm you sound like a very arrogant person if you actually meant it. I'm sure you've gotten that before from Family and Friends. I am a very good judge of character and you sir are not liked by many.


Title: Re: Electrum Bitcoin Wallet is Trojan?
Post by: DannyHamilton on October 11, 2016, 03:44:36 PM
Danny Hamilton.... I hope you realize that virus total has nothing to do with it. They aren't the one scanning the file,

Nope. I had no idea.  I assumed based on the conversation in the thread that VirusTotal was an antivirus program that you and others were using. I've gone back and fixed my posts.  Thanks for explaining.

is the antivirus scanning the file.

Obviously.  I wasn't familiar with Virus Total, and the context of the discussion in the thread made it appear that it was a virus scanning program.

So when you say that Virus Total is lying well ummm you sound like a very arrogant person if you actually meant it.

Nope. I meant that the virus scanning program was lying.  I figured that was obvious from the context of my posts.  Does that mean I'm not arrogant after all?

I'm sure you've gotten that before from Family and Friends.

Nope.  But perhaps they've avoided saying anything about it to me, because they don't want to hurt my feelings?

I am a very good judge of character and you sir are not liked by many.

Thanks.  That's good to know.  Is there some way I can fix that, or am I stuck with not being liked forever?  Perhaps I'll just need to accept being liked by a few rather than many?