Trojan in Electrum 3.0.0 wallet?

[cryptolucidity]

Two weeks ago I downloaded Electrum 3.0.0 Standalone from Electrum.org.
Worked fine until now, but today when I tried to copy the file from my laptop to a USB drive Windows Defender identified it as containing Trojan:Win32/Bitrep.A virus. It then also quarantined the file on my laptop as well. Apparently other users are reporting the same issue.

Three immediate possibilities come to mind, 1) the source file was infected, 2) my computer became infected after downloading it, 3) it's a false positive. While it's probably #2 or #3, have there been known cases of malicious code appearing in .exe or .asc files on the electrum.org site?

(edit: I tried downloading the Electrum 3.0.0.exe again from the site and got the same virus alert. However, Electrum 3.0.2.exe scanned clean)

Is there a step by step guide for dummies on how to verify the signature on the .exe file, or a simpler way? The instructions I've found so far are partial or daunting and incomprehensible.

And is there a safe way to transfer my bitcoins in the infected wallet to a new wallet?

[1714947697]

1714947697

[1714947697]

1714947697

[1714947697]

1714947697

[TryNinja]

It's probably just a false positive.

If you are still worried, you can verify the executable signature[1] and confirm that you have the right files.

[1] https://steemit.com/bitcoin/@jklepatch/how-to-verify-the-integrity-of-electrum-wallet-executable-on-windows

[Coin-Keeper]

If you ever have any serious concerns about the computer/wallet you are using its best to make sure things are all clean before transferring any more coins.  Electrum makes it easy in that you can use ANY computer and your SEED words to quickly create a new wallet on a "known" clean machine and Electrum file.  Then using the known clean wallet you can make transactions safely.  Your absolute best bet when downloading Electrum files is to VERIFY the file download via the GPG signature.  Thomas signs all official releases and its positive/certain you have a good file if you VERIFY that way.  At this time I want to present my opinion (others differ) that it would be better to never have your SEED containing wallet online.  Use a cold wallet or hardware wallet.  At 9000 US dollars a coin thieves are rampant online, and honestly they are damn good at what they do.  Just how it is.

[cryptolucidity]

Thanks for the replies. I strongly suspect it was a false positive. Defender and a few others flagged it, but the major antivirus programs did not. The alerts are triggered by heuristic analysis of the 3.0.0 standalone and 3.0.2 portable, but not the other versions I tested. I also did my homework and went through the steps to verify the signatures - an essential process, I agree, but it really needs a simple, intuitive console for the uninitiated.

[xorxor]

3.0.2 portable got deleted by security essentials with message:
trojan :  Win32/Tilken.B!cl

almost died on the spot !!!!!
anyone got this also ?

[Spendulus]

If you ever have any serious concerns about the computer/wallet you are using its best to make sure things are all clean before transferring any more coins.  Electrum makes it easy in that you can use ANY computer and your SEED words to quickly create a new wallet on a "known" clean machine and Electrum file.  Then using the known clean wallet you can make transactions safely.  Your absolute best bet when downloading Electrum files is to VERIFY the file download via the GPG signature.  Thomas signs all official releases and its positive/certain you have a good file if you VERIFY that way.  At this time I want to present my opinion (others differ) that it would be better to never have your SEED containing wallet online.  Use a cold wallet or hardware wallet.  At 9000 US dollars a coin thieves are rampant online, and honestly they are damn good at what they do.  Just how it is.

When it comes to being right or wrong there is no democracy.

I would add that when people attempt to create "adequate security" by layering additional complexity on top of existing systems, it often backfires.

Look at all the issues people seem to be having with 2FA and Electrum.

But 2FA was supposed to improve security, right? Something to ponder there.

[Digika]

How much on a scale [I only have 500$ btc]-[I have full 2.0BTC] are you positive that this is false positive?

For reference:

https://virustotal.com/en/file/adbe7a02700ec0466af70dbd842a3fb5f26e142f03ce41bb3f275c79310b873e/analysis/

https://virustotal.com/en/file/f35bce22dd80b383ec97e75b399da10f91eb7950a2315baa52f2e665beb769d8/analysis/

https://bitcointalk.org/index.php?topic=1993592.20
https://www.reddit.com/r/Bitcoin/comments/2y0e08/electrum_20_detected_as_trojan_by_avast_false/
https://www.reddit.com/r/litecoin/comments/2vivx2/is_it_common_for_av_programs_to_detect_electrum/
https://bitcointalk.org/index.php?topic=1250394.0

I mean this is not the first time this topic pops up.

[BitMaxz]

How much on a scale [I only have 500$ btc]-[I have full 2.0BTC] are you positive that this is false positive?

For reference:

https://virustotal.com/en/file/adbe7a02700ec0466af70dbd842a3fb5f26e142f03ce41bb3f275c79310b873e/analysis/

https://virustotal.com/en/file/f35bce22dd80b383ec97e75b399da10f91eb7950a2315baa52f2e665beb769d8/analysis/

https://bitcointalk.org/index.php?topic=1993592.20
https://www.reddit.com/r/Bitcoin/comments/2y0e08/electrum_20_detected_as_trojan_by_avast_false/
https://www.reddit.com/r/litecoin/comments/2vivx2/is_it_common_for_av_programs_to_detect_electrum/
https://bitcointalk.org/index.php?topic=1250394.0

I mean this is not the first time this topic pops up.

Well  i can say its false positive they are just detect the latest version of electrum because of python script.. even my windows defender detected electrum wallet but i just add it an exclusion until now its not having any problem i am holding of almost $1,000 plus..
So i can say that this is false positive..  if you are afraid to use it why not use the old version of electrum you can download the old version here https://download.electrum.org/

And wait for the latest version of electrum that fix this issue i'm also waiting for their latest wallet which is work in windows 7

[Aken]

My defender just reacted to Electrum 3.0.0 installer (virus) but it was fine for the others.

[300cpilot]

My Windows defender just popped up that Electrum-3.0.0-setup.exe includes the Trojan:Win32/Tiggre!plock

I run Malwarebytes Premium and Windows Defender scans every day. Electrum has been installed for several weeks and this is the first time Defender said anything. Pretty sure there was an update to BitDefender that added this to it.

[Aken]

I just verified the exe of the version 3.0 with signature and it says that the data is not verified. Is it normal?

[Digika]

I just verified the exe of the version 3.0 with signature and it says that the data is not verified. Is it normal?

Ofc it is normal, just enter your passphrase and open the wallet, nothing bad will happen!

[pooya87]

I just verified the exe of the version 3.0 with signature and it says that the data is not verified. Is it normal?

it depends on what you mean by "verified the exe with signature" and what you mean by "not verified"!

you have to verify the PGP signature of the .exe you have downloaded using https://www.gpg4win.org/ for windows or use a Linux distro with GnuPG installed.
and the verification should indicate that it has found a "good signature" with a warning that the public key is not in your trusted list. you can ignore the warning but you need to see the "good signature" result.

[nc50lc]

Guys, I saw a post regarding electrum having two websites.
These two:

• Electrum.org (owned by electrum)
  
• https://www.electrumsource.org/ <!--- WARNING: Fake Site! -->

if you downloaded your wallet from the fake one,  it might be the cause of this.
I'm not accusing the other domain or anything.

Can anyone shed some light please. <edit> Thanks for the info, pooya87.

[pooya87]

@nc50lc
the second website you listed here is an absolute scam. and it is super easy to verify it if you check the signature which is provided with the download files.
i did a quick check of the Electrum-3.0.0.tar.gz file for Linux with the provided signature file which turned out to be a fake one.

please note that i already have ThomasV's public key which is 0x2BD5824B7F9470E6 stored on my OS.

see the "good signature" for the real one. and "Bad signature" warning for the fake one:

[Digika]

Even so, here are Virus scan results for ORIGINAL installers:

https://virustotal.com/en/file/adbe7a02700ec0466af70dbd842a3fb5f26e142f03ce41bb3f275c79310b873e/analysis/

https://virustotal.com/en/file/f35bce22dd80b383ec97e75b399da10f91eb7950a2315baa52f2e665beb769d8/analysis/

I mean this is not the first time this topic pops up.

[kostepanych2]

Still Windows Defender swear to Electrum 3.3.4 and don't let to download it without creating exclusion...
I'm sure it's false positive... But why developers do not do anything with that?
It scare users and potential BTC investors...

[Abdussamad]

see the note for windows users at the bottom: https://electrum.org/#download