Possible trojan contamination

News and discussion of the PC port of Oolite.

Moderators: winston, another_commander

Pegleg
Above Average
Posts: 17
Joined: Sun Dec 28, 2008 7:37 pm
Location: Adirondack Mountains

Post by Pegleg » Mon Aug 31, 2009 9:06 pm

I've been trying for months to track down a trojan on my computer that was harvesting data from my contacts list and sending out fake emails in my name to the people on that list. Today I uninstalled Panda Antivirus and switched over to Avira, then ran a complete scan. It found a trojan that it called HTML/Silly.Gen that was located in the Custom Sounds Plist in the config folder of the resources section of the 1.72.2 build for Windows. I cleaned and uninstalled Oolite from my hard drive and downloaded the new 1.73 build from Berlios. The download scanned clean, but when I began extracting the files I quickly got a warning that one of them was infected with the HTML/Silly.Gen trojan and needed to be quarantined. So I again deleted all the Oolite files from my computer. You may want to check into this.
Shoot first and pick up the goodies later...

DaddyHoggy
Intergalactic Spam Assassin
Posts: 8501
Joined: Tue Dec 05, 2006 9:43 pm
Location: Newbury, UK

Post by DaddyHoggy » Mon Aug 31, 2009 9:39 pm

I use AVG Free, just rescanned, and it doesn't find anything - that doesn't mean it's not there, of course...
Selezen wrote:Apparently I was having a DaddyHoggy moment.
Oolite Life is now revealed here

another_commander
Quite Grand Sub-Admiral
Posts: 5394
Joined: Wed Feb 28, 2007 7:54 am

Post by another_commander » Mon Aug 31, 2009 9:59 pm

False positive. The entire build (installer + tree structure after installation) was scanned using McAfee VirusScan Enterprise, scan engine 5301.4018, with DAT dated 28 August 2009 before its release. Additionally, there is absolutely nothing wrong in customsounds.plist. It is a standard NeXTStep format property file. It is safe to install.

Chaky
Deadly
Posts: 213
Joined: Sat Aug 15, 2009 6:15 am

Post by Chaky » Tue Sep 01, 2009 1:34 am

Want another false positive?

Just make one empty bat file and put this in it:

copy
copy
copy

BitDefender will pick it up.

Diziet Sma
---- E L I T E ----
Posts: 6310
Joined: Mon Apr 06, 2009 12:20 pm
Location: Aboard the Pitviper S.E. "Blackwidow"

Post by Diziet Sma » Tue Sep 01, 2009 6:50 am

You may want to install, update and run Malwarebytes' Anti-Malware to check (and clean) your PC... there are lots of nasty things out there that anti-virus programs won't detect.. the free one will do everything the paid version does except for real-time protection and auto-updating.
Most games have some sort of paddling-pool-and-water-wings beginning to ease you in: Oolite takes the rather more Darwinian approach of heaving you straight into the ocean, often with a brick or two in your pockets for luck. ~ Disembodied

Svengali
---- E L I T E ----
Posts: 2365
Joined: Sat Oct 20, 2007 2:52 pm

Post by Svengali » Tue Sep 01, 2009 9:16 am

It's the last entry that gives a warning.
In Oolite's customsounds.plist:

"[wormhole-created]" = "";

And in CustomSounds.oxp:

"[wormhole-created]" = "w_hole.ogg";

Both seem to trigger Avira's heuristic search. I reported it ~3 weeks ago to Avira, but they haven't reacted. The LAB has the files, so maybe someday they'll do something, but I wouldn't count on it. So I'd think that the byte combination is the problem here. Renaming this entry solves it.

"[wrmhole-created]" = "w_hole.ogg";

Edit: For sure reported it as 'false positive' .-)

JensAyton
Grand Admiral Emeritus
Posts: 6657
Joined: Sat Apr 02, 2005 2:43 pm
Location: Sweden

Post by JensAyton » Tue Sep 01, 2009 11:30 pm

I’ve had a couple of bug reports from Avira users about the customsounds.plist “issue”. Avira appears to be incorrectly identifying it as JavaScript doing strange stuff. customsounds.plist does not contain executable code of any sort and cannot carry a trojan.

I asked those who e-mailed me to send bug reports to Avira, and recommend you do the same.
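
An added example, not from the thread or the Oolite project: when a scanner flags a file that is meant to be pure data, one triage step is to parse it with a strict grammar and check that it holds nothing but quoted key/value strings. It assumes a flat dictionary of quoted strings (a subset of the old-style plist format); the function names and sample texts are constructed for illustration.

```python
import re

# Constructed samples built from the two entries quoted in the thread,
# wrapped in the braces of a dictionary plist. Not the shipped files.
SAMPLE_CORE = '{\n  // constructed\n  "[wormhole-created]" = "";\n}'
SAMPLE_OXP = '{ "[wormhole-created]" = "w_hole.ogg"; }'
SAMPLE_BAD = '{ "[wormhole-created]" = "w_hole.ogg"; <html> }'  # stray markup

TOKEN = re.compile(r'''
    (?P<ws>\s+)
  | (?P<comment>//[^\n]*|/\*.*?\*/)
  | (?P<string>"(?:[^"\\]|\\.)*")
  | (?P<punct>[{}=;])
''', re.X | re.S)

def tokenize(text):
    """Return string and punctuation tokens; reject anything else."""
    pos, tokens = 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            line = text.count("\n", 0, pos) + 1
            raise ValueError(f"line {line}: unexpected text {text[pos:pos + 20]!r}")
        if m.lastgroup in ("string", "punct"):
            tokens.append(m.group())
        pos = m.end()
    return tokens

def parse_flat_dict(text):
    """Parse { "key" = "value"; ... } and return the entries as a dict."""
    toks = tokenize(text)
    if len(toks) < 2 or toks[0] != "{" or toks[-1] != "}":
        raise ValueError("not a single {...} dictionary")
    body = toks[1:-1]
    if len(body) % 4:
        raise ValueError("incomplete entry")
    entries = {}
    for i in range(0, len(body), 4):
        key, eq, value, semi = body[i:i + 4]
        if not (key[0] == '"' and eq == "=" and value[0] == '"' and semi == ";"):
            raise ValueError(f"entry {i // 4 + 1} is not a quoted key/value pair")
        entries[key[1:-1]] = value[1:-1]
    return entries

if __name__ == "__main__":
    for name, text in [("core", SAMPLE_CORE), ("oxp", SAMPLE_OXP), ("bad", SAMPLE_BAD)]:
        try:
            print(name, parse_flat_dict(text))
        except ValueError as err:
            print(name, "rejected:", err)
```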
