Trojan Horse in Oolite!

TGHC · Post by **TGHC** » Mon Jul 23, 2007 12:08 am

If you haven't already picked this up' my AVG found this yesterday:

Trojan Horse Downloader Zlob.MCQ

It's location was C:\ programme files\Oolite\Uninst.exe

I'm still running version 1.65 which was downloaded when it first came out last year, although I did add Dajt's patch for planet textures a while later.

I prompted AVG to heal it, but apparently it is unhealable though it has dropped it into the virus vault.

It's not just me either, it has been picked up by others on the EBBS here

Has anyone else here had this, and WTF do I do to fix it?

Killer Wolf · Post by **Killer Wolf** » Mon Jul 23, 2007 6:44 am

that's odd, my avs etc hasn't spotted anything. where did it come from, i can't imagine Giles or Ahruman etc put anything in like that, has someone taken the code, added summat nasty and put it out for download on an official site??
gonna have to do a full rscan of my machines when i get home :-/

Captain Hesperus · Post by **Captain Hesperus** » Mon Jul 23, 2007 7:54 am

Could be a false positive. I run bi-weekly virus scans on my PC and it's never flagged that one up, I use Oolite 1.65-tp for Assassins and 1.68 for everything else.

Captain Hesperus

Killer Instinct · Post by **Killer Instinct** » Mon Jul 23, 2007 8:07 am

Using McAfee antivirus and Spybot S&D and scanning like wot you should do frequently these days I've found absolutely nothing wrong or untoward with any Oolite application.

Helvellyn · Post by **Helvellyn** » Mon Jul 23, 2007 4:50 pm

If something has been sitting around for a long time unchanged and only gets picked up now it's probably going to be a false positive.

JensAyton · Post by **JensAyton** » Mon Jul 23, 2007 5:07 pm

Helvellyn wrote:
If something has been sitting around for a long time unchanged and only gets picked up now it's probably going to be a false positive.

Either that, or it’s been infected by something else… in which case it isn’t actually a trojan.

Captain Hesperus · Post by **Captain Hesperus** » Mon Jul 23, 2007 5:11 pm

Ahruman wrote:
Either that, or it’s been infected by something else… in which case it isn’t actually a trojan.

But then where would it have come from. Only you and a select group have the ability to upload to the BerliOS site, and none of you would knowingly upload anything even remotely virusy (is that a word? Probably not, but hey).
I think it's just an over-protective AV program.

Captain Hesperus

JensAyton · Post by **JensAyton** » Mon Jul 23, 2007 5:22 pm

There was a time, in deepest, darkest history, when viruses primarily spread between programs on the same computer. I know you can’t remember this, since you’re just an ickle kitty. :-)

Frame · Post by **Frame** » Mon Jul 23, 2007 6:31 pm

Ahruman wrote:
There was a time, in deepest, darkest history, when viruses primarily spread between programs on the same computer. I know you can’t remember this, since you’re just an ickle kitty.

ohh i recall that... that was... yeah...

Before The Internet...

Helvellyn · Post by **Helvellyn** » Mon Jul 23, 2007 8:18 pm

Ahruman wrote:
Helvellyn wrote:
If something has been sitting around for a long time unchanged and only gets picked up now it's probably going to be a false positive.
Either that, or it’s been infected by something else… in which case it isn’t actually a trojan.

Hence my use of the word "unchanged". I had AVG report a false positive on C&C Generals once, which was rather obviously such when it gave the same result when I scanned the original CD.

davcefai · Post by **davcefai** » Mon Jul 23, 2007 9:19 pm

This could be a false positive. Best way to check will be to compare an "infected" file with a fresh download.

If anybody would like to send me an "infected" file I'll gladly investigate.

You can upload the file to ftp://cloud9.dyndns.tv . Login as anonymous and them PM me.

Note: I am risk free in this as I run Linux.