Possible trojan contamination

News and discussion of the PC port of Oolite.

Moderators: winston, another_commander

Pegleg
Above Average
Posts: 17
Joined: Sun Dec 28, 2008 7:37 pm
Location: Adirondack Mountains

Post by Pegleg »

I've been trying for months to track down a trojan on my computer that was harvesting data from my contacts list and sending out fake emails in my name to the people on that list. Today I uninstalled Panda Antivirus and switched over to Avira, then ran a complete scan. It found a trojan that it called HTML/Silly.Gen that was located in the Custom Sounds Plist in the config folder of the resources section of the 1.72.2 build for Windows. I cleaned and uninstalled Oolite from my hard drive and downloaded the new 1.73 build from Berlios. The download scanned clean, but when I began extracting the files I quickly got a warning that one of them was infected with the HTML/Silly.Gen trojan and needed to be quarantined. So I again deleted all the Oolite files from my computer. You may want to check into this.
Shoot first and pick up the goodies later...
DaddyHoggy
Intergalactic Spam Assassin
Posts: 8515
Joined: Tue Dec 05, 2006 9:43 pm
Location: Newbury, UK

Post by DaddyHoggy »

I use AVG Free. I just rescanned and it doesn't find anything - that doesn't mean it's not there, of course...
Selezen wrote:
Apparently I was having a DaddyHoggy moment.
Oolite Life is now revealed here
another_commander
Quite Grand Sub-Admiral
Posts: 6682
Joined: Wed Feb 28, 2007 7:54 am

Post by another_commander »

False positive. The entire build (installer + tree structure after installation) was scanned using McAfee VirusScan Enterprise, scan engine 5301.4018, with DAT dated 28 August 2009 before its release. Additionally, there is absolutely nothing wrong in customsounds.plist. It is a standard NeXTStep format property file. It is safe to install.
Chaky
Deadly
Posts: 213
Joined: Sat Aug 15, 2009 6:15 am

Post by Chaky »

Wanna another false positive?

Just make one empty bat file and put this in it:

Code:

copy
copy
copy

BitDefender will pick it up.
Diziet Sma
---- E L I T E ----
Posts: 6312
Joined: Mon Apr 06, 2009 12:20 pm
Location: Aboard the Pitviper S.E. "Blackwidow"

Post by Diziet Sma »

You may want to install, update and run Malwarebytes' Anti-Malware to check (and clean) your PC... there are lots of nasty things out there that anti-virus programs won't detect... the free one will do everything the paid version does except for real-time protection and auto-updating.
Most games have some sort of paddling-pool-and-water-wings beginning to ease you in: Oolite takes the rather more Darwinian approach of heaving you straight into the ocean, often with a brick or two in your pockets for luck. ~ Disembodied
Svengali
Commander
Posts: 2370
Joined: Sat Oct 20, 2007 2:52 pm

Post by Svengali »

It's the last entry that gives a warning.
In Oolite's customsounds.plist

Code:

"[wormhole-created]" = "";

And in CustomSounds.oxp

Code:

"[wormhole-created]" = "w_hole.ogg";

Both seem to trigger Avira's heuristic search. I reported it ~3 weeks ago to Avira, but they haven't reacted. The LAB has the files, so maybe someday they'll do something, but I wouldn't count on it. So I'd think that the byte combination is the problem here. Renaming this entry solves it.

Code:

"[wrmhole-created]" = "w_hole.ogg";

Edit: For sure reported it as 'false positive' .-)
JensAyton
Grand Admiral Emeritus
Posts: 6657
Joined: Sat Apr 02, 2005 2:43 pm
Location: Sweden

Post by JensAyton »

I’ve had a couple of bug reports from Avira users about the customsounds.plist “issue”. Avira appears to be incorrectly identifying it as JavaScript doing strange stuff. customsounds.plist does not contain executable code of any sort and cannot carry a trojan.

I asked those who e-mailed me to send bug reports to Avira, and recommend you do the same.
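
The statements above by another_commander and JensAyton, that customsounds.plist is a NeXTSTEP-format property file holding data and no code, can be checked mechanically when triaging a detection like this one. The following is an added example, not part of any post in this thread and not Oolite's own code: a strict Python reader for the dictionary/array/string subset of that syntax, which rejects any content outside the grammar. The names `tokenize`, `parse`, `load` and the sample content are assumptions of the example; only the `[wormhole-created]` entry is taken from the thread.

```python
import re

# Constructed sample (old-style ASCII plist); only "[wormhole-created]" is from the thread.
SAMPLE = '''{
    /* constructed sample, not the shipped file */
    "[constructed-list]" = ( "a.ogg", b.ogg );
    "[wormhole-created]" = "";
}'''

SKIP = re.compile(r'(?:\s+|/\*.*?\*/|//[^\n]*)*', re.S)  # whitespace and comments
TOKEN = re.compile(r'(?P<punct>[{}()=;,])|"(?P<quoted>(?:\\.|[^"\\])*)"|(?P<bare>[\w./$:-]+)')

def tokenize(text):
    # Anything that is not punctuation, a string or a comment is rejected outright.
    pos, toks = SKIP.match(text).end(), []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"non-plist content at offset {pos}")
        toks.append((m.lastgroup, m.group(m.lastgroup)))
        pos = SKIP.match(text, m.end()).end()
    return toks + [("eof", None)]

def parse(toks, i=0):
    """Return (value, next_index); a value can only be a str, list or dict."""
    kind, val = toks[i]
    if kind in ("quoted", "bare"):
        return val, i + 1            # raw string text; escapes are left as written
    if (kind, val) not in (("punct", "{"), ("punct", "(")):
        raise ValueError(f"unexpected token {val!r}")
    out, close, sep = ({}, "}", ";") if val == "{" else ([], ")", ",")
    i += 1
    while toks[i] != ("punct", close):
        item, i = parse(toks, i)
        if close == ")":
            out.append(item)
        elif toks[i] == ("punct", "="):
            out[item], i = parse(toks, i + 1)
        else:
            raise ValueError("expected '=' after key")
        if toks[i] == ("punct", sep):
            i += 1
    return out, i + 1

def load(text):
    toks = tokenize(text)
    tree, end = parse(toks)
    if toks[end][0] != "eof":
        raise ValueError("trailing content after top-level value")
    return tree
```

A file that loads cleanly consists only of keys, strings and lists, so the flagged entry can be read as the plain key/value pair it is, and the detection can be reported to the vendor with that evidence attached.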