Trojans (Community)
sweets, Jan 9, 2006, 5:37pm
I recently told you all about a Trojan SpySheriff I recently had to fight.
Looking at the scan logs I was quite surprised today to see the results. Yes the Trojans were found and destroyed, along with other miscellaneous. Most were located in my Documents, System or registry. The regular shit LOL.... But I was surprised to see the following mention on the quarantine list:

    Worlds\cache\art\objects.activeworlds.com-awgatesn\sounds\egyptian.mid,Cracking Tool,991936588,Deleted,d12da306e8b1f31caaebe2eb0bb45a84,DEN 01/21/2005,0502168000,00-00-00-00-00-00,Donald Gardner,
    C:\Active Worlds\cache\art\objects.activeworlds.com-awgatesn\sounds\egyptian.mid,Cracking Tool,991936588,Deleted,d12da306e8b1f31caaebe2eb0bb45a84,DEN 01/26/2005,0502667856,00-00-00-00-00-00,Donald Gardner,
    C:\Active Worlds\cache\art\objects.activeworlds.com-awgatesn\sounds\egyptian.mid,Cracking Tool,991936588,Deleted,d12da306e8b1f31caaebe2eb0bb45a84,DEN 02/01/2005,0503278049,00-00-00-00-00-00,Donald Gardner,
    C:\Active Worlds\cache\art\objects.activeworlds.com-awgatesn\sounds\egyptian.mid,Cracking Tool,991936588,Deleted,d12da306e8b1f31caaebe2eb0bb45a84,DEN 02/02/2005,0503372375,00-00-00-00-00-00,Donald Gardner,
    C:\Active Worlds\cache\art\objects.activeworlds.com-awgatesn\sounds\egyptian.mid,Cracking Tool,991936588,Deleted,d12da306e8b1f31caaebe2eb0bb45a84,DEN 02/09/2005,0504068684,00-00-00-00-00-00,Donald Gardner,
    C:\Active Worlds\cache\art\objects.activeworlds.com-awgatesn\sounds\egyptian.mid,Cracking Tool,991936588,Deleted,d12da306e8b1f31caaebe2eb0bb45a84,DEN 02/15/2005,0504670148,00-00-00-00-00-00,Donald Gardner,
    C:\Active Worlds\cache\art\objects.activeworlds.com-awgatesn\sounds\egyptian.mid,Cracking Tool,991936588,Deleted,d12da306e8b1f31caaebe2eb0bb45a84,DEN 03/04/2005,0506343648,00-00-00-00-00-00,Donald Gardner,
    C:\Active Worlds\cache\art\objects.activeworlds.com-awgate3\sounds\egyptian.mid,Cracking Tool,991936588,Ignored,d12da306e8b1f31caaebe2eb0bb45a84,DEN 04/20/2005,0511074978,00-00-00-00-00-00,Donald Gardner,
    C:\Active Worlds\cache\art\objects.activeworlds.com-awgate3\sounds\egyptian.mid,Cracking Tool,991936588,Deleted,d12da306e8b1f31caaebe2eb0bb45a84,DEN 05/22/2005,0514219230,00-00-00-00-00-00,Donald Gardner,
    C:\Active Worlds\cache\art\objects.activeworlds.com-awgate3\sounds\egyptian.mid,Cracking Tool,991936588,Deleted,d12da306e8b1f31caaebe2eb0bb45a84,DEN 07/12/2005,0519370873,00-00-00-00-00-00,Donald Gardner,
    C:\Active Worlds\cache\art\objects.activeworlds.com-awgate3\sounds\egyptian.mid,Cracking Tool,991936588,Ignored,d12da306e8b1f31caaebe2eb0bb45a84,DEN

no other aw files were mentioned, nor any other music files, personal files etc. After a few other virus mentions these lines do show again as further entries (approx 20 of the 40 'threats' were AW)....always the same egyptian.mid in the cache. Anyone care to explain why AW seems to be compromised? Why this one file shows up over and over in my quarantine listing or deletion listing? Donald Gardner is the signature of the Trojan SpySheriff, a nasty one. These listings started happening after infection, why this one aw file? thanks sweets

77, Jan 9, 2006, 6:29pm
this doesn't surprise at all. after installing McAfee spyware scan it found some spyware threats from betalbo and blu-pearl so needless to say I never went there again. what is even weirder is that I had Norton when I got those and it didn't even blink at them and the spyware had been in my system for at least 6 months.

77, Jan 9, 2006, 6:33pm
also if you have SpySheriff on your comp check this posting on CNET http://msn-cnet.com.com/5208-6132-0.html?forumID=32&threadID=143433&messageID=1607316

jerme, Jan 9, 2006, 8:35pm
Since no one has said anything yet.. I guess I'll take a minute to explain. Some viruses/trojans attach themselves to a specific file in the file system, making it easy to identify if a system is infected (take a look at one file and you can tell right away). Other viruses attach themselves to (or infect) files at random. I can't tell you why the egyptian.mid file was chosen to be infected, but it could have been chosen at random. From looking at the logs, it also appears that the same virus was removed from the same file several times over the course of time. The virus removals date back to 02/02/2005, just short of a year ago. This makes me think that this particular midi file is a false positive. Because viruses can 'mutate', most virus scanners are based on pattern matching. You may have heard the updates that you download for your virus scanner referred to as "virus signatures". That's because the file contains the 'signatures' of all the known viruses at the time. These 'signatures' are more like characteristics, or a pattern of bits that uniquely identifies a particular virus (thus the term 'signature'). The pattern of bits can be searched for throughout a file system quite easily. However, sometimes it just so happens that the signature of bits from a virus matches the pattern of bits in a random file (in this case, the midi file). When this happens, the virus scanner will complain about the virus, and dutifully delete the file. Then, AW re-downloads the file, having not found it in the cache, and the virus scanner deletes it again.... and the cycle continues every time you visit the world. -Jeremy

jerme, Jan 9, 2006, 8:38pm
FYI... I host the OP files for BluPearl, and while I haven't personally scanned them, I'm almost completely confident that they were not (and are not currently) infected. I wouldn't avoid a world just because your virus scanner is complaining. See my other post about false-positives for more info. -Jeremy

sweets, Jan 10, 2006, 12:11am
ok thanks...it just seemed strange of all the midi files in that file it kept attaching to that one. That cache is in my backup browser that I have not used for months, using another browser on another drive. I deleted the cache. I did not have the tool before this January to find or remove the troubles. All of those were found in one scan in one day....all as separate instances on the list. It is only marked as Date, not explaining what those dates are, but the scan was only run once, January 6, 2006 (44 found), then again January 7, 2006 (none were found) seems strange to a non tech that that many 'instances' of threats (approx 20) found in one day, could all be attached to one AW midi file....and no other music audio data files.... gotta love puters heh sweets

kf, Jan 11, 2006, 9:08am
MID files cannot carry a virus anyway, since they are not executable - and when they play as intended (and to check that you simply listen to it - as opposed to an executable file that just has the ending "mid" to hide it), then they won't be infected at all. :-) I have seen and investigated several of those alleged "virus" alarms and found that they were all false, also, none of the "real" anti-virus programs (e.g. Nod32, Bitdefender, Norton, etc.) will doubt these files, it is only a few (and mostly always the same) of the, mostly free, virus checkers which are a bit generous with signatures. :-)

sweets, Jan 11, 2006, 5:31pm
Yup....that is what they used to say about jpg....didn't they. Seems we cannot predict anymore what a virus will do. Not like these hackers actually have to follow any rules of conduct. They just get more and more slick....we are doomed sweets

rossyfox o, Jan 13, 2006, 2:53am
JPEG files were only able to carry nasty code because of a bug in the thing that was reading the files, not because of the files themselves. They cannot carry a virus in the same way an executable file can. Malicious code can be inserted into any file at all. That doesn't mean that the code will be run. The code will run if there is a fault in whatever is reading the file (as was the case with JPEG files on *certain systems*) or if the file is able to execute the code itself (i.e. an executable file). As far as I am aware there is no known exploit in anything designed to read MIDI files that can be used to execute embedded code.