
Review Trojan/Virus Reports

(114 posts)
  • Started 1 year ago by Lee
  • Latest reply from my_name_is_brad

  1. haalam
    Member

    BuBBy, the Activate file for the 12/1/07 game also has something going on in it. Avira AntiVir reported "HEUR/MALWARE" in the file. The first time it came up I kept allowing it (numerous times) then figured I'd take a look at what Avira said about it. It was then my system locked up and I had to press the reset button to get out of it all. (Process Explorer wouldn't even come up!) Anyway, I went around it to get the game installed by temporarily disabling Avira's AntiVir Guard, hoping that it was just a false positive report. I would send it to Avira, but the last time I tried to send a file, I had to send manually and they got rather nasty about my not using their reporting tools.

    Here's a link to the description page:
    http://www.avira.com/en/threats/section/fulldetails/id_vir/2703/heur_malware.html

    This is the first time the GAOTD activate file has had any problems. Did GAOTD make any changes to the activate file? If so, maybe they can fix this so people don't freak out when they see something like this?

    Posted 7 months ago #
  2. I don't know if they have made any changes to the file. (I believe they are working hard to improve some of the issues Vista users sometimes experience - but I've no idea if anything has been released). All I can do is ask them.

    I run NOD32, BOClean, Spyware Terminator and Spybot S&D - I haven't seen any alerts raised by the Activate.exe programs (during execution or afterwards).

    I don't have the Activate from December 1. If you still have it - you could try disabling your antivirus and submitting the activate.exe to http://virusscan.jotti.org/

    If you haven't used "jotti" before - it sends a file (up to 10mb in size) to about a dozen different virus scanners (from most of the major vendors). It scans the file against the latest signature files which are updated once an hour.

    They have a bunch of disclaimers (to cover their butt) saying if the result says it is clean - it might not be, and vice versa. But at the very least it lets you see - "is it just me, that thinks this has a virus - or does everybody else agree".

    I have found through experience that some Antivirus products trip over false positives far more often than others.

    Perhaps a program that sends and receives data over the internet and writes data to the registry is considered "suspicious" or "malware" to some anti-virus programs.

    Posted 7 months ago #
  3. haalam
    Member

    BuBBy -- Thanks for the jotti link. Ran it on that file and Avira was the ONLY one that found anything, that same "HEUR/Malware". I am using the free version but going to think twice now before I buy that AV.

    But this is still a weird thing. Avira has not found anything in any other GAOTD files since I started using it and getting GAOTD files! Today a Game GAOTD commenter who I have seen there before is not downloading MagicBall 2 because he/she got a warning -- must be using Avira also. Comment posted to him, hope it is accepted by the PTB!

    Just submitted to Avira as a false-pos suspect. They are supposed to email with results. I will let you know what they say.

    Posted 7 months ago #
  4. But this is still a weird thing. Avira has not found anything in any other GAOTD files since I started using it and getting GAOTD files!

    If, for example, GOTD started raising "alerts" in Avira about a week ago - in my experience it is likely that nothing has changed with GOTD - but about a week ago, Avira might've changed their Heuristic module. Now all GOTD activate programs are detected as "Malware" because Avira has changed.

    If you had an Activate.exe from 2 months ago - that was "clean" at the time - and rescanned it with Avira today, I am guessing it would also now be "infected".

    If the AV software defines "dogs are animals with 4 legs" - and then starts classifying cats as being a type of dog - you refine your AV definition of "what is a dog". You DON'T start removing a leg from all cats. ;)

    PS. Note that all AV products from time to time get false positives, some just get A LOT more than others.

    Posted 7 months ago #
  5. haalam
    Member

    BuBBy: Here are the results I received from Avira:

    File ID Filename Size (Byte) Result
    2252234 Activate.exe 256.64 KB FALSE POSITIVE

    Please find a detailed report concerning each individual sample below:
    Filename Result
    Activate.exe FALSE POSITIVE

    The file 'Activate.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.
    ===============================================================
    Fortunately for Avira & GAOTD users, people will not get the malware warning once the update is done. I am glad I reported it to Avira!

    Posted 7 months ago #
  6. Thanks for letting everyone know.

    I am glad Avira fixed this problem in their virus signatures. Hopefully in future when some poor bunny gets a suspected "virus alert" they can be directed here (to this forum section), instead of screaming outrage and conspiracy (in the comment section) that GOTD is releasing viruses and malware, as these users consider what their virus scanner reports, as "gospel".

    Posted 7 months ago #
  7. haalam
    Member

    BuBBy: Well, Avira said "with one of the next updates". They seem to update daily, so I am now getting today's update and will see if it is fixed yet. In the meantime, I am still reading posts of problems but directing people here to see the outcome. I guess I should also tell people to UPDATE AVIRA ANTIVIR DAILY!

    Posted 7 months ago #
  8. Considering the speed viruses & worms can spread across the internet - a single daily update should be considered a minimum.

    Posted 7 months ago #
  9. MagicMan
    Member

    Thanks to ALL for help with the AntiVir (Heur/Malware) problems!!!

    BuBBy, I'm still wondering where the fault lies (maybe with both Avira & GAOTD??) in starting to get False-Positives?
    Before I had read this forum, I had re-scanned recent (zipped) files and ones from months ago from GAOTD, and with the exceptions of the ones over the last week, none of them had any problems. So that rules out the "If you had an Activate.exe from 2 months ago - that was "clean" at the time - and rescanned it with Avira today, I am guessing it would also now be "infected"." theory.
    Also, after reading the forum and reading haalam's posts, I downloaded today's AntiVir update & retried running the scan on "Bee Icons" & "Destiny Architect" both still came up with 'Contains suspicious code HEUR/Malware'. But, I also re-scanned Magic Ball 2 from Dec.2nd, and it came up fine now, where it had previously been 'flagged'!!? I also tried some 'older' zipped files, and they still came up fine.
    So, this is all very, very, weird to me!!!!

    I hope between GAOTD & AntiVir they can get this problem worked out!!?
    Although, honestly, I'm considering changing to Comodo AntiVirus, because I don't like wondering if my downloaded files are safe, and I can't handle not having my GAOTD fix!
    You guys are GREAT!!!!

    In conclusion, from now on I'll keep my 'virus problems' confined to this Forum... now that I've found the correct area to post. I've never figured my AntiVir for 'gospel', I just found it VERY weird that the problems started on both the GAOTD & GGAOTD sites at the same time, and for several days in a row now, without the 'Heuristic module' theory being correct either...?? So, ...go figure?!?

    Anyways, THANKS AGAIN TO ALL, for the help in trying to figure this one out!!! I'll keep reading here in the future!

    I have also sent Avira emails in the past, here is the most recent with their response. Enjoy...? ;o)

    I sent Avira(AntiVir) the following email:

    ******************
    To whom it may concern,

    I am having problems with downloads from the following sites:
    http://www.giveawayoftheday.com/
    http://game.giveawayoftheday.com/

    Today's downloads on both sites, "Bee Icons" & "Destiny Architect" both came up with 'Contains suspicious code HEUR/Malware'.

    Can someone please explain how come I've downloaded from these sites for a year now, have always scanned the files with Anti-Vir, never had a problem, and now almost every program for a week now, has come up as 'Contains suspicious code HEUR/Malware'??!!??

    My Anti-Vir is up to date.

    Did you change something in the anti-vir engine that is now giving out false positives???

    Thanks for your help!
    ******************

    Here's the response I got from Avira (AntiVir) -

    *****************************************
    Thank you for your recent inquiry.

    We checked the files (links) you have told us and the AntiVir heuristic found the signature of 'HEUR/Malware'. The current version of AntiVir already detects these files.
    The reason for the detection by our heuristic is that the setup.exe of both programs is a downloader which works exactly like malware downloaders.
    The software producer shouldn't use such malware-like mechanisms.

    We hope to have helped you with that.

    --
    Freundliche Gruesse / Best regards
    Avira GmbH

    Andreas Pohl
    First Level Support

    Avira GmbH
    Lindauer Str. 21, D-88069 Tettnang, Germany
    Internet: http://www.avira.com
    *****************************************

    Posted 7 months ago #
  10. haalam
    Member

    BuBBy: I have noticed that Avira does actually do multiple updates each day.

    MagicMan: Avira AntiVir is known to have a ton of false positives. I too wanted to go with Comodo AV, but until they release a non-beta version, I will not use it. Other than the high f-p's, Avira is one of the top AV's that is free (for awhile anyway). Go to http://www.av-comparatives.org/ and you can see their testing results reports of various AV products. Comodo is not mainstream tested yet, probably due to the beta situation. (But I hear that Comodo's firewall is excellent!)

    All: I downloaded and installed today's game. I did not get any warnings from AntiVir, so either Avira has fixed their false positive on the Activate.exe file, or GAOTD made a change. HOORAY!

    Peace!

    Posted 7 months ago #
  11. MagicMan
    Member

    haalam, I agree, HOORAY!!!
    I also downloaded 'Folder Castle',
    NO warnings from AntiVir! DOUBLE HOORAY!!!!

    Coolness,
    MagicMan

    Posted 7 months ago #
  12. All: I downloaded and installed today's game. I did not get any warnings from AntiVir, so either Avira has fixed their false positive on the Activate.exe file, or GAOTD made a change. HOORAY!

    Scan one of the "infected" Activate programs (like from last weekend) - that should tell you who has changed. My money is on AntiVir.

    AntiVir said,

    The file 'Activate.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.

    Some "Gumby" on the AntiVir helpdesk said,

    The current version of AntiVir already detects these files.
    The reason for the detection by our heuristic is that the setup.exe of both programs is a downloader which works exactly like malware downloaders.
    The software producer shouldn't use such malware-like mechanisms.

    AntiVir "Support Gumby" is saying that GOTD Activate "Cat" is at fault because it has the same number of legs as a Dog - it is up to GOTD to remove a leg from all future "Cats" so the AntiVir Heuristics doesn't get "confused". (What on earth are you talking about?)

    Still, I maintain these results from jotti give a pretty good indication where the problem was most likely with.

    Posted 7 months ago #
  13. haalam
    Member

    BuBBy: I love your funny analogies! I needed a good laugh tonight too! Thanks!

    Yes, when I saw that Avira was about (or was?) the only one on the jotti results list with the malware, I suspected it was a f-p. Always good to go to the source though, as I did via their website (not the Gumby).

    I don't keep the zipped GAOTD files once the app/game is installed so I don't have any old files to check. However, I may have a few from months ago when I did save them, but now that Avira fixed their problem, there is no use in even trying. I see no point in saving the zipped files when the app can't be activated after the one day offering.

    MagicMan: Glad you are as happy as me! Hopefully others read my comments and heeded my Avira update suggestion. Although I think it auto-updates. I see no settings in Anti-Vir Pers Ed Classic to change frequency of updates. The only ones who need to do manually are those complainers of large file downloads using dial-up! ;>

    Joy!

    Posted 7 months ago #
  14. boa
    Member

    My LinkScanner Pro is notifying me that your web page is unsafe. This just started today. Previous visits of late have not given this error. It appears it is your linked advertising. The exact message is:

    "The web page you are attempting to visit can, either directly or via one or more links on the page, silently install malicious software without your permission by exploiting the browser or operating system vulnerabilities. For you protection, LinkScanner has blocked access to this web page."

    Blocked URL: pagead2.googlesyndication.com
    Source address: 209.85.237.164

    Posted 6 months ago #
  15. graylox
    Member

    Hi boa,
    since I installed Firefox + adblockplus
    surfing the net is safer, faster and much more fun.

    http://adblockplus.org/en/installation

    graylox

    Posted 6 months ago #
  16. Regarding the discussion about "FolderMarker Pro" and some possible detections. I believe these to be false positives.

    To scan files using multiple antivirus engines - to determine if there is any consistency or consensus to the findings submit files to either

    http://virusscan.jotti.org/ or
    http://www.virustotal.com/

    In terms of today's Giveaway:

    Jotti - foldermarker.exe

    Note on the results from AntiVir and Ikarus (Note: This file was only classified as Malware from scanners known to generate more false positives than the average scanner. Do not consider these results definitely accurate. Also, because of this, results of this scan will not be recorded in the database).

    Not a huge vote of confidence in either AntiVir or Ikarus.

    PrevX - foldermarker.exe Which describes why it rated a mention. Perhaps the most "suspicious" - the process uses HTTP to talk to another computer (check for upgrades, launch a "buy" webpage), and can change the desktop background.

    Posted 6 months ago #
  17. BeenTaken
    Member

    I am getting a Trojan alert from BOClean for yesterday's game giveaway SeaSoar.

    Here is the alert:
    ANET MALWARE STOPPED by BOCLEAN!
    Location of startup:FILE
    C:\PROGRAM FILES\SEESOAR\SEESOAR.EXE
    This trojan horse program was found on your machine. It has been shut down, but the FILE from which it started still remains and can be started up again.

    Do you want the file removed also?

    Jotti's malware scan 2.99 also reports file as infected. See that report below.

    File: SeeSoar.exe
    Status: INFECTED/MALWARE
    MD5: cebbd4807c0964d947a0e6f03b9bbf36
    Packers detected: PE_PATCH
    Bit9 reports: File not found

    Scan taken on 17 Jan 2008 09:21:27 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found Const.W32.IDL.A
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Ikarus Found Suspect code-parts (probable variant)
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

    The detections do not occur from BOClean nor Jotti when scanning the games setup.exe. It is only after the game is unpacked and installed that ANET MALWARE is detected.

    This was detected within the download from both the regular and the alternate download links.

    I am using Windows XP Home SP2 fully updated. BOClean contains the most current update. I have not scanned with any other product.

    Please advise.

    Thanks in advance.

    Posted 5 months ago #
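    The posts above rely on the same manual reasoning each time: submit the file to a multi-engine scanner, count how many engines flag it, and weigh the hits from engines known to be false-positive prone less than the rest. Below is an added example (Python, not part of this thread and not Jotti's or VirusTotal's own tooling) that parses a result list in the layout quoted in the post above and turns it into a consensus verdict. The sample lines are the ones quoted in that post; the set of false-positive-prone engines (taken from the Jotti note quoted in post 16, which names AntiVir and Ikarus) and the 50% consensus threshold are assumptions that a practitioner would tune to their own experience.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the Jotti result lines quoted in the post above.
# Layout is "<scanner name> Found <verdict>", one engine per line.
SAMPLE_REPORT = """\
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found Const.W32.IDL.A
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Suspect code-parts (probable variant)
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
"""

# Assumption: engines the multi-scanner itself notes as producing more false
# positives than average (the note quoted in post 16 names these two).
FP_PRONE = {"AntiVir", "Ikarus"}

# Verdict strings that describe a heuristic/generic hit rather than a named
# signature; a heuristic-only hit carries less weight than a named family.
HEURISTIC_RE = re.compile(r"heur|suspect|suspicious|probable|generic", re.I)


def parse_report(text):
    """Map scanner name -> verdict string for every parseable line."""
    results = {}
    for line in text.splitlines():
        scanner, sep, verdict = line.strip().partition(" Found ")
        if sep:  # skip blank or unrelated lines
            results[scanner] = verdict.strip()
    return results


def detections(results):
    """Only the engines that reported something other than 'nothing'."""
    return {s: v for s, v in results.items() if v.lower() != "nothing"}


@dataclass
class Assessment:
    engines: int
    hits: int
    only_fp_prone: bool
    heuristic_only: bool
    label: str
    hit_names: dict = field(default_factory=dict)


def assess(results, fp_prone=FP_PRONE, consensus=0.5):
    """Summarise a multi-engine result set into one defensible label.

    consensus is the fraction of engines that must agree before a file is
    called 'likely malicious'; below that, hits coming solely from
    false-positive-prone engines are labelled as a probable false positive,
    and anything else stays 'inconclusive' (rescan after the next update,
    or submit to the vendor, as the thread recommends).
    """
    hits = detections(results)
    n = len(results)
    ratio = len(hits) / n if n else 0.0
    only_fp = bool(hits) and all(s in fp_prone for s in hits)
    heur_only = bool(hits) and all(HEURISTIC_RE.search(v) for v in hits.values())
    if not hits:
        label = "clean"
    elif ratio >= consensus:
        label = "likely malicious"
    elif only_fp:
        label = "likely false positive"
    else:
        label = "inconclusive"
    return Assessment(n, len(hits), only_fp, heur_only, label, hits)


if __name__ == "__main__":
    verdict = assess(parse_report(SAMPLE_REPORT))
    print(f"{verdict.hits}/{verdict.engines} engines flagged the file: {verdict.label}")
    for scanner, name in verdict.hit_names.items():
        print(f"  {scanner}: {name}")
```

    On the quoted SeeSoar results this yields 2 of 21 engines and the label "inconclusive", because CPsecure is not on the false-positive-prone list and its verdict is a named signature rather than a heuristic; the earlier Activate.exe case, where Avira was the only engine to flag HEUR/Malware, comes out as "likely false positive", which is what the vendor later confirmed.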
  18. Todays software giveaway Incontrol v2.4 maybe has a key logger in it.

    SpyBot search and destroy tells me such.

    Anyone else found this?

    Posted 5 months ago #
  19. Spybot is detecting a false positive. (It also did the same last time the Virtuoza products were offered).

    http://www.giveawayoftheday.com/forums/topic/1021

    Posted 5 months ago #
  20. InControl? A keylogger? If it was, then wouldn't it be sending keys to the internet or something? I don't see it accessing the internet during its running time. Also, this giveaway was available a long time ago (maybe last year) and I have been using it ever since; it is great software, nothing to worry about.

    Posted 5 months ago #
  21. RunesageMagik
    Member

    It's likely you'll keep seeing an increase in false positives, as the science of anticipatory heuristics means developing fuzzy search algorithms. I don't think any of the anti-v companies do a good enough job of educating the public, or of creating the right sieves and results reports. Every "hit" should be quickly rechecked/compared to the updated virus defs and then reported as a known virus or a fuzzy. If they don't do something soon, we're going to be overrun by tribbles.
    http://tinyurl.com/2m6dtr

    Posted 5 months ago #
  22. whitemist
    Member

    New here and don't know how this works, but yesterday (Jan. 17, 2008) I couldn't get into site at all; kept getting 504 Error, so therefore couldn't get the game. Is there any way to report this?

    Posted 5 months ago #
  23. scubaguy
    Member

    Hi whitemist

    GAOTD did not pay their electric bill! LOL!

    We all had the same problem. The 504 error is a server problem and nothing you or any of us could do about it. As far as reporting it, they already know about it; that's why the site is working now.
    If you check the site early in the day and think you might want to try it, download and install as soon as you can. This way, if you have any problems with it you can check back in the forums for a solution, if not from one of the Moderators (these guys even know the age-old question of "the meaning of life") and, as I have just learned myself, are capable of time travel!!!! You can also get a lot of helpful hints and info from the members too.
    Welcome to the forums!!!

    PS. Always open and run the software within the 24 hr. period, because when it's over that's it.

    Posted 5 months ago #
  24. Yes, I have a screenshot from last night at about midnight when there were server errors. I don't think anyone goes to GAOTD at midnight unless you just remembered that the giveaway was good and you forgot to install it and what about the people in different time zones? GAOTD needs to have their servers powered on 24/7. Anyways, I have never seen this error before from GAOTD.

    Posted 5 months ago #
  25. scubaguy
    Member

    To mrkesik2008
    The site is 24/7 and no matter what time zone you're in, you still have 24 hrs to download the offering of the day.
    You will find people in the forums at all times of the night; that's when the fun starts.

    So yall come back now Ya hear!!!!

    Posted 5 months ago #
  26. Yes, I know that the site is 24/7, I was just talking about that server error last night. It's not a big deal, unless you wanted to download the Giveaway while GAOTD was having errors.

    Posted 5 months ago #
  27. If you want to see what server errors were happening, go to my website and click on the thumbnail in the news section, and if you are going to talk about why there is two screens in one picture, I have two monitors.

    Posted 5 months ago #
  28. whitemist
    Member

    Do you think they will re-offer the mini golf game? I don't know how the give a ways work or how they can even do it. As I said, new to the site. Could you explain it to me? Thanks

    Posted 5 months ago #
  29. Ok I could help you. First you go to here to download the software giveaway and here to download the game.
    Click the download link and save the file somewhere to your computer, then open the zip file, Extract and run Activate.exe (if there is one) or Setup.exe. Remember, always run Activate.exe first. The readme.txt also has similar instructions like this.

    Posted 5 months ago #
  30. RunesageMagik
    Member

    Whitemist - On very rare occasions, GAOTD will offer a game or software app again; but if past is prologue, not likely anytime soon... unless we guinea pigs discover a programming flaw and the vendor offers a do-over, in which case a few have fixed their errors and come right back with a secondary offering. Since GAOTD's a free site, and the guys behind the curtain have made arrangements with vendors for a strictly controlled time limit, if a funky server or severed telecom backbone or an act of nature or a primal force to be named at a later date decides to eat a few hours off the clock, it's tough noogies.

    BTW- not that this helps your frustration, but if you enjoy the free javascript billiards games on the net, it's likely you would have enjoyed the mini-golf game as much or more. Same principle, only with quite a bit more variety. Surprisingly realistic. I'm particularly fond of games like this, that don't have to be played to conclusion right away, but will start up where they left off whenever I've a few minutes to kill.

    Posted 5 months ago #
