MSE reports this as Win32/Sality.AT. TransGen appears to be using a self-contained IPS-patching executable for most of its NES games, though, and MSE didn't trigger on any of the six or so other patches of theirs that I downloaded which use a similar patching solution. I'd be very curious as to whether or not this is actually a false positive. Anyone have a sandbox VM they want to toss this into?
On that topic, autorun.inf is not a virus. It's something that manufacturers will put in the root directory of removable media (USB drives, CDs, DVDs, and the like) to cause something to start immediately once the media is detected. It could be used to launch a virus in the same way a boom box could be used to record a CD to a cassette tape back in the day, but most implementations of it were for automatically launching software installers (anything from printer drivers to Windows itself) and splash screens for games. It is, however, inherently insecure, and it's recommended that autorun be turned off. You can see how to do that here.
Quoth the technical information on Microsoft's security portal:
Sality.AT tries to copy one of the following files to the Windows temporary files folder (for example, %TEMP%) and infects the copied file:
The virus copies the infected file to the root of all remote and removable drives as one of the following:
The virus then writes an Autorun configuration file named autorun.inf pointing to the virus copy. When the drive is accessed from a PC supporting the Autorun feature, the virus is launched automatically.
Given the OP's mention of autorun.inf, chances are better than usual that we're potentially dealing with a legit threat here (though, reminder, Autorun can and probably should be disabled via the Group Policy Editor). Again, does anyone have a sandbox VM they can test with?
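The Microsoft description quoted above (a copy of the infected file dropped in the root of every removable drive, plus an autorun.inf that points at it) is easy to check for by hand once you know what to look for. Below is an added example, written for this page and not posted by anyone in the thread nor taken from Microsoft: a small Python triage script that parses an autorun.inf, lists every directive that would run a program, and rates the file against a listing of the drive root. The two autorun.inf samples and the file names in them (qxhz.exe, setup.exe) are constructed for illustration and are not real Sality artifacts. The "high" rating is given when the Explorer double-click verbs (shell\open\command, shell\explore\command, or whatever shell= names) are redirected, which is a common worm trick that goes beyond the plain open= pointer the write-up mentions.

```python
"""Triage an autorun.inf against a listing of the drive root it came from."""
import re
from typing import Dict, List, Tuple

# Directives that run a program when the drive is inserted (AutoRun/AutoPlay).
LAUNCH_KEYS = ("open", "shellexecute")
# Verbs Explorer fires when the user double-clicks the drive icon.
CLICK_VERBS = ("open", "explore")
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def parse_autorun(text: str) -> Dict[str, str]:
    """Parse the [autorun] section into a lowercase key -> value map.

    Hand-rolled instead of configparser so that junk padding, duplicate keys
    and odd casing never raise; the last occurrence of a duplicate key wins.
    """
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (directive, program basename) for every directive that runs a program."""
    targets: List[Tuple[str, str]] = []
    for key, value in entries.items():
        runs = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not runs or not value:
            continue
        # First token of the command line, honouring a quoted path.
        m = re.match(r'"([^"]*)"|(\S+)', value)
        program = (m.group(1) if m.group(1) is not None else m.group(2)) if m else value
        program = program.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        targets.append((key, program))
    return targets


def triage(text: str, root_listing: List[str]) -> Tuple[str, List[str]]:
    """Rate an autorun.inf: "none" (launches nothing), "medium" (launches an
    executable, the pattern the write-up describes), "high" (the Explorer
    double-click verbs are hijacked). Also notes when the launched file is
    itself sitting in the drive root, as the virus copy would be."""
    root = {name.lower() for name in root_listing}
    entries = parse_autorun(text)
    default_verb = entries.get("shell", "").strip().lower()
    findings: List[str] = []
    severity = "none"
    for key, program in launch_targets(entries):
        note = f"{key} runs {program}"
        if program in root:
            note += " (file is present in the drive root)"
        findings.append(note)
        if program.endswith(EXEC_EXT) and severity == "none":
            severity = "medium"
        verb = key.split("\\")[1] if key.startswith("shell\\") else ""
        if verb in CLICK_VERBS or (verb and verb == default_verb):
            severity = "high"
    return severity, findings


# Constructed sample modelled on the write-up: a copy dropped in the drive
# root plus an autorun.inf pointing at it (hypothetical name, not a real file).
WORM_INF = """\
;\x01\x02 junk padding of the kind worms often insert
[AutoRun]
open=qxhz.exe
shell\\open\\Command=qxhz.exe
shell\\explore\\Command="qxhz.exe" -e
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""
WORM_ROOT = ["qxhz.exe", "autorun.inf", "Photos"]

# Constructed benign sample: a driver CD that launches its own installer.
INSTALLER_INF = """\
[autorun]
open=setup.exe
icon=setup.exe,0
label=Printer Drivers
"""
INSTALLER_ROOT = ["setup.exe", "autorun.inf", "drivers"]

if __name__ == "__main__":
    for name, inf, root in (("worm", WORM_INF, WORM_ROOT),
                            ("installer", INSTALLER_INF, INSTALLER_ROOT)):
        severity, findings = triage(inf, root)
        print(f"{name}: {severity}")
        for finding in findings:
            print("  -", finding)
```

Note that a benign installer disc also rates "medium", because open= pointing at an executable is exactly what autorun.inf was designed for; the script only tells you what would run and where it lives, and the call on whether that file is clean still belongs to a scanner or a sandbox.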
I tossed the file into VirusTotal per request from one of our admins. Here's the result: https://www.virustotal.com/en/file/70fc6167b7d57139abc8c2f97896511a8c083f539f61ea7d83d379e8e5c58078/analysis/
I'd say that's pretty definitive. I've submitted a change request to the translation's entry in the database and ticked the nofile box. This will preserve a record of the translation, but should clear the file away.
The file's been removed. Thanks for reporting this!