
Author Topic: I found a Virus!!!

freenit

I found a Virus!!!
« on: January 06, 2016, 01:06:25 am »
Hi, I found a virus in the file for Dragon Ball Z III - Killer Androids - SPANISH translation v1.0A by TransGen.
My PC was infected by the USB virus autorun.inf.
Please remove the file!

Gideon Zhi

Re: I found a Virus!!!
« Reply #1 on: January 06, 2016, 01:46:51 am »
MSE reports this as Win32/Sality.AT. TransGen appears to be using a self-contained IPS-patching executable for most of its NES games though, and MSE didn't trigger on any of the six or so other patches of theirs that I downloaded which use a similar patching solution. I'd be very curious as to whether or not this is actually a false positive. Anyone have a sandbox VM they want to toss this into?

On that topic, autorun.inf is not a virus. It's something that manufacturers will put in the root directory of removable media (USB drives, CDs, DVDs, and the like) to cause something to start immediately once the media is detected. It could be used to launch a virus in the same way a boom box could be used to record a CD to a cassette tape back in the day, but most implementations of it were for automatically-launching software installers (anything from printer drivers to Windows itself) and splash screens for games. It is however inherently insecure and it's recommended that autorun be turned off. You can see how to do that here.

Edit:
Quoth the technical information on Microsoft's security portal:
Sality.AT tries to copy one of following files to the Windows temporary files folder (for example, %TEMP%) and infects the copied file:

%SystemRoot%\system32\NOTEPAD.EXE
%SystemRoot%\system32\WINMINE.EXE

The virus copies the infected file to the root of all remote and removable drives as one of the following:

\<random>.pif
\<random>.exe
\<random>.cmd

The virus then writes an Autorun configuration file named autorun.inf pointing to the virus copy. When the drive is accessed from a PC supporting the Autorun feature, the virus is launched automatically.

Given the OP's mention of autorun.inf, chances are better than usual that we're dealing with potentially a legit threat here (though reminder, Autorun can and probably should be disabled via group policy editor.) Again, does anyone have a sandbox VM they can test with?

Edit 2:
I tossed the file into VirusTotal per request from one of our admins. Here's the result:
https://www.virustotal.com/en/file/70fc6167b7d57139abc8c2f97896511a8c083f539f61ea7d83d379e8e5c58078/analysis/

I'd say that's pretty definitive. I've submitted a change request to the translation's entry in the database and ticked the nofile box. This will preserve a record of the translation, but should clear the file away.

Edit 3:
The file's been removed. Thanks for reporting this!
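The mechanism quoted from Microsoft above (a dropped executable in the drive root plus an autorun.inf whose open= / shell\...\command= entries point at it) is easy to check for without executing anything. The following is an added example, not code from the thread or from TransGen: it parses an autorun.inf, lists every program it would launch, and flags launch targets that are bare .pif/.exe/.cmd files sitting in the drive root. The sample autorun.inf and the file name ryqcx.pif are constructed for the demo; the real dropper uses a random name.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample of what a Sality-style autorun.inf looks like (hypothetical
# file name; the real dropper uses a random one).
SAMPLE_AUTORUN = """[autorun]
; comment lines are legal in autorun.inf
open=ryqcx.pif
shell\\open\\Command=ryqcx.pif
shell\\explore\\command=ryqcx.pif
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

AUTOSTART_KEYS = ("open", "shellexecute")
LAUNCH_EXTS = {".exe", ".pif", ".cmd", ".bat", ".com", ".scr"}


def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section, keys lower-cased.
    The format is INI-like but keys contain backslashes and values are not
    quoted, so a small tolerant parser is used instead of configparser."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Every program the file asks Windows to run: open=, shellexecute= and any
    shell\\<verb>\\command= entry (the verbs shown on the drive's context menu)."""
    targets = []
    for key, value in entries.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in AUTOSTART_KEYS or is_verb:
            tokens = value.split()
            targets.append(tokens[0] if tokens else value)  # drop arguments
    return targets


def suspicious_targets(entries):
    """Launch targets that are bare executables in the drive root: the
    \\<random>.pif / .exe / .cmd drop pattern quoted above."""
    flagged = set()
    for target in launch_targets(entries):
        name = target.lstrip("\\").lower()
        if "\\" in name or "/" in name:
            continue  # lives in a subdirectory; not the root-drop pattern
        if os.path.splitext(name)[1] in LAUNCH_EXTS:
            flagged.add(name)
    return sorted(flagged)


def scan_drive_root(root):
    """Report what the autorun.inf at the root of a mounted drive would launch,
    and which of those targets are really sitting next to it."""
    root = Path(root)
    inf = root / "autorun.inf"
    if not inf.is_file():
        return {"autorun": False, "flagged": [], "present": []}
    entries = parse_autorun(inf.read_text(errors="replace"))
    flagged = suspicious_targets(entries)
    present = [name for name in flagged if (root / name).is_file()]
    return {"autorun": True, "flagged": flagged, "present": present}


def demo():
    """Stage the constructed sample in a temporary 'drive root' and scan it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "autorun.inf").write_text(SAMPLE_AUTORUN)
        Path(d, "ryqcx.pif").write_bytes(b"MZ")  # stand-in for the dropped copy
        return scan_drive_root(d)
```

Point scan_drive_root at the mount point of a USB stick (read-only, ideally from a non-Windows box) to see what Autorun would have launched. A printer-driver installer in a subdirectory is not flagged; a lone .pif in the root is.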

RyanfaeScotland

Re: I found a Virus!!!
« Reply #2 on: January 06, 2016, 02:37:17 am »
Good catch guys.

SunGodPortal

Re: I found a Virus!!!
« Reply #3 on: January 06, 2016, 02:49:47 am »
Is there a way to tell how the virus got there?

Gideon Zhi

Re: I found a Virus!!!
« Reply #4 on: January 06, 2016, 02:58:48 am »
It's likely been there since the file was uploaded in 2012, but since the non-English sections of the site are some of the least well traveled, I could easily see it going unnoticed. saito didn't upload anything else within a year or two of that timeframe so I'm guessing it was a fluke. His system was probably infected at the time and the DBZ patch in question was a casualty.

Lilinda

Re: I found a Virus!!!
« Reply #5 on: January 06, 2016, 05:35:59 am »
...WELL I GUESS WE WEREN'T 100% SAFE AFTER ALL

Thanks, freenit.

Reiska

Re: I found a Virus!!!
« Reply #6 on: January 06, 2016, 12:40:08 pm »
Out of curiosity, is it possible to extract the IPS data from the infected patcher safely, so that the translation itself is not lost?

Lilinda

Re: I found a Virus!!!
« Reply #7 on: January 06, 2016, 01:59:51 pm »
With some clever tool use/programming to make a tool and a VM hosting a Linux variant? Sure, you could do that.

Bread

Re: I found a Virus!!!
« Reply #8 on: January 08, 2016, 11:16:47 pm »
Try Malwarebytes.

meunierd

Re: I found a Virus!!!
« Reply #9 on: January 10, 2016, 10:27:02 am »
Assuming the patcher itself actually works, you could run it in a sandbox and generate a new IPS patch from the end result.
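Both routes to rescuing the translation are mechanical once you know the IPS layout (5-byte "PATCH" magic; records of 3-byte offset, 2-byte size, payload; size 0 means an RLE record of 2-byte run length plus one fill byte; "EOF" terminator). The added example below is not code from the thread or from TransGen. It covers Reiska's question (carve the embedded IPS out of the patcher binary by walking records from each "PATCH" hit, never executing the file) and meunierd's alternative (diff the sandbox output against the original ROM and emit a fresh patch), and round-trips the two through a constructed fake patcher blob. The ROM contents, the patch bytes and the "MZ" container are all made up for the demo.

```python
import re

IPS_MAGIC = b"PATCH"
IPS_EOF = b"EOF"
EOF_AS_OFFSET = 0x454F46  # the bytes "EOF" read as a 24-bit record offset


def parse_ips(data, start=0):
    """Walk the records of an IPS patch beginning at data[start].
    Returns (records, end): records is a list of (offset, payload bytes),
    end is the index just past the EOF marker. ValueError if malformed."""
    if data[start:start + 5] != IPS_MAGIC:
        raise ValueError("no PATCH magic")
    pos = start + 5
    records = []
    while True:
        if data[pos:pos + 3] == IPS_EOF:
            return records, pos + 3
        header = data[pos:pos + 5]
        if len(header) < 5:
            raise ValueError("truncated record header")
        offset = int.from_bytes(header[:3], "big")
        size = int.from_bytes(header[3:5], "big")
        pos += 5
        if size == 0:  # RLE record: 2-byte run length, then the fill byte
            if len(data) < pos + 3:
                raise ValueError("truncated RLE record")
            run = int.from_bytes(data[pos:pos + 2], "big")
            payload = bytes([data[pos + 2]]) * run
            pos += 3
        else:
            payload = data[pos:pos + size]
            if len(payload) != size:
                raise ValueError("truncated record payload")
            pos += size
        records.append((offset, payload))


def carve_ips(blob):
    """Return every byte range of an arbitrary binary (say, a self-contained
    patcher EXE) that parses as a complete IPS patch. Nothing is executed;
    false hits on the 5-byte magic are rejected by the record walk."""
    found = []
    for m in re.finditer(re.escape(IPS_MAGIC), blob):
        try:
            _, end = parse_ips(blob, m.start())
        except ValueError:
            continue
        found.append(blob[m.start():end])
    return found


def apply_ips(rom, ips):
    """Apply a patch, growing the image if a record writes past its end."""
    records, _ = parse_ips(ips)
    out = bytearray(rom)
    for offset, payload in records:
        end = offset + len(payload)
        if end > len(out):
            out.extend(b"\x00" * (end - len(out)))
        out[offset:end] = payload
    return bytes(out)


def make_ips(original, patched):
    """Diff two images into an IPS patch (the 'patch in a sandbox, then
    regenerate' route). Plain records only, no RLE; the truncation extension
    is not emitted, so the patched image may not be shorter than the original."""
    if len(patched) < len(original):
        raise ValueError("patched image is shorter; truncation not supported here")
    out = bytearray(IPS_MAGIC)
    i, n = 0, len(patched)
    while i < n:
        if i < len(original) and patched[i] == original[i]:
            i += 1
            continue
        start = i
        if start == EOF_AS_OFFSET:
            start -= 1  # would be misread as EOF; re-write one unchanged byte instead
        if start > 0xFFFFFF:
            raise ValueError("offset beyond the 16 MiB IPS limit")
        j = i
        while j < n and j - start < 0xFFFF and (j >= len(original) or patched[j] != original[j]):
            j += 1
        payload = patched[start:j]
        out += start.to_bytes(3, "big") + len(payload).to_bytes(2, "big") + payload
        i = j
    out += IPS_EOF
    return bytes(out)


def demo():
    """Constructed round trip: diff two fake ROMs, bury the patch inside junk
    the way an embedded patcher would, carve it back out and re-apply it."""
    original = bytes(range(256)) * 4                 # 1 KiB stand-in ROM
    patched = bytearray(original)
    patched[0x10:0x14] = b"HOLA"                     # translated text
    patched[0x200:0x203] = b"\xEA\xEA\xEA"           # NOP'd instruction
    patched = bytes(patched)
    ips = make_ips(original, patched)
    blob = b"MZ" + b"\x90" * 64 + ips + b"\x00" * 32  # fake patcher container
    carved = carve_ips(blob)
    ok = bool(carved) and apply_ips(original, carved[0]) == patched
    return {"ips": ips, "carved": carved, "ok": ok}
```

Carving only works if the patcher stores the IPS verbatim rather than compressed or encrypted; if carve_ips comes back empty, fall back to applying the patcher in a throwaway VM and feeding the before/after ROMs to make_ips. Either way the original ROM and the output should be compared by hash afterwards, and the rescued patch (not the patcher) is what gets resubmitted.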

joe73ffdq

Re: I found a Virus!!!
« Reply #10 on: January 11, 2016, 11:47:53 pm »
I have been wanting to reply to this for a while.

In 2009/2010 mainly, I essentially downloaded everything from both here and Zophar's Domain. I wanted a complete collection of everything from 1985 to 1995 mainly.

Several hundred downloads, and never a problem, from either site.

Once I got used to how things worked here at RHDN, I was able to surmise that the administration scans every file before posting anything for everyone else. I have uploaded 3 things here, and they all took 15-30 hours before they posted, so I know they are checked.

Lilinda

Re: I found a Virus!!!
« Reply #11 on: January 12, 2016, 02:08:31 am »
We don't scan each and every file. We get too many submissions for that. Usually what's done is we take a look at what's in the archive, see if there are any file names that Should Not Be There(TM), and a few other minor things that can be caught by just looking at the name, extension and file size (IPS patches accidentally containing the entire game can be caught this way, for instance).
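The name/extension/size triage described in the reply above is exactly the kind of check that is cheap to automate as a first pass. The following is an added example, not the site's actual review tooling: it reads a submission archive's central directory (nothing is extracted or run) and flags executable or autorun-type members, patch files large enough to be a whole ROM, and member names that would escape the extraction directory. The extension lists, the 512 KiB patch threshold and the sample archive contents are assumptions made for the demo.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed triage policy (illustrative thresholds, not the site's real rules).
EXECUTABLE_EXTS = {".exe", ".pif", ".cmd", ".bat", ".com", ".scr", ".dll",
                   ".vbs", ".js", ".inf", ".lnk", ".msi"}
PATCH_EXTS = {".ips", ".bps", ".ups", ".xdelta"}
MAX_PATCH_BYTES = 512 * 1024  # a translation patch for an 8/16-bit game is far smaller


def triage_archive(zip_bytes):
    """Look at names and sizes only (nothing is extracted or run) and return a
    list of (member name, reason) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            path = PurePosixPath(name)
            ext = path.suffix.lower()
            if name.startswith("/") or ".." in path.parts:
                findings.append((name, "path would escape the extraction directory"))
            if ext in EXECUTABLE_EXTS:
                findings.append((name, f"executable or autorun content ({ext})"))
            if ext in PATCH_EXTS and info.file_size > MAX_PATCH_BYTES:
                findings.append((name, f"patch is {info.file_size} bytes; whole ROM inside?"))
    return findings


def build_zip(members):
    """Constructed in-memory archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """A made-up submission: a readme, a sane patch, an embedded patcher EXE,
    a 'patch' that is really a whole ROM, and a zip-slip style member name."""
    archive = build_zip({
        "readme.txt": b"DBZ3 Spanish translation",
        "dbz3_es.ips": b"PATCH" + b"\x00\x00\x10\x00\x04HOLA" + b"EOF",
        "patcher.exe": b"MZ" + b"\x00" * 64,
        "dbz3_es_full.ips": b"\x00" * (640 * 1024),
        "../autorun.inf": b"[autorun]\nopen=x.pif\n",
    })
    return triage_archive(archive)
```

A non-empty findings list means a human looks at the submission; an empty one is not a clean bill of health, since the check never inspects file contents, which is the gap the thread's Sality sample fell through.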

henke37

Re: I found a Virus!!!
« Reply #12 on: January 12, 2016, 05:57:24 pm »
No automation? Not even as an aid for manual processing?

assassin

Re: I found a Virus!!!
« Reply #13 on: February 18, 2016, 08:56:41 pm »
As of January 18, the translation's been updated with a .BPS file.

I was encouraged when I saw the author had logged in shortly after this topic was active, but then I gave up checking after a week or so, until now.