I found a Virus!!!

Started by freenit, January 06, 2016, 01:06:25 AM


freenit

Hi, I found a virus in the file for Dragon Ball Z III - Killer Androids - SPANISH translation v1.0A by TransGen.
My PC was infected by the USB virus autorun.inf.
Please remove the file !

Gideon Zhi

MSE reports this as Win32/Sality.AT. TransGen appears to be using a self-contained IPS-patching executable for most of its NES games though, and MSE didn't trigger on any of the six or so other patches of theirs that I downloaded which use a similar patching solution. I'd be very curious as to whether or not this is actually a false positive. Anyone have a sandbox VM they want to toss this into?

On that topic, autorun.inf is not a virus. It's something that manufacturers will put in the root directory of removable media (USB drives, CDs, DVDs, and the like) to cause something to start immediately once the media is detected. It could be used to launch a virus in the same way a boom box could be used to record a CD to a cassette tape back in the day, but most implementations of it were for automatically-launching software installers (anything from printer drivers to Windows itself) and splash screens for games. It is however inherently insecure and it's recommended that autorun be turned off. You can see how to do that here.

Edit:
Quoth the technical information on Microsoft's security portal:
Sality.AT tries to copy one of following files to the Windows temporary files folder (for example, %TEMP%) and infects the copied file:

%SystemRoot%\system32\NOTEPAD.EXE
%SystemRoot%\system32\WINMINE.EXE

The virus copies the infected file to the root of all remote and removable drives as one of the following:

\<random>.pif
\<random>.exe
\<random>.cmd

The virus then writes an Autorun configuration file named autorun.inf pointing to the virus copy. When the drive is accessed from a PC supporting the Autorun feature, the virus is launched automatically.

Given the OP's mention of autorun.inf, chances are better than usual that we're dealing with potentially a legit threat here (though reminder, Autorun can and probably should be disabled via group policy editor.) Again, does anyone have a sandbox VM they can test with?

Edit 2:
I tossed the file into VirusTotal per request from one of our admins. Here's the result:
https://www.virustotal.com/en/file/70fc6167b7d57139abc8c2f97896511a8c083f539f61ea7d83d379e8e5c58078/analysis/

I'd say that's pretty definitive. I've submitted a change request to the translation's entry in the database and ticked the nofile box. This will preserve a record of the translation, but should clear the file away.

Edit 3:
The file's been removed. Thanks for reporting this!


SunGodPortal

Is there a way to tell how the virus got there?
Cigarettes, ice-cream, figurines of the Virgin Mary...

Gideon Zhi

It's likely been there since the file was uploaded in 2012, but since the non-English sections of the site are some of the least well traveled, I could easily see it going unnoticed. saito didn't upload anything else within a year or two of that timeframe so I'm guessing it was a fluke. His system was probably infected at the time and the DBZ patch in question was a casualty.

Lilinda

...WELL I GUESS WE WEREN'T 100% SAFE AFTER ALL

Thanks, freenit.
Retired moderator/staff member as of July 14th 2016

Reiska

Out of curiosity, is it possible to extract the IPS data from the infected patcher safely, so that the translation itself is not lost?

Lilinda

With some clever tool use/programming to make a tool and a VM hosting a Linux variant? Sure, you could do that.
Retired moderator/staff member as of July 14th 2016

Bread


meunierd

Assuming the patcher itself actually works, you could run it in a sandbox and generate a new ips patch from the end-result.

joe73ffdq

I have been wanting to reply to this for a while.

In 2009/2010 mainly, I essentially downloaded everything from both here and Zophar's Domain. I wanted a complete collection of everything from 1985 to 1995 mainly.

Several hundred downloads, and never a problem, from either site.

Once I got used to how things worked here at rhdn, I was able to surmise that the administration scans every file, before posting anything for everything else. I have uploaded 3 things here, and they all took 15-30 hours before they posted, so I know they are checked.

Lilinda

We don't scan each and every file. We get too many submissions for that. Usually what's done is we take a look at what's in the archive, see if there are any file names that Should Not Be There(TM), and a few other minor things that can be caught by just looking at the name, extension and file size (IPS patches accidentally containing the entire game can be caught this way, for instance).
Retired moderator/staff member as of July 14th 2016
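Two of the earlier replies describe work that the IPS format makes straightforward: meunierd's suggestion of regenerating a patch by diffing a clean ROM against the patcher's output, and Lilinda's size-based triage for a patch that accidentally contains the entire game. The block below is an added example serving both, not romhacking.net's or TransGen's code; the "ROM" it operates on is a constructed byte string, and the 90% coverage threshold is my own choice:

```python
"""IPS tooling: regenerate a patch from a clean ROM plus patched output, and
screen a submitted patch whose records rewrite (nearly) the whole ROM.
Added example; the sample 'ROMs' below are constructed, not game data."""
import random
import struct

IPS_MAGIC = b"PATCH"
IPS_EOF = b"EOF"
MAX_RECORD = 0xFFFF        # record length field is 16 bits
MAX_OFFSET = 0xFFFFFF      # offset field is 24 bits
EOF_OFFSET = 0x454F46      # the bytes b"EOF" read as a 24-bit offset

def make_ips(original, patched):
    """Encode the differences between two files as plain IPS records.

    IPS carries overwrites and appends only, so a result shorter than the
    original cannot be expressed (the truncation extension is not used)."""
    if len(patched) < len(original):
        raise ValueError("IPS cannot express truncation")
    if len(patched) > MAX_OFFSET + 1:
        raise ValueError("file exceeds the 16 MiB an IPS offset can address")

    def differs(i):
        return i >= len(original) or patched[i] != original[i]

    out = [IPS_MAGIC]
    i, n = 0, len(patched)
    while i < n:
        if not differs(i):
            i += 1
            continue
        start = i
        # Cap one below MAX_RECORD so the EOF-offset workaround still fits.
        while i < n and i - start < MAX_RECORD - 1 and differs(i):
            i += 1
        # A record starting at 0x454F46 would be read as the EOF marker, so
        # start it one byte earlier and carry one unchanged byte.
        if start == EOF_OFFSET:
            start -= 1
        chunk = patched[start:i]
        out.append(start.to_bytes(3, "big") + struct.pack(">H", len(chunk)) + chunk)
    out.append(IPS_EOF)
    return b"".join(out)

def ips_records(patch):
    """Parse the record table into [(offset, data)], expanding RLE records."""
    if not patch.startswith(IPS_MAGIC):
        raise ValueError("not an IPS file")
    pos, records = len(IPS_MAGIC), []
    while True:
        if patch[pos:pos + 3] == IPS_EOF:
            return records
        if pos + 5 > len(patch):
            raise ValueError("truncated IPS record header")
        offset = int.from_bytes(patch[pos:pos + 3], "big")
        size = struct.unpack(">H", patch[pos + 3:pos + 5])[0]
        pos += 5
        if size == 0:  # RLE record: 2-byte run length, 1-byte fill value
            run = struct.unpack(">H", patch[pos:pos + 2])[0]
            records.append((offset, patch[pos + 2:pos + 3] * run))
            pos += 3
        else:
            records.append((offset, patch[pos:pos + size]))
            pos += size

def apply_ips(original, patch):
    """Apply a patch, growing the file when a record runs past its end."""
    out = bytearray(original)
    for offset, data in ips_records(patch):
        end = offset + len(data)
        if end > len(out):
            out.extend(b"\x00" * (end - len(out)))
        out[offset:end] = data
    return bytes(out)

def screen_ips(patch, rom_size, threshold=0.9):
    """Size triage: a patch whose records cover nearly the whole ROM is far
    more likely to be the game embedded in a patch than a translation."""
    records = ips_records(patch)
    end = max([rom_size] + [off + len(d) for off, d in records])
    mask = bytearray(end)
    for off, d in records:
        mask[off:off + len(d)] = b"\x01" * len(d)   # overlaps counted once
    covered = sum(mask)
    ratio = covered / rom_size if rom_size else 0.0
    return {"records": len(records), "bytes_covered": covered,
            "coverage": ratio, "whole_game_suspected": ratio >= threshold}

# Constructed 4 KiB 'ROM' (deterministic pseudo-random bytes) and a
# 'translated' output with two text edits and an appended bank.
_rng = random.Random(1234)
CLEAN_ROM = bytes(_rng.randrange(256) for _ in range(4096))
_p = bytearray(CLEAN_ROM)
_p[0x100:0x108] = b"HOLA MUN"
_p[0x800:0x803] = b"ADI"
_p += b"\xEA" * 512
PATCHED_ROM = bytes(_p)

if __name__ == "__main__":
    good = make_ips(CLEAN_ROM, PATCHED_ROM)
    print("round-trip ok:", apply_ips(CLEAN_ROM, good) == PATCHED_ROM)
    print("translation patch:", screen_ips(good, len(CLEAN_ROM)))
    print("whole-game patch:", screen_ips(make_ips(b"", CLEAN_ROM), len(CLEAN_ROM)))
```

Regenerating the patch this way only needs the patcher's output and a clean dump, so the suspect executable never has to be shipped again; the coverage figure is what a submission check would look at, since a translation touches a small fraction of the ROM while an embedded game covers all of it.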

henke37

No automation? Not even as an aid for manual processing?

assassin

As of January 18, the translation's been updated with a .BPS file.

I was encouraged when I saw the author had logged in shortly after this topic was active, but then gave up checking after a week or so, until now.