Project 1999

#1
12-12-2014, 11:11 AM
trailmix
Scrawny Gnoll
Join Date: Nov 2014
Posts: 20

trojan virus in dsetup.dll

I reinstalled Project 1999 yesterday and found Avast is now hitting on the version 36 dsetup.dll as a trojan. The size of the file is about 2.5mb dated this year instead of 59k dated 2005. I uploaded the 2.5mb version to virustotal and it came up with half a dozen other antivirus programs that also think it's malware. I would like to respectfully suggest the possibility your website has been compromised by a third party to inject malware into your download, or that your download was compromised before you posted it.
#2
12-12-2014, 11:12 AM
falkun
Planar Protector
Join Date: Sep 2010
Location: Ruins of Old Sebilis
Posts: 2,464

http://www.project1999.com/forums/sh...d.php?t=164472

You're late to the party.
#3
12-12-2014, 11:15 AM
Poosammich
Aviak
Join Date: Nov 2014
Location: FL
Posts: 88

There are many cases when AV will fire on a file just because it doesn't know about it, or it hasn't been "signed". I'm thinking this is the case here, and because the official signed version is either 1.) very old, or 2.) signed on a different date by SOE. I've had 0 issues on any of the 3 machines I have this installed on in my home, and others here in the community as well.

Also, at least IMO, if you're running Avast because you want decent free AV, I would use Security Essentials from M$. It's the same or almost recognizably similar to their Enterprise product, which is fair in terms of AV, and fair is about as good as it gets anymore.
__________________
Squiggy Mcoldypants -- Ikky Necro -- OG Necro Mith Marr \\ Barallis Shadowcaller \\
Slarti Bartfast -- High Elf Enchanter

Knights Who Say Ni!!!
#4
12-12-2014, 11:20 AM
trailmix
Scrawny Gnoll
Join Date: Nov 2014
Posts: 20

I would agree, but....

When I originally installed Project 1999 the dsetup.dll was 59k, now in the latest distribution it is a different size, much larger. Lucky for me I kept a copy of the original install. The original file doesn't give a trojan hit on virustotal but the larger file does. We are also talking about 8 or so different programs that are saying the bigger file is a trojan, not just McAfee. Virustotal is rarely wrong because of consensus. Virustotal doesn't think the 59k file is a trojan but does think the 2.5mb file is.

The game starts just fine with the smaller .dll, so I copied that to my Everquest directory and am playing it using that one just fine. I still posit that it is possible the current version being distributed has been compromised because of the file size difference and the fact that one hash hits as compromised at virustotal when the other doesn't.

For the record this is a paid version of Avast Internet Security and it was Malwarebytes that hit on the file originally.
Last edited by trailmix; 12-12-2014 at 11:25 AM..
#5
12-12-2014, 11:24 AM
Poosammich
Aviak
Join Date: Nov 2014
Location: FL
Posts: 88

Could be the case, but I mean how many hits are we talking on this site? I'm doubting that, though I'm digging P99, we are generating 10k hits a day. Even that number is very small on the interwebs. With Heartbleed, and so many other vulnerabilities in the wild, why target a site this size?
__________________
Squiggy Mcoldypants -- Ikky Necro -- OG Necro Mith Marr \\ Barallis Shadowcaller \\
Slarti Bartfast -- High Elf Enchanter

Knights Who Say Ni!!!
#6
12-12-2014, 11:27 AM
trailmix
Scrawny Gnoll
Join Date: Nov 2014
Posts: 20

??

You are asking a speculative question whereas I am providing the facts I know. Yes, I am aware of false positives and submitted the file for review to Avast as a possible false positive.

edit: the results of the scan by Virustotal, decide for yourself. It does appear Themida has had problems in the past with false positives. That said, hackers also use it to protect malware, so..../shrug

Engine / Detection (blank = no detection) / Signature date
AVware Trojan.Win32.Generic!BT 20141212
Avast Win32:Malware-gen 20141212
Baidu-International Hacktool.Win32.Themida.bgen 20141212
ESET-NOD32 a variant of Win32/Packed.Themida 20141212
K7AntiVirus Trojan ( 0002749e1 ) 20141212
K7GW Trojan ( 0002749e1 ) 20141212
Sophos Generic PUA HM 20141212
Symantec Trojan.Gen.SMH.2 20141212
VIPRE Trojan.Win32.Generic!BT 20141212
ALYac 20141212
AVG 20141212
Ad-Aware 20141212
AegisLab 20141212
Agnitum 20141212
AhnLab-V3 20141212
Antiy-AVL 20141212
Avira 20141212
BitDefender 20141212
Bkav 20141212
ByteHero 20141212
CAT-QuickHeal 20141212
CMC 20141212
ClamAV 20141212
Comodo 20141212
Cyren 20141212
DrWeb 20141212
Emsisoft 20141212
F-Prot 20141212
F-Secure 20141212
Fortinet 20141212
GData 20141212
Ikarus 20141212
Jiangmin 20141211
Kaspersky 20141212
Kingsoft 20141212
Malwarebytes 20141212
McAfee 20141212
McAfee-GW-Edition 20141211
MicroWorld-eScan 20141212
Microsoft 20141212
NANO-Antivirus 20141212
Norman 20141212
Panda 20141212
Qihoo-360 20141212
Rising 20141212
SUPERAntiSpyware 20141212
Tencent 20141212
TheHacker 20141208
TotalDefense 20141212
TrendMicro 20141212
TrendMicro-HouseCall 20141212
VBA32 20141212
ViRobot 20141212
Zillya 20141212
Zoner 20141210
nProtect 20141212
Last edited by trailmix; 12-12-2014 at 11:33 AM..
#7
12-12-2014, 11:35 AM
Glenzig
Planar Protector
Join Date: Mar 2014
Posts: 1,556

P99 confirmed bad for your computer. K.
#8
12-12-2014, 11:37 AM
Secrets
VIP / Contributor
Join Date: Oct 2009
Posts: 1,354

Themida-protected applications cannot be scanned without being unpacked in memory, thus AVs flag them as a precaution because they cannot determine the contents of the application.

Of course if you submit this file to an AV vendor they'll say it is malicious - this is because dsetup.dll is used as the injection method to apply classic tweaks to the EverQuest Titanium client as well as provide a deterrent to cheaters using programs like MacroQuest. It's packed with Themida so people can't just bypass it by hex editing or hooking it. It's also virtualized, which means even after it unpacks itself in memory, it cannot be read unless you unvirtualize the code. Which, again, AV vendors are unable to do on the fly. It requires manual disassembly, but even then,

AV vendors will say because of the methods used to inject code into the application that it's a 'trojan' - because they cannot determine what the application actually does without going through each case manually. Normally dsetup.dll is a generic name of an application and because of the 'odd' place, they'll automatically review it as malicious because it has the name of a popular Microsoft product.

The application is not malicious. There are plenty of people that have manually unpacked the application that have the knowledge to do so. It's safe.
__________________
Engineer of Things and Stuff, Wearer of Many Hats

“Knowing yourself is the beginning of all wisdom.” — Aristotle
Last edited by Secrets; 12-12-2014 at 11:46 AM..
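Two points in this thread are checkable offline: trailmix's comparison of the 59k and 2.5mb builds of dsetup.dll (post #4, and the engine listing in post #6), and Secrets' explanation that engines report a packer they cannot see through rather than a known malware family. The script below is an added example, not code from the thread or from Project 1999. It assumes the scan listing is in the plain-text "Engine [label] YYYYMMDD" form pasted in post #6; the two byte blobs it compares are constructed stand-ins, not the real dsetup.dll files.

```python
"""Scan-listing triage and packed-file indicators.

Added example; not code from the forum thread or from Project 1999.
Assumptions (labelled): the scan listing is plain text, one engine per
line, formatted "Engine [detection label] YYYYMMDD" as pasted in the
thread; the sample bytes below are constructed, not real dsetup.dll data.
"""
import hashlib
import math
import random
import re
from collections import Counter

# One row per engine: engine name, optional detection label, 8-digit date.
ROW_RE = re.compile(r"^(?P<engine>\S+)\s+(?:(?P<label>.*?)\s+)?(?P<date>\d{8})$")

# Substrings that mark a verdict as packer/heuristic/generic rather than a
# named malware family. Themida appears in the thread's own listing.
GENERIC_HINTS = ("themida", "packed", "pua", "generic", "-gen", ".gen")

# Constructed excerpt in the thread's listing format: the nine detections
# from post #6 plus five engines from the same listing that reported nothing.
SCAN_EXCERPT = """\
AVware Trojan.Win32.Generic!BT 20141212
Avast Win32:Malware-gen 20141212
Baidu-International Hacktool.Win32.Themida.bgen 20141212
ESET-NOD32 a variant of Win32/Packed.Themida 20141212
K7AntiVirus Trojan ( 0002749e1 ) 20141212
K7GW Trojan ( 0002749e1 ) 20141212
Sophos Generic PUA HM 20141212
Symantec Trojan.Gen.SMH.2 20141212
VIPRE Trojan.Win32.Generic!BT 20141212
ClamAV 20141212
Kaspersky 20141212
Malwarebytes 20141212
McAfee 20141212
Microsoft 20141212
"""


def parse_listing(text):
    """Return (engine, label_or_None, date) for each parseable row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m["engine"], m["label"] or None, m["date"]))
    return rows


def summarize(text):
    """Split detections into generic/packer verdicts and everything else.

    A high share of generic/packer labels is the pattern Secrets describes:
    engines flag what they cannot unpack, not a specific malware family.
    """
    rows = parse_listing(text)
    hits = [(e, l) for e, l, _ in rows if l]
    generic = [e for e, l in hits if any(h in l.lower() for h in GENERIC_HINTS)]
    return {
        "engines": len(rows),
        "detections": len(hits),
        "generic_or_packer": len(generic),
        "other": len(hits) - len(generic),
    }


def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0. Packed or encrypted content sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compare_versions(old, new):
    """Size, SHA-256 and entropy for two builds carrying the same file name.

    This is the check behind the thread's 59k-vs-2.5mb observation: same
    name but different hashes means you are looking at different files.
    """
    def profile(data):
        return {
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "entropy": round(shannon_entropy(data), 2),
        }
    p_old, p_new = profile(old), profile(new)
    return {"old": p_old, "new": p_new, "same_file": p_old["sha256"] == p_new["sha256"]}


# Constructed stand-ins: a plain (low-entropy) blob and a packed-looking
# (high-entropy) blob from a seeded PRNG, so results are reproducible.
PLAIN_BLOB = b"MZ" + b"DirectX setup helper, plain text payload\x00" * 64
_rng = random.Random(2014)
PACKED_BLOB = bytes(_rng.randrange(256) for _ in range(4096))

if __name__ == "__main__":
    print(summarize(SCAN_EXCERPT))
    print(compare_versions(PLAIN_BLOB, PACKED_BLOB))
```

Run it as a script to see the two summaries. The detection count by itself does not settle the question either way; the label mix shows whether engines are naming a known family or only the packer, and the hash comparison shows whether two people arguing about "dsetup.dll" are even holding the same file. Compare a hash against a value the project itself publishes, not against a number from a forum post.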
#9
12-12-2014, 12:01 PM
trailmix
Scrawny Gnoll
Join Date: Nov 2014
Posts: 20

Makes sense. As long as you guys are aware and don't find an issue I'll whitelist it. I would like to respectfully suggest a mention of this matter be added to the installation instructions for security wonks who panic on false positives. If it's already there and I missed it, then apologies. Odd that Avast didn't hit on this any time in the 6 months I've had P99 installed though, only after I reinstalled yesterday with the v36 files. The v36 file is different than v33, which was what was installed prior.
Last edited by trailmix; 12-12-2014 at 12:05 PM..
#10
12-12-2014, 12:13 PM
haksum
Scrawny Gnoll
Join Date: May 2014
Posts: 26

Quote:
Originally Posted by trailmix
The game starts just fine with the smaller .dll, so I copied that to my Everquest directory and am playing it using that one just fine.

Interesting.