#1
trojan virus in dsetup.dll
I reinstalled Project 1999 yesterday and found Avast is now hitting on the version 36 dsetup.dll as a trojan. The size of the file is about 2.5mb dated this year instead of 59k dated 2005. I uploaded the 2.5mb version to virustotal and it came up with half a dozen other antivirus products that also think it's malware. I would like to respectfully suggest the possibility your website has been compromised by a third party to inject malware into your download, or that your download was compromised before you posted it.
#3
There are many cases when AV will fire on a file just because it doesn't know about it, or it hasn't been "signed". I'm thinking this is the case here, and because the official signed version is either 1.) very old, or 2.) signed on a different date by SOE. I've had 0 issues on any of the 3 machines I have this installed on in my home, and others here in the community as well.
Also, at least IMO, if you're running Avast because you want decent free AV, I would use Security Essentials from M$. It's the same or almost recognizably similar to their Enterprise product which is fair in terms of AV, and fair is about as good as it gets anymore.
__________________
Squiggy Mcoldypants -- Ikky Necro -- OG Necro Mith Marr \\ Barallis Shadowcaller \\
Slarti Bartfast -- High Elf Enchanter Knights Who Say Ni!!!
#4
I would agree, but....
When I originally installed Project 1999 the dsetup.dll was 59k, now in the latest distribution it is a different size, much larger. Lucky for me I kept a copy of the original install. The original file doesn't give a trojan hit on virustotal but the larger file does. We are also talking about 8 or so different softwares that are saying the bigger file is a trojan, not just McAfee. Virustotal is rarely wrong because of consensus. Virustotal doesn't think the 59k file is a trojan but does think the 2.5mb file is.
The game starts just fine with the smaller .dll, so I copied that to my Everquest directory and am playing it using that one just fine. I still posit that it is possible the current version being distributed has been compromised because of the file size difference and the fact that one hash hits as compromised at virustotal when the other doesn't. For the record this is a paid version of Avast Internet Security and it was Malwarebytes that hit on the file originally.
Last edited by trailmix; 12-12-2014 at 11:25 AM..
#5
Could be the case, but I mean how many hits are we talking on this site? I'm doubting that though I'm digging P99, we are generating 10k hits a day. Even that number is very small on the interwebs. With Heartbleed, and so many other vulnerabilities in the wild why target a site this size?
__________________
Squiggy Mcoldypants -- Ikky Necro -- OG Necro Mith Marr \\ Barallis Shadowcaller \\
Slarti Bartfast -- High Elf Enchanter Knights Who Say Ni!!!
#6
??
You are asking a speculative question whereas I am providing the facts I know. Yes, I am aware of false positives and submitted the file for review to Avast as a possible false positive.
edit: the results of the scan by Virustotal, decide for yourself. It does appear Themida has had problems in the past with false positives. That said, hackers also use it to protect malware, so..../shrug

Detections:
AVware Trojan.Win32.Generic!BT 20141212
Avast Win32:Malware-gen 20141212
Baidu-International Hacktool.Win32.Themida.bgen 20141212
ESET-NOD32 a variant of Win32/Packed.Themida 20141212
K7AntiVirus Trojan ( 0002749e1 ) 20141212
K7GW Trojan ( 0002749e1 ) 20141212
Sophos Generic PUA HM 20141212
Symantec Trojan.Gen.SMH.2 20141212
VIPRE Trojan.Win32.Generic!BT 20141212

No detection (20141212 unless noted):
ALYac, AVG, Ad-Aware, AegisLab, Agnitum, AhnLab-V3, Antiy-AVL, Avira, BitDefender, Bkav, ByteHero, CAT-QuickHeal, CMC, ClamAV, Comodo, Cyren, DrWeb, Emsisoft, F-Prot, F-Secure, Fortinet, GData, Ikarus, Jiangmin (20141211), Kaspersky, Kingsoft, Malwarebytes, McAfee, McAfee-GW-Edition (20141211), MicroWorld-eScan, Microsoft, NANO-Antivirus, Norman, Panda, Qihoo-360, Rising, SUPERAntiSpyware, Tencent, TheHacker (20141208), TotalDefense, TrendMicro, TrendMicro-HouseCall, VBA32, ViRobot, Zillya, Zoner (20141210), nProtect
Last edited by trailmix; 12-12-2014 at 11:33 AM..
#7
P99 confirmed bad for your computer. K.
#8
Themida-protected applications cannot be scanned without being unpacked in memory, thus AVs flag them as a precaution because they cannot determine the contents of the application.
Of course if you submit this file to an AV vendor they'll say it is malicious - this is because dsetup.dll is used as the injection method to apply classic tweaks to the EverQuest Titanium client as well as provide a deterrent to cheaters using programs like MacroQuest. It's packed with Themida so people can't just bypass it by hex editing or hooking it. It's also virtualized, which means even after it unpacks itself in memory, it cannot be read unless you unvirtualize the code. Which, again, AV vendors are unable to do on the fly. It requires manual disassembly, but even then, AV vendors will say because of the methods used to inject code into the application that it's a 'trojan' - because they cannot determine what the application actually does without going through each case manually. Normally dsetup.dll is a generic name of an application and because of the 'odd' place, they'll automatically review it as malicious because it has the name of a popular Microsoft product. The application is not malicious. There are plenty of people that have manually unpacked the application that have the knowledge to do so. It's safe.
__________________
Engineer of Things and Stuff, Wearer of Many Hats
“Knowing yourself is the beginning of all wisdom.” — Aristotle
Last edited by Secrets; 12-12-2014 at 11:46 AM..
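The post above explains why a Themida-packed DLL trips generic "Packed"/"Malware-gen" verdicts: a static scanner sees compressed and encrypted code it cannot read. The entropy check below is an added illustration of that heuristic, not code from the Project 1999 team or from the post; the two inputs are constructed samples standing in for a plain and a packed binary, and the 7.2 bits/byte cut-off and 1024-byte window are assumed values.

```python
import math
import random
from collections import Counter

# Assumed cut-off: ordinary x86 code and data usually sit well below 7 bits/byte,
# while compressed or encrypted (packed) sections approach the 8.0 maximum.
PACKED_THRESHOLD = 7.2
WINDOW, STEP = 1024, 512  # assumed sliding-window size and stride


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _window_offsets(length: int) -> range:
    return range(0, max(length - WINDOW, 0) + 1, STEP)


def high_entropy_windows(data: bytes, threshold: float = PACKED_THRESHOLD) -> list:
    """Offsets of WINDOW-sized slices whose entropy exceeds the threshold.

    A packer leaves most of the file as one contiguous high-entropy blob, so a
    packed binary lights up nearly every window; plain code yields none, or a
    few for embedded compressed resources (icons, zipped data).
    """
    return [off for off in _window_offsets(len(data))
            if shannon_entropy(data[off:off + WINDOW]) > threshold]


def packed_verdict(data: bytes, threshold: float = PACKED_THRESHOLD) -> dict:
    """Whole-file entropy plus the share of hot windows, as a static scanner sees it."""
    total = shannon_entropy(data)
    hot = len(high_entropy_windows(data, threshold))
    windows = len(_window_offsets(len(data)))
    return {
        "entropy": round(total, 3),
        "hot_windows": hot,
        "windows": windows,
        # Most of the file is unreadable to a static scanner: the packed heuristic fires.
        "looks_packed": total > threshold and hot * 2 > windows,
    }


# Constructed samples (not the real dsetup.dll): repetitive assembly-like text stands in
# for plain code; seeded pseudo-random bytes stand in for a Themida-style packed section.
PLAIN_SAMPLE = b"push ebp; mov ebp, esp; sub esp, 0x20; call GetProcAddress; ret\n" * 64
_rng = random.Random(1999)  # seeded so the sample is reproducible
PACKED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))
```

A real AV engine layers signatures and emulation on top of this, but the entropy signal alone already separates the two samples, which is why "Packed.Themida" style verdicts appear without any knowledge of what the code does.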
#9
Makes sense. As long as you guys are aware and don't find an issue I'll whitelist it. I would like to respectfully suggest a mention of this matter be added to the installation instructions for security wonks who panic on false positives. If it's already there and I missed it, then apologies. Odd that Avast didn't hit on this any time in the 6 months I've had P99 installed though, only after I reinstalled yesterday with the v36 files. The v36 file is different from v33, which was what was installed prior.
Last edited by trailmix; 12-12-2014 at 12:05 PM..