Install is infected with Trojan.P2P.Dropper
|
It is now over 60 days since the last post. This thread is closed.
Posted by
| Blueapples
(2 posts) Bio
|
Date
| Thu 12 May 2011 08:59 PM (UTC) |
Message
| I scanned the most recent installer (mushclient472.exe) with Malwarebytes and received a notice that the file is infected with Trojan.P2P.Dropper.
I'd like to give this a try but it seems that the installer isn't safe to run... | Top |
|
Posted by
| Mleo2003
(32 posts) Bio
|
Date
| Reply #1 on Thu 12 May 2011 09:07 PM (UTC) |
Message
| You can use 7zip to unzip the installer, and then scan the files themselves if you're that afraid, but I can assure you, it's a false positive on Malwarebytes' side. I run 4.72 on several PCs, with different antivirus products (and Malwarebytes), and haven't had any issues.
You're also the 2nd person I've seen to post something about this on the forum, so it isn't just your file/computer, but might not be a bad idea to double check it. | Top |
|
Posted by
| Twisol
USA (2,257 posts) Bio
|
Date
| Reply #2 on Thu 12 May 2011 09:52 PM (UTC) |
Message
| Original thread:
I scanned the installer with 20 different virus scanners (via the Jotti service linked in the original thread), and none of them found anything. Of course, none of them were Malwarebytes, but there were some well-known services such as AVG. |
'Soludra' on Achaea
Blog: http://jonathan.com/
GitHub: http://github.com/Twisol | Top |
|
Posted by
| Blueapples
(2 posts) Bio
|
Date
| Reply #3 on Thu 12 May 2011 10:17 PM (UTC) |
Message
| Well this is frustrating... I downloaded the latest ZIP and scanned that (I have 4 scanners on my machine including Malwarebytes, Kaspersky, Panda, and ClamWin) and none of them returned anything.
VirusTotal (http://www.virustotal.com/file-scan/report.html?id=7dad5903b5f8e962f19afb0f7e890eeac4371923fb28b2ce6c871724d164feda-1305234648) was *almost* clean except for a WS.Reputation.1 "detection" by Symantec which seems to indicate that their cloud users decided the app or file was a threat. Seems silly to me.
I guess I'll go ahead and trust you guys then. ;-) Excited to try this app out, it looks awesome. | Top |
|
Posted by
| Twisol
USA (2,257 posts) Bio
|
Date
| Reply #4 on Thu 12 May 2011 10:23 PM (UTC) |
Message
| Let us know if you need anything! Enjoy MUSHclient :) |
'Soludra' on Achaea
Blog: http://jonathan.com/
GitHub: http://github.com/Twisol | Top |
|
Posted by
| Nick Gammon
Australia (23,120 posts) Bio
Forum Administrator |
Date
| Reply #5 on Thu 12 May 2011 11:43 PM (UTC) Amended on Thu 12 May 2011 11:44 PM (UTC) by Nick Gammon
|
Message
| Can someone who is using Malwarebytes please try to scan the very latest (version 4.73 as of today) version of MUSHclient?
http://www.gammon.com.au/forum/?id=11087
I am mildly concerned about these virus reports. My own anti-virus program is not reporting problems, but it also doesn't know of Trojan.P2P.Dropper. I suppose that makes sense, if it knew about it, it would report it.
However I am quite careful with the development machine I use to develop MUSHclient on. No peer-to-peer networks, no game playing (other than MUSHclient, heh), and I don't collect emails on it (I use my Mac for that).
It could be worth checking the MD5 sum of the downloaded file and see if it agrees with what is on the download page. There are md5sum programs on various web sites, just choose one at random.
Since the installer is a compressed file, it is possible that the compressed data just randomly matches a virus signature. In which case the "trojan" would only show up on that particular version.
A reasonable approach (as suggested by Mleo2003) would be to unzip the (installer) file yourself and then check the contents with your scanner.
I have been trying to find documentation for the signature for this trojan without luck so far. I could at least then check to see if the file has this signature or not. And quite possibly simply re-making the installer would make it go away.
In any case if version 4.73 does not have the trojan signature I would use that, as it fixes a number of bugs, and would also confirm that this site is to be trusted.
It also seems mildly odd to me that the 20 other virus scanners don't report any problems. |
- Nick Gammon
www.gammon.com.au, www.mushclient.com | Top |
|
Posted by
| Nick Gammon
Australia (23,120 posts) Bio
Forum Administrator |
Date
| Reply #6 on Thu 12 May 2011 11:50 PM (UTC) |
Message
|
Blueapples said:
Well this is frustrating... I downloaded the latest ZIP and scanned that (I have 4 scanners on my machine including Malwarebytes, Kaspersky, Panda, and ClamWin) and none of them returned anything.
That .zip was for version 4.61, a somewhat older version.
I'll make a .zip for 4.73. It takes a bit longer to make the .zip because it is a bit of a manual process. I run the installer myself, fiddle with a couple of files to tweak "first time" flags, and then zip it up. |
- Nick Gammon
www.gammon.com.au, www.mushclient.com | Top |
|
Posted by
| Nick Gammon
Australia (23,120 posts) Bio
Forum Administrator |
Date
| Reply #7 on Thu 12 May 2011 11:52 PM (UTC) |
Message
|
Blueapples said:
VirusTotal (http://www.virustotal.com/file-scan/report.html?id=7dad5903b5f8e962f19afb0f7e890eeac4371923fb28b2ce6c871724d164feda-1305234648) was *almost* clean except for a WS.Reputation.1 "detection" by Symantec which seems to indicate that their cloud users decided the app or file was a threat. Seems silly to me.
I think I know what is happening here. Most people would download the .exe (installer) rather than the .zip (especially as the .zip is somewhat older). So it probably has a low reputation because not many people use it. They explain that the WS.Reputation.1 doesn't really mean anything is wrong with the file, only that not many people have rated it. |
- Nick Gammon
www.gammon.com.au, www.mushclient.com | Top |
|
Posted by
| Mleo2003
(32 posts) Bio
|
Date
| Reply #8 on Thu 12 May 2011 11:55 PM (UTC) |
Message
| Sorry to say, Malwarebytes reports the latest (4.73) installer the same. I found a link describing what it means, but had to look at it through Google Cache: http://webcache.googleusercontent.com/search?q=cache:YkBGyWHqHNwJ:www.malwarebytes.org/malwarenet.php%3Fname%3DTrojan.P2P.Dropper+malwarebytes+Trojan.P2P.Dropper&cd=1&hl=en&ct=clnk&gl=us&source=www.google.com
It doesn't say anything specific. I imagine an email or two to the people at Malwarebytes.org would have this resolved. | Top |
|
Posted by
| Nick Gammon
Australia (23,120 posts) Bio
Forum Administrator |
Date
| Reply #9 on Thu 12 May 2011 11:57 PM (UTC) Amended on Fri 13 May 2011 12:45 AM (UTC) by Nick Gammon
|
Message
| This report here:
http://www.virustotal.com/file-scan/report.html?id=1b5d6764b3cb960045f66efe51ff2069eb5081928921cba075ca3b5d1baa7923-1305229802
... reports no problems at all with mushclient472.exe (and the MD5 sum matches what is posted on the downloads page).
That includes the output of 42 virus scanners, as at yesterday's date (12th May) - which is probably today if you are in the USA.
Also for version 4.73:
http://www.virustotal.com/file-scan/report.html?id=13d267257b8a048f036dfd4ec7d9777148b7562356b25008b763130059c4a485-1305243605
No problems reported. |
- Nick Gammon
www.gammon.com.au, www.mushclient.com | Top |
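Added example, not part of any post in this thread: a Python sketch of the two checks discussed in the replies above, confirming that a downloaded installer matches the MD5 published on the download page and that a clean scan report was produced for the same bytes. It assumes the `id` in the report URLs quoted in the thread is the file's SHA-256 followed by a Unix scan timestamp; the function names are illustrative.

```python
import hashlib
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Assumed layout of the report id: 64 hex digits (SHA-256), "-", Unix time.
REPORT_ID = re.compile(r"^([0-9a-f]{64})-(\d{9,11})$")


def file_digests(path, chunk_size=1 << 20):
    """Read the file once in chunks; return its MD5 and SHA-256 as hex."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def parse_report_id(url):
    """Return (sha256_hex, scan_time_utc) from a report.html?id=... URL."""
    ids = parse_qs(urlparse(url).query).get("id", [])
    match = REPORT_ID.match(ids[0].lower()) if len(ids) == 1 else None
    if match is None:
        raise ValueError("URL carries no <sha256>-<timestamp> report id")
    scanned = datetime.fromtimestamp(int(match.group(2)), tz=timezone.utc)
    return match.group(1), scanned


def check_download(path, published_md5, report_url):
    """Compare a local file with the published MD5 and with a scan report."""
    local = file_digests(path)
    report_sha256, scanned = parse_report_id(report_url)
    return {
        # Same bytes as the author published on the download page?
        "md5_matches_download_page": local["md5"] == published_md5.strip().lower(),
        # A clean report only counts if it scanned this exact file.
        "report_is_for_this_file": local["sha256"] == report_sha256,
        "report_scanned_at": scanned,
    }


if __name__ == "__main__":
    # Report URL quoted in the thread for mushclient472.exe.
    url = ("http://www.virustotal.com/file-scan/report.html?id="
           "1b5d6764b3cb960045f66efe51ff2069eb5081928921cba075ca3b5d1baa7923-1305229802")
    print(parse_report_id(url))
```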
|
Posted by
| Nick Gammon
Australia (23,120 posts) Bio
Forum Administrator |
Date
| Reply #10 on Fri 13 May 2011 02:36 AM (UTC) |
Message
| I have lodged a support request at Malwarebytes. I have got a response that my ticket is under investigation. |
- Nick Gammon
www.gammon.com.au, www.mushclient.com | Top |
|
Posted by
| Nick Gammon
Australia (23,120 posts) Bio
Forum Administrator |
Date
| Reply #11 on Fri 13 May 2011 07:07 AM (UTC) |
Message
| I got a message from Malwarebytes as follows:
Quote:
Hi Nick,
If your users update their databases, this should no longer be detected. Thanks for your patience.
So you may want to re-scan to check this, and assure yourselves that I am not distributing malware. |
- Nick Gammon
www.gammon.com.au, www.mushclient.com | Top |
|
Posted by
| Mleo2003
(32 posts) Bio
|
Date
| Reply #12 on Fri 13 May 2011 03:06 PM (UTC) |
Message
| This isn't the first time I've seen Malwarebytes flag a file as bad when I knew it was good, so I knew it wasn't you.
Rescanned the latest with updates, all is well. | Top |
|
Posted by
| Crowe
(21 posts) Bio
|
Date
| Reply #13 on Sat 14 May 2011 03:43 PM (UTC) |
Message
| I got this from my scan just now.
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6577
Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421
5/14/2011 10:40:57 AM
mbam-log-2011-05-14 (10-40-57).txt
Scan type: Full scan (E:\|)
Objects scanned: 170531
Time elapsed: 3 minute(s), 27 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
| Top |
|
The dates and times for posts above are shown in Universal Co-ordinated Time (UTC).