Gammon Software Solutions forum

Install is infected with Trojan.P2P.Dropper

Posted by Blueapples  (2 posts)
Date Thu 12 May 2011 08:59 PM (UTC)
Message
I scanned the most recent installer (mushclient472.exe) with Malwarebytes and received a notice that the file is infected with Trojan.P2P.Dropper.

I'd like to give this a try but it seems that the installer isn't safe to run...

Posted by Mleo2003  (25 posts)
Date Reply #1 on Thu 12 May 2011 09:07 PM (UTC)
Message
You can use 7zip to unzip the installer, and then scan the files themselves if you're that afraid, but I can assure you, it's a false positive on Malwarebytes' side. I run 4.72 on several PCs, with different antivirus products (and Malwarebytes), and haven't had any issues.

You're also the 2nd person I've seen to post something about this on the forum, so it isn't just your file/computer, but might not be a bad idea to double check it.

Posted by Twisol  USA  (2,230 posts)
Date Reply #2 on Thu 12 May 2011 09:52 PM (UTC)
Message
Original thread:
Please see the forum thread: http://gammon.com.au/forum/?id=11071.

I scanned the installer with 20 different virus scanners (via the Jotti service linked in the original thread), and none of them found anything. Of course, none of them were Malwarebytes, but there were some well-known services such as AVG.

'Soludra' on Achaea

Blog: http://jonathan.com/
GitHub: http://github.com/Twisol

Posted by Blueapples  (2 posts)
Date Reply #3 on Thu 12 May 2011 10:17 PM (UTC)
Message
Well this is frustrating... I downloaded the latest ZIP and scanned that (I have 4 scanners on my machine including Malwarebytes, Kaspersky, Panda, and ClamWin) and none of them returned anything.

VirusTotal (http://www.virustotal.com/file-scan/report.html?id=7dad5903b5f8e962f19afb0f7e890eeac4371923fb28b2ce6c871724d164feda-1305234648) was *almost* clean except for a WS.Reputation.1 "detection" by Symantec which seems to indicate that their cloud users decided the app or file was a threat. Seems silly to me.

I guess I'll go ahead and trust you guys then. ;-) Excited to try this app out, it looks awesome.

Posted by Twisol  USA  (2,230 posts)
Date Reply #4 on Thu 12 May 2011 10:23 PM (UTC)
Message
Let us know if you need anything! Enjoy MUSHclient :)

'Soludra' on Achaea

Blog: http://jonathan.com/
GitHub: http://github.com/Twisol

Posted by Nick Gammon  Australia  (19,342 posts)  Forum Administrator
Date Reply #5 on Thu 12 May 2011 11:43 PM (UTC)

Amended on Thu 12 May 2011 11:44 PM (UTC) by Nick Gammon

Message
Can someone who is using Malwarebytes please try to scan the very latest (version 4.73 as of today) version of MUSHclient?

http://www.gammon.com.au/forum/?id=11087

I am mildly concerned about these virus reports. My own anti-virus program is not reporting problems, but it also doesn't know of Trojan.P2P.Dropper. I suppose that makes sense, if it knew about it, it would report it.

However I am quite careful with the development machine I use to develop MUSHclient on. No peer-to-peer networks, no game playing (other than MUSHclient, heh), and I don't collect emails on it (I use my Mac for that).

It could be worth checking the MD5 sum of the downloaded file and see if it agrees with what is on the download page. There are md5sum programs on various web sites, just choose one at random.

Since the installer is a compressed file, it is possible that the compressed data just randomly matches a virus signature. In which case the "trojan" would only show up on that particular version.

A reasonable approach (as suggested by Mleo2003) would be to unzip the (installer) file yourself and then check the contents with your scanner.

I have been trying to find documentation for the signature for this trojan without luck so far. I could at least then check to see if the file has this signature or not. And quite possibly simply re-making the installer would make it go away.

In any case if version 4.73 does not have the trojan signature I would use that, as it fixes a number of bugs, and would also confirm that this site is to be trusted.

It also seems mildly odd to me that the 20 other virus scanners don't report any problems.

- Nick Gammon

www.gammon.com.au, www.mushclient.com

Posted by Nick Gammon  Australia  (19,342 posts)  Forum Administrator
Date Reply #6 on Thu 12 May 2011 11:50 PM (UTC)
Message
Blueapples said:

Well this is frustrating... I downloaded the latest ZIP and scanned that (I have 4 scanners on my machine including Malwarebytes, Kaspersky, Panda, and ClamWin) and none of them returned anything.


That .zip was for version 4.61, a somewhat older version.

I'll make a .zip for 4.73. It takes a bit longer to make the .zip because it is a bit of a manual process. I run the installer myself, fiddle with a couple of files to tweak "first time" flags, and then zip it up.

- Nick Gammon

www.gammon.com.au, www.mushclient.com

Posted by Nick Gammon  Australia  (19,342 posts)  Forum Administrator
Date Reply #7 on Thu 12 May 2011 11:52 PM (UTC)
Message
Blueapples said:

VirusTotal (http://www.virustotal.com/file-scan/report.html?id=7dad5903b5f8e962f19afb0f7e890eeac4371923fb28b2ce6c871724d164feda-1305234648) was *almost* clean except for a WS.Reputation.1 "detection" by Symantec which seems to indicate that their cloud users decided the app or file was a threat. Seems silly to me.


I think I know what is happening here. Most people would download the .exe (installer) rather than the .zip (especially as the .zip is somewhat older). So it probably has a low reputation because not many people use it. They explain that the WS.Reputation.1 doesn't really mean anything is wrong with the file, only that not many people have rated it.

- Nick Gammon

www.gammon.com.au, www.mushclient.com

Posted by Mleo2003  (25 posts)
Date Reply #8 on Thu 12 May 2011 11:55 PM (UTC)
Message
Sorry to say, Malwarebytes reports the latest (4.73) installer the same. I found a link describing what it means, but had to look at it through Google Cache: http://webcache.googleusercontent.com/search?q=cache:YkBGyWHqHNwJ:www.malwarebytes.org/malwarenet.php%3Fname%3DTrojan.P2P.Dropper+malwarebytes+Trojan.P2P.Dropper&cd=1&hl=en&ct=clnk&gl=us&source=www.google.com

It doesn't say anything specific. I imagine an email or two to the people at Malwarebytes.org would have this resolved.

Posted by Nick Gammon  Australia  (19,342 posts)  Forum Administrator
Date Reply #9 on Thu 12 May 2011 11:57 PM (UTC)

Amended on Fri 13 May 2011 12:45 AM (UTC) by Nick Gammon

Message
This report here:

http://www.virustotal.com/file-scan/report.html?id=1b5d6764b3cb960045f66efe51ff2069eb5081928921cba075ca3b5d1baa7923-1305229802

... reports no problems at all with mushclient472.exe (and the MD5 sum matches what is posted on the downloads page).

That includes the output of 42 virus scanners, as at yesterday's date (12th May) - which is probably today if you are in the USA.

Also for version 4.73:

http://www.virustotal.com/file-scan/report.html?id=13d267257b8a048f036dfd4ec7d9777148b7562356b25008b763130059c4a485-1305243605

No problems reported.

- Nick Gammon

www.gammon.com.au, www.mushclient.com
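
The two checks discussed in replies #5 and #9 (compare the installer's MD5 with the value on the download page, and confirm that a scan report is for the same bytes you downloaded), as an added example that is not part of the original posts or of MUSHclient. It assumes the report URLs quoted in this thread have the layout id=<SHA-256 of the file>-<Unix time of the scan>; the function names are made up for this example.

```python
import hashlib
import hmac
import re
from datetime import datetime, timezone
from urllib.parse import urlparse, parse_qs

def file_digests(path, chunk_size=1 << 20):
    """Stream the file once and return its MD5 and SHA-256 as lowercase hex."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def parse_report_id(url):
    """Split id=<64 hex chars>-<unix time> from a report URL (assumed layout)."""
    ident = parse_qs(urlparse(url).query).get("id", [""])[0]
    m = re.fullmatch(r"([0-9a-fA-F]{64})-(\d+)", ident)
    if not m:
        raise ValueError("unexpected report id: %r" % ident)
    scanned = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
    return m.group(1).lower(), scanned

def same_hex(a, b):
    """Compare two hex digests, ignoring case and surrounding whitespace."""
    return hmac.compare_digest(a.strip().lower().encode(),
                               b.strip().lower().encode())

def check_download(path, published_md5, report_url=None):
    """Return which checks passed for the file at `path`."""
    digests = file_digests(path)
    result = {"md5_matches_download_page":
              same_hex(digests["md5"], published_md5)}
    if report_url:
        report_sha256, scanned = parse_report_id(report_url)
        # True only if the scan report covers these exact bytes.
        result["report_is_for_this_file"] = same_hex(digests["sha256"],
                                                     report_sha256)
        result["report_scanned_utc"] = scanned.isoformat()
    return result

if __name__ == "__main__":
    import sys
    # usage: check.py <installer> <MD5 from download page> [report URL]
    print(check_download(*sys.argv[1:4]))
```

A matching MD5 shows the file is the one the download page describes, and a matching SHA-256 shows the multi-scanner report is about that same file; neither says by itself whether a single scanner's detection is correct.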

Posted by Nick Gammon  Australia  (19,342 posts)  Forum Administrator
Date Reply #10 on Fri 13 May 2011 02:36 AM (UTC)
Message
I have lodged a support request at Malwarebytes. I have got a response that my ticket is under investigation.

- Nick Gammon

www.gammon.com.au, www.mushclient.com

Posted by Nick Gammon  Australia  (19,342 posts)  Forum Administrator
Date Reply #11 on Fri 13 May 2011 07:07 AM (UTC)
Message
I got a message from Malwarebytes as follows:

Quote:

Hi Nick,

If your users update their databases, this should no longer be detected. Thanks for your patience.



So you may want to re-scan to check this, and assure yourselves that I am not distributing malware.

- Nick Gammon

www.gammon.com.au, www.mushclient.com

Posted by Mleo2003  (25 posts)
Date Reply #12 on Fri 13 May 2011 03:06 PM (UTC)
Message
This isn't the first time I've seen Malwarebytes flag a file as bad when I knew it was good, so I knew it wasn't you.

Rescanned the latest with updates, all is well.

Posted by Crowe  (21 posts)
Date Reply #13 on Sat 14 May 2011 03:43 PM (UTC)
Message
I got this from my scan just now.


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6577

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

5/14/2011 10:40:57 AM
mbam-log-2011-05-14 (10-40-57).txt

Scan type: Full scan (E:\|)
Objects scanned: 170531
Time elapsed: 3 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)