Gammon Forum : MUSHclient : Bug reports : Install is infected with Trojan.P2P.Dropper

Log on

Gammon Forum

Entire forum

MUSHclient

Bug reports

Install is infected with Trojan.P2P.Dropper

Install is infected with Trojan.P2P.Dropper

It is now over 60 days since the last post. This thread is closed. Refresh page

Posted by

Blueapples (2 posts)

bio

Date

Thu 12 May 2011 08:59 PM (UTC)

Message

I scanned the most recent installer (mushclient472.exe) with Malwarebytes and received a notice that the file is infected with Trojan.P2P.Dropper.

I'd like to give this a try but it seems that the installer isn't safe to run...

top

Posted by

Mleo2003 (32 posts)

bio

Date

Reply #1 on Thu 12 May 2011 09:07 PM (UTC)

Message

You can use 7zip to unzip the installer, and then scan the files themselves if you're that afraid, but I can assure you, it's a false positive on Malwarebytes side. I run 4.72 on several PCs, with different antivirus products (and Malwarebytes), and haven't had any issues.

You're also the 2nd person I've seen to post something about this on the forum, so it isn't just your file/computer, but might not be a bad idea to double check it.

top

Posted by

Twisol USA (2,257 posts)

bio

Date

Reply #2 on Thu 12 May 2011 09:52 PM (UTC)

Message

Original thread:

Please see the forum thread: http://gammon.com.au/forum/?id=11071.

I scanned the installer with 20 different virus scanners (via the Jotti service linked in the original thread), and none of them found anything. Of course, none of them were Malwarebytes, but there were some well-known services such as AVG.

'Soludra' on Achaea

Blog: http://jonathan.com/
GitHub: http://github.com/Twisol

top

Posted by

Blueapples (2 posts)

bio

Date

Reply #3 on Thu 12 May 2011 10:17 PM (UTC)

Message

Well this is frustrating... I downloaded the latest ZIP and scanned that (I have 4 scanners on my machine including Malewarebytes, Kaspersky, Panda, and ClamWin) and none of them returned anything.

VirtusTotal (http://www.virustotal.com/file-scan/report.html?id=7dad5903b5f8e962f19afb0f7e890eeac4371923fb28b2ce6c871724d164feda-1305234648) was *almost* clean except for a WS.Reputation.1 "detection" by Symantec which seems to indicate that their cloud users decided the app or file was a threat. Seems silly to me.

I guess I'll go ahead and trust you guys then. ;-) Excited to try this app out, it looks awesome.

top

Posted by

Twisol USA (2,257 posts)

bio

Date

Reply #4 on Thu 12 May 2011 10:23 PM (UTC)

Message

Let us know if you need anything! Enjoy MUSHclient :)

'Soludra' on Achaea

Blog: http://jonathan.com/
GitHub: http://github.com/Twisol

top

Posted by

Nick Gammon Australia (22,975 posts)

bio Forum Administrator

Date

Reply #5 on Thu 12 May 2011 11:43 PM (UTC)

Amended on Thu 12 May 2011 11:44 PM (UTC) by Nick Gammon

Message

Can someone who is using Malewarebytes please try to scan the very latest (version 4.73 as of today) version of MUSHclient?

http://www.gammon.com.au/forum/?id=11087

I am mildly concerned about these virus reports. My own anti-virus program is not reporting problems, but it also doesn't know of Trojan.P2P.Dropper. I suppose that makes sense, if it knew about it, it would report it.

However I am quite careful with the development machine I use to develop MUSHclient on. No peer-to-peer networks, no game playing (other than MUSHclient, heh), and I don't collect emails on it (I use my Mac for that).

It could be worth checking the MD5 sum of the downloaded file and see if it agrees with what is on the download page. There are md5sum programs on various web sites, just choose one at random.

Since the installer is a compressed file, it is possible that the compressed data just randomly matches a virus signature. In which case the "trojan" would only show up on that particular version.

A reasonable approach (as suggested by Mleo2003) would be to unzip the (installer) file yourself and then check the contents with your scanner.

I have been trying to find documentation for the signature for this trojan without luck so far. I could at least then check to see if the file has this signature or not. And quite possibly simply re-making the installer would make it go away.

In any case if version 4.73 does not have the trojan signature I would use that, as it fixes a number of bugs, and would also confirm that this site is to be trusted.

It also seems mildly odd to me that the 20 other virus scanners don't report any problems.

- Nick Gammon

www.gammon.com.au, www.mushclient.com

top

Posted by

Nick Gammon Australia (22,975 posts)

bio Forum Administrator

Date

Reply #6 on Thu 12 May 2011 11:50 PM (UTC)

Message

Blueapples said:

Well this is frustrating... I downloaded the latest ZIP and scanned that (I have 4 scanners on my machine including Malewarebytes, Kaspersky, Panda, and ClamWin) and none of them returned anything.

That .zip was for version 4.61, a somewhat older version.

I'll make a .zip for 4.73. It takes a bit longer to make the .zip because it is a bit of a manual process. I run the installer myself, fiddle with a couple of files to tweak "first time" flags, and then zip it up.

- Nick Gammon

www.gammon.com.au, www.mushclient.com

top

Posted by

Nick Gammon Australia (22,975 posts)

bio Forum Administrator

Date

Reply #7 on Thu 12 May 2011 11:52 PM (UTC)

Message

Blueapples said:

VirtusTotal (http://www.virustotal.com/file-scan/report.html?id=7dad5903b5f8e962f19afb0f7e890eeac4371923fb28b2ce6c871724d164feda-1305234648) was *almost* clean except for a WS.Reputation.1 "detection" by Symantec which seems to indicate that their cloud users decided the app or file was a threat. Seems silly to me.

I think I know what is happening here. Most people would download the .exe (installer) rather than the .zip (especially as the .zip is somewhat older). So it probably has a low reputation because not many people use it. They explain that the WS.Reputation.1 doesn't really mean anything is wrong with the file, only that not many people have rated it.

- Nick Gammon

www.gammon.com.au, www.mushclient.com

top

Posted by

Mleo2003 (32 posts)

bio

Date

Reply #8 on Thu 12 May 2011 11:55 PM (UTC)

Message

Sorry to say, malwarebytes reports the latest (4.73) installer the same. I found a link describing what it means, but had to look at it through Google Cache: http://webcache.googleusercontent.com/search?q=cache:YkBGyWHqHNwJ:www.malwarebytes.org/malwarenet.php%3Fname%3DTrojan.P2P.Dropper+malwarebytes+Trojan.P2P.Dropper&cd=1&hl=en&ct=clnk&gl=us&source=www.google.com

It doesn't say anything specific. I imagine an email or two to the people at Malwarebytes.org would have this resolved.

top

Posted by

Nick Gammon Australia (22,975 posts)

bio Forum Administrator

Date

Reply #9 on Thu 12 May 2011 11:57 PM (UTC)

Amended on Fri 13 May 2011 12:45 AM (UTC) by Nick Gammon

Message

This report here:

http://www.virustotal.com/file-scan/report.html?id=1b5d6764b3cb960045f66efe51ff2069eb5081928921cba075ca3b5d1baa7923-1305229802

... reports no problems at all with mushclient472.exe (and the MD5 sum matches what is posted on the downloads page).

That includes the output of 42 virus scanners, as at yesterday's date (12th May) - which is probably today if you are in the USA.

Also for version 4.73:

http://www.virustotal.com/file-scan/report.html?id=13d267257b8a048f036dfd4ec7d9777148b7562356b25008b763130059c4a485-1305243605

No problems reported.

- Nick Gammon

www.gammon.com.au, www.mushclient.com

top

Posted by

Nick Gammon Australia (22,975 posts)

bio Forum Administrator

Date

Reply #10 on Fri 13 May 2011 02:36 AM (UTC)

Message

I have lodged a support request at Malwarebytes. I have got a response that my ticket is under investigation.

- Nick Gammon

www.gammon.com.au, www.mushclient.com

top

Posted by

Nick Gammon Australia (22,975 posts)

bio Forum Administrator

Date

Reply #11 on Fri 13 May 2011 07:07 AM (UTC)

Message

I got a message from Malwarebytes as follows:

Quote:

Hi Nick,

If your users update their databases, this should no longer be detected. Thanks for your patience.

So you may want to re-scan to check this, and assure yourselves that I am not distributing malware.

- Nick Gammon

www.gammon.com.au, www.mushclient.com

top

Posted by

Mleo2003 (32 posts)

bio

Date

Reply #12 on Fri 13 May 2011 03:06 PM (UTC)

Message

This isn't the first time I've seen Malwarebytes flag a file as bad when I knew it was good, so I knew it wasn't you.

Rescanned the latest with updates, all is well.

top

Posted by

Crowe (21 posts)

bio

Date

Reply #13 on Sat 14 May 2011 03:43 PM (UTC)

Message

I got this from my scan just now.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6577

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

5/14/2011 10:40:57 AM
mbam-log-2011-05-14 (10-40-57).txt

Scan type: Full scan (E:\|)
Objects scanned: 170531
Time elapsed: 3 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

top

The dates and times for posts above are shown in Universal Co-ordinated Time (UTC).

To show them in your local time you can join the forum, and then set the 'time correction' field in your profile to the number of hours difference between your location and UTC time.

34,824 views.

It is now over 60 days since the last post. This thread is closed. Refresh page

Go to topic: Search the forum

top

Quick links: MUSHclient. MUSHclient help. Forum shortcuts. Posting templates. Lua modules. Lua documentation.

Information and images on this site are licensed under the Creative Commons Attribution 3.0 Australia License unless stated otherwise.