
Gammon Forum


Problem with MUSHclient 4.72

It is now over 60 days since the last post. This thread is closed.


Posted by Jess   (2 posts)  Bio
Date Mon 02 May 2011 07:12 PM (UTC)
Message
So, recently I've been having some problems with my computer randomly freezing and then not starting Windows after initial log in attempts outside of safe mode. After a few scans with different antivirus programs, I've found that the newest build of MUSHclient contains a trojan inside the .exe, apparently. Below is the log of the last scan of mushclient472.exe downloaded directly from the mushclient website.

I had deleted it and all of the files associated with it, then redownloaded it just a few minutes ago, but before installing it I scanned it with Malwarebytes just to avoid the trouble of having to get rid of it after installation and lo and behold, it was there again.

----


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6484

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/2/2011 2:00:17 PM
mbam-log-2011-05-02 (14-00-17).txt

Scan type: Quick scan
Objects scanned: 1
Time elapsed: 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Jess\Desktop\mushclient472.exe (Trojan.P2P.Dropper) -> Quarantined and deleted successfully.

Posted by Nick Gammon   Australia  (23,120 posts)  Bio   Forum Administrator
Date Reply #1 on Tue 03 May 2011 09:23 AM (UTC)
Message
The source code to MUSHclient is publicly available. It would be difficult if not impossible for me to hide malware inside it.

I run antivirus software on my development PC because I do not want to inadvertently upload a virus.

I am tentatively regarding this as a spam post advertising the Malwarebytes product.

Does anyone else have any comments?

- Nick Gammon

www.gammon.com.au, www.mushclient.com

Posted by Twisol   USA  (2,257 posts)  Bio
Date Reply #2 on Tue 03 May 2011 09:32 AM (UTC)

Amended on Tue 03 May 2011 09:33 AM (UTC) by Twisol

Message
To be on the safe side, I sent the installer through Jotti's multi-service scanner. Everything turned up clean. There are a few possibilities I can think of:

1) Jotti's scanner missed the malware. Unlikely, as it uses twenty different services including AVG and Kaspersky to scan uploads.
2) Jess's computer is infected with a virus that modifies downloads to contain viruses. Just a thought.
3) Jess is spamming convincing advertisements. I'd rather not believe this one.

In any case, Jess, try running Trend Micro's HouseCall [1] scanner on your computer. I use it every now and then and I'm pretty happy with it.

(For reference, the results of the multi-service scan are public. [2])

[1] http://housecall.trendmicro.com/
[2] http://virusscan.jotti.org/en/scanresult/3cec3c85444ab0b3449b0140f790c38f84e614c6

'Soludra' on Achaea

Blog: http://jonathan.com/
GitHub: http://github.com/Twisol

Posted by Nick Gammon   Australia  (23,120 posts)  Bio   Forum Administrator
Date Reply #3 on Tue 03 May 2011 11:05 AM (UTC)
Message
Thank you Twisol for that comprehensive analysis.

For those who may not want to follow the links:



MUSHclient 4.72 was released on 4th February 2011. A few months back. No complaints have been received.

The virus scanner done by Twisol shows it is clean. The source is a matter of public record.

I smell a rat, because this post is saying "hey, your MUSHclient might be infected! Download xxx.exe and you will be saved!". Maybe the scanner is the problem.

- Nick Gammon

www.gammon.com.au, www.mushclient.com

Posted by Nick Gammon   Australia  (23,120 posts)  Bio   Forum Administrator
Date Reply #4 on Tue 03 May 2011 11:07 AM (UTC)

Amended on Tue 03 May 2011 12:38 PM (UTC) by Nick Gammon

Message
Jess, if you are genuine, run an MD5 check on the executable. The number posted in the image above agrees with the one on my download page:

MD5 sum for the download

If you do an md5sum on mushclient472.exe you should get this result:

b4b36217560d898703a06654d50c38a5

So if yours is different you are the one with the problem.

- Nick Gammon

www.gammon.com.au, www.mushclient.com
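
The MD5 check described in this post, as an added example (not part of the original thread and not MUSHclient's own code): it hashes a downloaded file in chunks and compares the result with a published digest, given either as a bare hex string or as an `md5sum`-style line. The script name `verify_download.py` and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import re

# Digest length in hex characters -> hashlib algorithm name.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_published(text):
    """Accept a bare hex digest or an md5sum-style line ('<hex>  <name>')."""
    token = text.strip().split()[0].lower() if text.strip() else ""
    if not re.fullmatch(r"[0-9a-f]+", token) or len(token) not in ALGO_BY_HEX_LEN:
        raise ValueError("not a recognised hex digest: %r" % text)
    return ALGO_BY_HEX_LEN[len(token)], token


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash the file in chunks so large installers are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published):
    """Return (matches, algo, actual_digest) for a file against a published digest."""
    algo, expected = parse_published(published)
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, expected), algo, actual


if __name__ == "__main__":
    import sys
    # Usage: python verify_download.py mushclient472.exe b4b36217560d898703a06654d50c38a5
    ok, algo, actual = verify_download(sys.argv[1], sys.argv[2])
    print("%s %s: %s" % (algo, actual, "matches published value" if ok else "MISMATCH"))
    sys.exit(0 if ok else 1)
```

A match means the local file is byte-identical to the one the publisher hashed, so a detection on it concerns the published file itself rather than a copy altered on the way to the user. MD5 is not collision-resistant, so where a publisher also offers a SHA-256 value, that is the stronger check.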

Posted by Twisol   USA  (2,257 posts)  Bio
Date Reply #5 on Tue 03 May 2011 11:51 AM (UTC)

Amended on Tue 03 May 2011 11:53 AM (UTC) by Twisol

Message
Nick Gammon said:
Jotti

Jess. Jotti is the guy who wrote the scanner.

[EDIT]: Also, it's worth noting that he could have downloaded MUSHclient from a third-party website.

'Soludra' on Achaea

Blog: http://jonathan.com/
GitHub: http://github.com/Twisol

Posted by Nick Gammon   Australia  (23,120 posts)  Bio   Forum Administrator
Date Reply #6 on Tue 03 May 2011 12:39 PM (UTC)
Message
Fixed post.

I thought of that but when he said "Below is the log of the last scan of mushclient472.exe downloaded directly from the mushclient website." I assumed that was not the case.

- Nick Gammon

www.gammon.com.au, www.mushclient.com

Posted by Keirath   (10 posts)  Bio
Date Reply #7 on Tue 03 May 2011 07:22 PM (UTC)
Message
I play MUDs with Jess and downloaded MalwareBytes to test if what he was saying is true. MalwareBytes (a program I have used several times on several machines when I worked in IT support) does show MUSHclient as having a Trojan.

However, I have not had any issues whatsoever with my operating system or anything and have had no adverse effects. Additionally, software such as AntiVir, AVG, show nothing.

Also to note, MalwareBytes ONLY shows the Trojan when scanning the installer itself. Upon scanning the MUSHclient directory after installation, I am finding no trojans.

I am not sure what's going on, but I definitely think this is a misread by MB.

Posted by Jess   (2 posts)  Bio
Date Reply #8 on Tue 03 May 2011 07:23 PM (UTC)
Message
I'm not trying to plug the program or anything like that, it's just that out of all of the programs I did run, it's the only one that picked it up. Each time I deleted the file, the computer started working properly again. Before I downloaded that build of Mush, I hadn't had any problems. It wasn't until after I had the problem that I downloaded the program that found the trojan, too, and it was only because a friend of mine told me to. I actually scanned the entire computer with Avast, AVG, the standard Windows security program and SpyBot before downloading the Malwarebytes.

I ran the MD5 check and it checked out just fine, but I still get the trojan and random Windows freezes after running the 4.72 exe.

Posted by Shadowfyr   USA  (1,788 posts)  Bio
Date Reply #9 on Tue 03 May 2011 07:59 PM (UTC)
Message
It's not completely improbable that it detected what it thought was one, for some reason. This happens sometimes. Often a scanner ends up having to have an exclusion added, to stop false positives. Usually this happens with installers, and usually ones that go online to download more stuff (though not always, sometimes the actual compressed file simply by chance accident has a set of bytes that are looked for as a signature of a virus, which is likely the case here, since the installer doesn't download anything).

It's the reason, in fact, a lot of games suggest disabling anti-virus when installing. Not because they have malware, but because they can trip alarms, or have, on some scanners, while running, but, in that case, not the installer exe, or the complete game. I imagine it's quite annoying for people that run into it.

Posted by Nick Gammon   Australia  (23,120 posts)  Bio   Forum Administrator
Date Reply #10 on Tue 03 May 2011 09:42 PM (UTC)
Message
OK thanks for clarifying.

I was going to mention false-positives (something is claimed to have a virus when it doesn't) and false-negatives (a virus slips through undetected).

Virtually any test (e.g. medical ones) suffers from a certain percentage of both false-positives and false-negatives. The idea is to keep them low, of course.

Unfortunately with more and more viruses being released, and the detection method being to scan for "signature bytes" the likelihood of genuine uninfected software raising a false-positive increases.

- Nick Gammon

www.gammon.com.au, www.mushclient.com

Posted by Twisol   USA  (2,257 posts)  Bio
Date Reply #11 on Tue 03 May 2011 09:45 PM (UTC)
Message
Jess said:
I'm not trying to plug the program or anything like that, it's just that out of all of the programs I did run, it's the only one that picked it up.

If 20 different scanners don't see anything, and only one does, I'd say it's a false alarm. I can also say with confidence that my computer doesn't have those problems, and I have MUSHclient installed. Have you tried running HouseCall?

'Soludra' on Achaea

Blog: http://jonathan.com/
GitHub: http://github.com/Twisol

Posted by Nick Gammon   Australia  (23,120 posts)  Bio   Forum Administrator
Date Reply #12 on Wed 04 May 2011 12:17 AM (UTC)

Amended on Wed 04 May 2011 12:18 AM (UTC) by Nick Gammon

Message
Jess said:

I'm not trying to plug the program or anything like that, it's just that out of all of the programs I did run, it's the only one that picked it up.


I went to Doctor #1, he said I was fine. I went to Doctor #2, he said I was fine. Finally after visiting 20 doctors I found one who told me there was something wrong. Finally! Now I'm happy. ;)

Look at it another way, there is only a 5% chance there is something wrong with me.

- Nick Gammon

www.gammon.com.au, www.mushclient.com

Posted by Nick Gammon   Australia  (23,120 posts)  Bio   Forum Administrator
Date Reply #13 on Fri 13 May 2011 07:08 AM (UTC)
Message
I got a message from Malwarebytes as follows:

Quote:

Hi Nick,

If your users update their databases, this should no longer be detected. Thanks for your patience.

- Nick Gammon

www.gammon.com.au, www.mushclient.com

The dates and times for posts above are shown in Universal Co-ordinated Time (UTC).
