Problem with MUSHclient 4.72
Posted by
| Jess
(2 posts) Bio
|
Date
| Mon 02 May 2011 07:12 PM (UTC) |
Message
| So, recently I've been having some problems with my computer randomly freezing and then not starting Windows after initial log in attempts outside of safe mode. After a few scans with different antivirus programs, I've found that the newest build of MUSHclient contains a trojan inside the .exe, apparently. Below is the log of the last scan of mushclient472.exe downloaded directly from the mushclient website.
I had deleted it and all of the files associated with it, then redownloaded it just a few minutes ago, but before installing it I scanned it with Malwarebytes just to avoid the trouble of having to get rid of it after installation and lo and behold, it was there again.
----
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6484
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
5/2/2011 2:00:17 PM
mbam-log-2011-05-02 (14-00-17).txt
Scan type: Quick scan
Objects scanned: 1
Time elapsed: 2 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Users\Jess\Desktop\mushclient472.exe (Trojan.P2P.Dropper) -> Quarantined and deleted successfully.
| Top |
|
Posted by
| Nick Gammon
Australia (23,122 posts) Bio
Forum Administrator |
Date
| Reply #1 on Tue 03 May 2011 09:23 AM (UTC) |
Message
| The source code to MUSHclient is publicly available. It would be difficult if not impossible for me to hide malware inside it.
I run antivirus software on my development PC because I do not want to inadvertently upload a virus.
I am tentatively regarding this as a spam post advertising the Malwarebytes product.
Does anyone else have any comments? |
- Nick Gammon
www.gammon.com.au, www.mushclient.com | Top |
|
Posted by
| Twisol
USA (2,257 posts) Bio
|
Date
| Reply #2 on Tue 03 May 2011 09:32 AM (UTC) Amended on Tue 03 May 2011 09:33 AM (UTC) by Twisol
|
Message
| To be on the safe side, I sent the installer through Jotti's multi-service scanner. Everything turned up clean. There are a few possibilities I can think of:
1) Jotti's scanner missed the malware. Unlikely, as it uses twenty different services including AVG and Kaspersky to scan uploads.
2) Jess's computer is infected with a virus that modifies downloads to contain viruses. Just a thought.
3) Jess is spamming convincing advertisements. I'd rather not believe this one.
In any case, Jess, try running Trend Micro's HouseCall [1] scanner on your computer. I use it every now and then and I'm pretty happy with it.
(For reference, the results of the multi-service scan are public. [2])
[1] http://housecall.trendmicro.com/
[2] http://virusscan.jotti.org/en/scanresult/3cec3c85444ab0b3449b0140f790c38f84e614c6 |
'Soludra' on Achaea
Blog: http://jonathan.com/
GitHub: http://github.com/Twisol | Top |
|
Posted by
| Nick Gammon
Australia (23,122 posts) Bio
Forum Administrator |
Date
| Reply #3 on Tue 03 May 2011 11:05 AM (UTC) |
Message
| Thank you Twisol for that comprehensive analysis.
For those who may not want to follow the links:
MUSHclient 4.72 was released on 4th February 2011. A few months back. No complaints have been received.
The virus scan done by Twisol shows it is clean. The source is a matter of public record.
I smell a rat, because this post is saying "hey, your MUSHclient might be infected! Download xxx.exe and you will be saved!". Maybe the scanner is the problem. |
- Nick Gammon
www.gammon.com.au, www.mushclient.com | Top |
|
Posted by
| Nick Gammon
Australia (23,122 posts) Bio
Forum Administrator |
Date
| Reply #4 on Tue 03 May 2011 11:07 AM (UTC) Amended on Tue 03 May 2011 12:38 PM (UTC) by Nick Gammon
|
Message
| Jess, if you are genuine, run an MD5 check on the executable. The number posted in the image above agrees with the one on my download page:
MD5 sum for the download
If you do an md5sum on mushclient472.exe you should get this result:
b4b36217560d898703a06654d50c38a5
So if yours is different you are the one with the problem. |
- Nick Gammon
www.gammon.com.au, www.mushclient.com | Top |
|
Posted by
| Twisol
USA (2,257 posts) Bio
|
Date
| Reply #5 on Tue 03 May 2011 11:51 AM (UTC) Amended on Tue 03 May 2011 11:53 AM (UTC) by Twisol
|
Message
|
Nick Gammon said: Jotti
Jess. Jotti is the guy who wrote the scanner.
[EDIT]: Also, it's worth noting that he could have downloaded MUSHclient from a third-party website. |
'Soludra' on Achaea
Blog: http://jonathan.com/
GitHub: http://github.com/Twisol | Top |
|
Posted by
| Nick Gammon
Australia (23,122 posts) Bio
Forum Administrator |
Date
| Reply #6 on Tue 03 May 2011 12:39 PM (UTC) |
Message
| Fixed post.
I thought of that but when he said "Below is the log of the last scan of mushclient472.exe downloaded directly from the mushclient website." I assumed that was not the case. |
- Nick Gammon
www.gammon.com.au, www.mushclient.com | Top |
|
Posted by
| Keirath
(10 posts) Bio
|
Date
| Reply #7 on Tue 03 May 2011 07:22 PM (UTC) |
Message
| I play MUDs with Jess and downloaded MalwareBytes to test if what he was saying is true. MalwareBytes (a program I have used several times on several machines when I worked in IT support) does show MUSHclient as having a Trojan.
However, I have not had any issues whatsoever with my operating system or anything and have had no adverse effects. Additionally, software such as AntiVir, AVG, show nothing.
Also to note, MalwareBytes ONLY shows the Trojan when scanning the installer itself. Upon scanning the MUSHclient directory after installation, I am finding no trojans.
I am not sure what's going on, but I definitely think this is a misread by MB. | Top |
|
Posted by
| Jess
(2 posts) Bio
|
Date
| Reply #8 on Tue 03 May 2011 07:23 PM (UTC) |
Message
| I'm not trying to plug the program or anything like that, it's just that out of all of the programs I did run, it's the only one that picked it up. Each time I deleted the file, the computer started working properly again. Before I downloaded that build of Mush, I hadn't had any problems. It wasn't until after I had the problem that I downloaded the program that found the trojan, too, and it was only because a friend of mine told me to. I actually scanned the entire computer with Avast, AVG, the standard Windows security program and SpyBot before downloading the Malwarebytes.
I ran the MD5 check and it checked out just fine, but I still get the trojan and random Windows freezes after running the 4.72 exe. | Top |
|
Posted by
| Shadowfyr
USA (1,788 posts) Bio
|
Date
| Reply #9 on Tue 03 May 2011 07:59 PM (UTC) |
Message
| It's not completely improbable that it detected what it thought was one, for some reason. This happens sometimes. Often a scanner ends up having to have an exclusion added, to stop false positives. Usually this happens with installers, and usually ones that go online to download more stuff (though not always, sometimes the actual compressed file simply by chance accident has a set of bytes that are looked for as a signature of a virus, which is likely the case here, since the installer doesn't download anything).
It's the reason, in fact, a lot of games suggest disabling anti-virus when installing. Not because they have malware, but because they can trip alarms, or have, on some scanners, while running, but, in that case, not the installer exe, or the complete game. I imagine it's quite annoying for people that run into it. | Top |
|
Posted by
| Nick Gammon
Australia (23,122 posts) Bio
Forum Administrator |
Date
| Reply #10 on Tue 03 May 2011 09:42 PM (UTC) |
Message
| OK thanks for clarifying.
I was going to mention false-positives (something is claimed to have a virus when it doesn't) and false-negatives (a virus slips through undetected).
Virtually any test (e.g. medical ones) suffers from a certain percentage of both false-positives and false-negatives. The idea is to keep them low, of course.
Unfortunately with more and more viruses being released, and the detection method being to scan for "signature bytes" the likelihood of genuine uninfected software raising a false-positive increases.
|
- Nick Gammon
www.gammon.com.au, www.mushclient.com | Top |
|
Posted by
| Twisol
USA (2,257 posts) Bio
|
Date
| Reply #11 on Tue 03 May 2011 09:45 PM (UTC) |
Message
|
Jess said: I'm not trying to plug the program or anything like that, it's just that out of all of the programs I did run, it's the only one that picked it up.
If 20 different scanners don't see anything, and only one does, I'd say it's a false alarm. I can also say with confidence that my computer doesn't have those problems, and I have MUSHclient installed. Have you tried running HouseCall? |
'Soludra' on Achaea
Blog: http://jonathan.com/
GitHub: http://github.com/Twisol | Top |
|
Posted by
| Nick Gammon
Australia (23,122 posts) Bio
Forum Administrator |
Date
| Reply #12 on Wed 04 May 2011 12:17 AM (UTC) Amended on Wed 04 May 2011 12:18 AM (UTC) by Nick Gammon
|
Message
|
Jess said:
I'm not trying to plug the program or anything like that, it's just that out of all of the programs I did run, it's the only one that picked it up.
I went to Doctor #1, he said I was fine. I went to Doctor #2, he said I was fine. Finally after visiting 20 doctors I found one who told me there was something wrong. Finally! Now I'm happy. ;)
Look at it another way, there is only a 5% chance there is something wrong with me. |
- Nick Gammon
www.gammon.com.au, www.mushclient.com | Top |
|
Posted by
| Nick Gammon
Australia (23,122 posts) Bio
Forum Administrator |
Date
| Reply #13 on Fri 13 May 2011 07:08 AM (UTC) |
Message
| I got a message from Malwarebytes as follows:
Quote:
Hi Nick,
If your users update their databases, this should no longer be detected. Thanks for your patience.
|
- Nick Gammon
www.gammon.com.au, www.mushclient.com | Top |
|
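An added example, not part of any post in this thread and not code from the MUSHclient project: the triage the replies work through, first checking the file against the MD5 published in reply #4 and only then weighing the scanner verdicts. The function names, the `max_outliers` threshold and the stand-in sample file are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# MD5 published for mushclient472.exe in reply #4 of this thread.
PUBLISHED_MD5 = "b4b36217560d898703a06654d50c38a5"


def file_md5(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(path, published_md5, verdicts, max_outliers=1):
    """verdicts maps scanner name -> detection label, or None for clean.
    max_outliers is an assumed threshold, not a value from the thread."""
    if file_md5(path) != published_md5.strip().lower():
        return "MISMATCH: not the publisher's file (altered or wrong source)"
    hits = sorted(name for name, label in verdicts.items() if label)
    if not hits:
        return "MATCH: publisher's file, no scanner flags it"
    if len(hits) <= max_outliers and len(hits) < len(verdicts):
        return "MATCH: likely false positive, report to " + ", ".join(hits)
    return "MATCH: publisher's file but widely flagged, escalate to the author"


def demo():
    # Verdicts as reported in the thread: one scanner flags, the others do not.
    reported = {"Malwarebytes": "Trojan.P2P.Dropper", "AVG": None, "AntiVir": None}
    # Constructed case: most scanners agree on a detection.
    majority = {"ScannerA": "Sample.Label", "ScannerB": "Sample.Label", "ScannerC": None}
    with tempfile.TemporaryDirectory() as tmpdir:
        # Constructed stand-in file; its own hash plays the "published" value.
        path = os.path.join(tmpdir, "sample_installer.exe")
        with open(path, "wb") as handle:
            handle.write(b"constructed sample installer bytes")
        published = file_md5(path)
        return [
            triage(path, published, reported),      # hash ok, lone detection
            triage(path, PUBLISHED_MD5, reported),  # hash differs
            triage(path, published, majority),      # hash ok, many detections
        ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

A matching hash only shows that the file is the one the publisher uploaded, which is why the scanner verdicts are weighed as a separate step.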
The dates and times for posts above are shown in Universal Co-ordinated Time (UTC).