
My antivirus software detected trojan in file downloaded from LEX.

Started by diamonddog_74, November 20, 2009, 08:44:30 PM


diamonddog_74

Has anyone encountered this issue before? Here is a screenshot of the offending file in the McAfee VirusScan screen. Please advise.


Andreas

This happens now and then, since antivirus programs are trying to detect files that look suspiciously like a virus - most times, those are false reports, though.
Andreas

jmyers2043

I did a Google search for 'gtm release version.exe' and came up with no information. What file exactly did you download? I have McAfee as well and can double check your results.

As Andreas said - sometimes Virus programs report 'false positives'. The free version of AVG is one that comes to mind. But you are wise to ask the question. Which brings me back to what file exactly did you download?


Jim Myers  (5th member of SC4 Devotion)

dragonshardz

It looks like he downloaded Jonathan's God Tools in Mayor Mode mod.

Jonathan

Quote from:  Me @ STGTM LEX, is my God Terraforming In Mayor Mode (before I reuploaded it a few days ago it was called LEX because I simply forgot to change the name of the Zip folder) It is now called GTM STEX.

There is no trojan in it, I would never include one in my uploads. Can you please redownload it and do another scan and see if it still alerts you about the "trojan", repackaging it may have fixed this.

A lot of the time oversensitive virus software picks up installers as viruses. And if it was definitely a virus the STEX Mod team would remove the upload ASAP.

diamonddog_74

Hi Jonathan,

I'm running a full scan again to see if it picks it up. I'll re-download from LEX and also see if it marks it as infected. I'll post the results here.

jmyers2043

Quote: Jonathan's God Tools in Mayor Mode mod

Ah - good thing this topic came up. I downloaded the file a few months back but did not install it. Forgetful I am these days...  ::)

I have the full version of McAfee's and it's all up to date with the latest and greatest. I scanned the zip. Unzip. Scan again. Install and scan 'my documents'.

I now see that Diamonddog is using Comcast Security. Didn't notice that before. Albeit McAfee powered. But I am wondering now if the Comcast version is ready for prime time as it appears to be acting like AVG Free does at times?

BTW - Great mod, Jonathan!!




Jim Myers  (5th member of SC4 Devotion)

diamonddog_74

JMyers, it's actually a McAfee application with Comcast branding. It has a McAfee installer, and it shows up on my System Tray as McAfee Security Center. So, for all intents and purposes, I don't think it's a watered down version of McAfee Internet Security.

The only reason I posted this issue is because I'd never run into anything like this before.

UPDATE: I downloaded Jonathan's GTM mod again and it came up clean.

However, there are 7 other plugin installers/zips that came up as containing a "Potentially Unwanted Program" called generic!bg.gms which apparently is some kind of Trojan.

I don't know how to contact the authors so they can check. The plugins are:

Batiments de la Concorde, Deutscher Dom, Germania VG BSC, Eglise Assomption, Salzburg Cathedral, Winterton Opera by DBBSYMN, and Saint Barbara Church by tag_one.

As a test, I downloaded them again fresh from the LEX, and rescanned them in my Downloads folder. They all came up infected with this generic!bg.gms thing.


Jonathan

While I'm relieved to hear that, it is also quite strange. I didn't change anything in the reupload, I just remade the installer exactly the same way I did it before everything, using Install Creator. I didn't have the reader at the time I redid the installer so none of the dats were modified.

Also upon searching for the virus in Google the only link that comes up is the McAfee one :)

Jonathan

BarbyW

I use the full (paid for) version of AVG Internet Security and have scanned all the files you list without finding any trace of trojan or any other virus alert. There are no files on the LEX that contain any form of virus or trojan so check your McAfee for updates.
Inside every old person is a young person wondering what happened. TP



Barbypedia: More alive than the original

wouanagaine

generic!bg.gms seems to be a new virus http://vil.mcafeesecurity.com/vil/content/v_242176.htm

As you listed files that were made way prior to its discovery date (and surely way before it was created), I think we can safely tell these are false positives

New Horizons Productions
Berethor ♦ beskhu3epnm ♦ blade2k5 ♦ dmscopio ♦ dedgren ♦ emilin ♦ Ennedi ♦ Heblem ♦ jplumbley
M4346 ♦ moganite ♦ Papab2000 ♦ Shadow Assassin ♦ Tarkus ♦ wouanagaine
Divide wouanagaine by zero and you will in fact get one...one bad-ass that is - Alek King of SC4

Andreas

Since new viruses are popping up every day, antivirus software uses a technology called "heuristics" for detecting viruses that are not registered in their virus database yet. Those findings are usually marked like in your case, with "potential threat" or "generic" - this means that no actual virus or trojan has been found, but just some code that looks similar to a typical malware. In most cases, the warning disappears after the next update. Since installers are files that need to be executed (rather than just viewed), and since they often run with administrator privileges, they are treated very carefully by the antivirus programs, which also means that false alarms are likely.
Andreas

diamonddog_74

They may be false positives, but like I said, I've never encountered viruses or Trojans before this scan. The rest of my 2 GB worth of SC4 plugin installers came up clean. I guess I'll assume they're OK as well.