VIRUS Detected when clicking PLAY! (Appears Fixed Now 09/17) : General & Trouble Shooting

[Guest]

Run a virus scan of your system immediatly!!!

I just found out that when you start up Xunleased and click Play, as one of the plugins auto update, it tries to run a virus. Symantec AntiVirus detects it as Backdoor.Graybird.

This only happens when you click the Play button, not before this point.

I deleted my XUnleashed dir. re-d/l'ed it, Installed 3 plugins (EQ2Crafter, EQ2Unleashed Map, EQ2Servicer). I am in the process of trying to figureout which one exactly does it. Will post in a few minutes.

[bloodknight]

Ok, Deleted XUnleashed, Re downloaded the install file and ran. It downloaded everything like before. I DID NOT install anything extra. Just base Xunleashed install. I still get the Virus Detected message when clicking on Play. I can Run EQ2 just fine with no virus detected messages.

After I get a Virus detected message I have to reboot to get it to show up again when clicking play. I suspect this is becasue when it was trying to run it locked up Xunleashed because it was denied access to the file that had the virus.

This is very new as I was using it yesterday for sure just fine and I can not remember if I used it this morning just fine. But it did just show up.

[bloodknight]

Here is the writeup from symantec about this virus:

http://securityresponse.symantec.com/av ... ybird.html

[kevinalaska]

I had that virus come up on my system today as well. I am not sure what the cause of the virus is but Norton Antivirus did catch it.

I also downloaded XUleashed over and installed ONLY the Crafting plug-in. I only had the crafting plug-in before the this whole problem started with not running XUleashed program.

Virus scan was also finished

I recomment scanning via the internet as well (as it is like having more then one Doctors opinion) go to [url]housecall.antivirus.com[/url]. This will let you do a good scan of yoru system for free.

I still want to know what this is all about.. So if anyone finds any information please post it. I really dont want to be running XUleashed with the idea of it being a security hole in my computer as well as a possbile way that SoE to find out I am using XUleashed... =/

Thank you...

[bloodknight]

I am still working on analyzing exactly which files are beinf accessed when Symantec detects the virus. Will post in a few more minutes.

[bloodknight]

There is a PATCH.BIN file that is creating the temp file that Symantec detects as a virus.

This file exists in the root of the XUnleashed Directory where the XUnleashed.exe file resides.

This temp file it creates is the one that is detected with the virus. I used sysinternals FILEMON tool to see what files were being called and which one was the one creating the file that symantec detected as a virus.

[bloodknight]

I found an old install of XUnleashed that I had on another one of my machines from about 2 months ago. I am in the process of determining what creates the patch.bin file as I have already tried to see if it was a direct d/l from the auto-update by launching xunleashed. I did this by processing my firewall logs for all activity from my test machine.

[bloodknight]

OK, I gifured out why it was not showing up in my firewall logs. I was assuming that is was making HTTP calls to grab any files as it does use this method to check some files. Using a TCP/IP sniffer after I determined that XUnleashed was making a pure socket call to an external IP to download most of it's files for updateing I was able to determin that XUnleashed.exe was making the socket connection and downloading the PATCH.BIN file. I assume it is suppose to do this as it also updates all the other files this way.

I was able to determin that 1 ip address is server out this virus infected file at 24.155.5.159. Unfortunatly this appears to be a dynamic addess from an ISP. I am going to block access to IP address and test again in hopes that there is a mirror it will use that does not have an infected file.

[bloodknight]

Well, that didn't work. Seems that this web site is also served by that same IP as I had to unblock it to get back to the forums. I did a nslookup and verified that these forums are served by that IP also.

So the only thing we can do now is wait for the admin to check his files and get rid of the virus. Unless it was intentional and I don't even want to go down that road as I have trusted Tault for a very long time.

[bloodknight]

I'm going to backtrack through all my posts and also say that I am not sure that the PATCH.BIN file is the one with the virus. What appears to happen is this:

XUnleashed.exe creates PATCH.BIN. It either does this from downloading code over the internet or from making a copy of itself.

Then PATCH.BIN creates and access many other files.

After XUnleashed has fully downloaded and you click the play button PATCH.BIN does create a MC21.TMP (typically named as this, but a few times has been other names) which is the one that has a virus.

Now it creates this file either from other files that have already been downloaded at this point, or by downloading the code from the internet at the time.

My point is, I have indeed determined that the file PATCH.BIN creates this temp file which has the virus.

[kevinalaska]

Wow Bloodknight... you were well spoken (err... written) and logical in your appoach... I hope the amazing work you have shown here really helps them solve this.

I would also like to ask if you perchance have the name of the "filemon" program you use. I have had great need in the past for such a utility.

Thanks and best wishes.

[bloodknight]

yes, the filmon.exe and other very useful utilities are at www.sysinternals.com

The filemon is called just that, 'filemon' which is short for file monitor. It is located at http://www.sysinternals.com/utilities/filmon.html

[bloodknight]

ok, as of this morning when I woke up looking forward to seeing some relpy from the admin or someone involved in fixed this I was disappointed to see nothing of the sort.

I decided to check and see if it was fixed anyways. Everything that I tracked yesterday with a temp file being created and causing a detection of a virus is gone. It appears that it is fixed now. It causes no detection of a virus. I belive it is fixed, unless the virus' signature was changed so it is not detectable by an anti-virus program. I have detected that it still creates the temp file but does not cause a trigger of the virus detection. After succesful run I did a virus scan and checked every place the previous virus modifies stuff (as posted previously) and no known signs of that virus being on my system.

I just wish that the admin of who ever is involved with fixing this posted something about it.

[Tault_admin]

Not that i know of are there any viruses in xunleashed. LOL wouldnt make any sense for business for us to ruin peoples computers.

[muzzleflash]

Having the same problem with Symantec AntiVirus. Only started happening since a recent virusdefs update.

The temp file generated in the user's temporary directory is detected as being a virus and automatically deleted. Im guessing the file is the DirectX hook, since the XUnleashed menu bar fails to show in the game.