Spyware, viruses, & security : Yahoo Games download Trojan

Post 1 of 13

Yahoo Games download Trojan

by raduzhok - 7/2/08 9:10 AM

Several years ago I purchased a Yahoo game (I've already written to them and they are viewing the problem as a corrupted file) which has been downloaded on several systems as I've gotten new computers. With each change in computer I would re-download the game. I've never encountered a problem with it until June 30, 2008 when my virus scan showed four infections, all related to this game (ZUMA).

Of course AVG put it into the virus vault. My question is, having uninstalled the game, and given it appears that the trojan was coded to 'attack' on June 30, would the new download of the game contain that trojan and would its time have passed for infecting the computer, or would it now be active continuously and the game is no longer safe to download at any time from June 30th onward?

I didn't know how to find out if other players of this download game have encountered the same problem. Can you tell me if others may have posted concerning this problem? Thank you.

Rad

Post 2 of 13

I Wonder Why You'd Download....

by tobeach - 7/2/08 11:05 PM In reply to: Yahoo Games download Trojan by raduzhok

ZUMA from Yahoo!??? The game originally came from PopCap Games. You can download from there or BETTER still, order the Zuma on CD from there. When I did, it arrived 3 days later by post.
I am glad I did the latter as I find about 1 time per year, I remove & re-install it from the CD to correct what appears to be degraded driver performance causing hick-ups (lack of "smooth" run of balls) in the video run.

"Thanks again for your purchase, and we hope you come back to PopCap for
more great games in the future!

Team PopCap
http://www.popcap.com"


Online download is limited in number & if you change machines etc. or site moves you've got nothing.

None of my scanners (many) have ever found a trojan in this game 'tho it does have an adware angle as it tries, via samples of other games, to induce you to order permanent versions of the other games.
Myself, I found the folder responsible for this (adlist) & deleted it to My Docs where it sits IF I should ever want to put it back in. Game still works without it.

The Pop-Cap Games site did download tracking adware if you used their online playing of the game(s) via an ActiveX control (PopCap Loader.dll) which can be removed from IE or disabled via Spybot etc. This also added 1 other folder for the online site mainly used to ensure the site got commissions on sale if you ordered CD rather than download.

This is not anywhere near the first time Yahoo!! has been known to download virus/trojan laced items.
Even on their 10th anniversary (2004) Yahoo! distributed a free "thank you" to their loyal users in form of a FREE Tennis Game:
MIME type: application/x-msdownload
File name: Yahoo!Tennis.scr
File size: 93.06 kB
Virus name: W32/Oror.gen@MM
http://forums.cnet.com/5208-6132_102-0.html?forumID=32&threadID=45827&messageID=542238#542238

SOME THANK YOU!!! I wouldn't download anything from them (despite it all being free) after my Cable ISP sold all 2 million of us into Yahoo bondage. I WILL NOT visit ANY Yahoo Geocities site/link due to permanent deeply buried ID cookie required to enter site. Difficult to remove once you even find out about it. JMHO & Words of Warning (WOW).
Good Luck & truly suggest CD is your best bet! :-)

Post 3 of 13

Pop Cap vs Yahoo download

by raduzhok - 7/3/08 10:53 AM In reply to: I Wonder Why You'd Download.... by tobeach

It seems nobody else has been infected with this trojan. Has anyone ever heard of Trojan Horse Generic10.AUUT? I googled it and found one person who said their AV found it but he didn't know where it might have come from.

Onto the PopCap vs Yahoo question. I bought the game from Yahoo. So if I want the game on CD, does that mean I pay for it all over again, or does PopCap honor that I already bought the game?

Thanks

Rad

Post 4 of 13

I would think that it may be

by roddy32 Moderator - 7/3/08 5:55 AM In reply to: Yahoo Games download Trojan by raduzhok

a false positive. I have Zuma and although I don't use AVG nor did I download it from Yahoo, none of my protection programs flag it. You could upload the file to VirusTotal which will give you results from numerous scanners.
http://www.virustotal.com/

Post 5 of 13

Is generic10.AUUT a known false positive?

by raduzhok - 7/3/08 10:58 AM In reply to: I would think that it may be by roddy32 Moderator

I've had another situation over a year ago, not connected with a game, but connected with a paint program. It hasn't been picked up by my malware/av scanners since.

That would be nice if I could find out if it was actually the situation. Still, there's the matter of already having paid for it at one site. What I found odd was that I've actually had the game for several years.

Thanks

Rad

Post 6 of 13

False positives are usually fixed

by roddy32 Moderator - 7/3/08 3:10 PM In reply to: Is generic10.AUUT a known false positive? by raduzhok

quickly depending on the AV program. Did you take my suggestion and upload it to VirusTotal? The link is in my previous post. That would eliminate all the guess work and would only take you a couple of minutes to do.

Post 7 of 13

Ran the file through the virustotal

by raduzhok - 7/5/08 10:51 AM In reply to: False positives are usually fixed by roddy32 Moderator

Yes, I did try that and the results simply showed a hyphen after each program that tested it. I'm thinking that meant no virus was detected by these. The file I sent was from the AVG8 virus vault since AVG placed the game in quarantine. Thanks for the help.

Rad

Post 8 of 13

Actually...

by jpomerening - 8/22/08 8:25 PM In reply to: Ran the file through the virustotal by raduzhok

I went ahead and tested it with one of the files AVG did find to be infected, which was files.cab.

AntiVir: TR/Smalltroj.DBHQ
Avast: Win32:Trojan-gen (Other)
AVG: Generic10.AUUT
eSafe: Suspicious File
GData: Win32:Trojan-gen
Norman: W32/Smalltroj.DBHQ
Prevx1: Malicious Software
Sophos: Sus/UnkPacker
Webwasher-Gateway: Win32.Malware.gen (suspicious)


Also:

File size: 5555112 bytes
MD5...: 0aee5fb0024d14b2d6c2b8fc8e0237d9
SHA1..: edfeeae76f98f8e3175014643dca269eba3269d4
SHA256: c203a59c922dc5d0956d5f0f4a90a1163ce370710d01913c5fe840c6fd6a5a0d
SHA512: ccced89dabc1cd4046eec82997c5f974ae38bd21e9ad50903a3807a631c935541a08420da7e8d809f666cff18c741f76779b7a490fee61b7d749744a2b1ef7c9
PEiD..: -
PEInfo: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=66258A4A3475FA568F040144C0F00A005C18756E
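
The digests in the post above are the useful part of that report: anyone who still has a copy of the Yahoo-distributed Zuma download can hash their own files.cab locally and see whether it is byte-for-byte the same sample, without uploading the file anywhere. The script below is an added example written for this thread, not code from the original page, from VirusTotal or from any AV vendor. It copies the MD5/SHA-1/SHA-256/SHA-512 values and the 5555112-byte size from the post, hashes a file in chunks (the real cab is over 5 MB, so it is not read into memory at once), and reports whether the fingerprint matches. The sample bytes in demo() are constructed so the script runs offline; the file path, function names and the size pre-check are my own choices.

```python
"""Check a local files.cab against the fingerprints posted in this thread.

Added example for this discussion; not code from the page, VirusTotal or an
AV vendor. KNOWN_BAD and KNOWN_BAD_SIZE are copied from the VirusTotal report
quoted above. The sample data in demo() is constructed, not the real file.
"""
import hashlib
import os
import sys
import tempfile

HASH_NAMES = ("md5", "sha1", "sha256", "sha512")

# Fingerprints of the flagged files.cab, as reported in the thread.
KNOWN_BAD = {
    "md5": "0aee5fb0024d14b2d6c2b8fc8e0237d9",
    "sha1": "edfeeae76f98f8e3175014643dca269eba3269d4",
    "sha256": "c203a59c922dc5d0956d5f0f4a90a1163ce370710d01913c5fe840c6fd6a5a0d",
    "sha512": "ccced89dabc1cd4046eec82997c5f974ae38bd21e9ad50903a3807a631c93554"
              "1a08420da7e8d809f666cff18c741f76779b7a490fee61b7d749744a2b1ef7c9",
}
KNOWN_BAD_SIZE = 5555112  # bytes, from the same report


def fingerprint_bytes(data):
    """Hex digests (all four algorithms) plus the length of an in-memory byte string."""
    fp = {name: hashlib.new(name, data).hexdigest() for name in HASH_NAMES}
    fp["size"] = len(data)
    return fp


def fingerprint_file(path, chunk_size=1 << 20):
    """Same result as fingerprint_bytes, but streamed so large installers fit in memory."""
    hashers = {name: hashlib.new(name) for name in HASH_NAMES}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    fp = {name: h.hexdigest() for name, h in hashers.items()}
    fp["size"] = size
    return fp


def compare_with_known_bad(fp):
    """Return (is_match, per_field). Size is checked first: a file of a different
    length cannot be the reported sample, so the digests need not be compared."""
    if fp["size"] != KNOWN_BAD_SIZE:
        return False, {"size": False}
    per_field = {name: fp[name] == KNOWN_BAD[name] for name in HASH_NAMES}
    return all(per_field.values()), per_field


def demo():
    """Constructed sample: write a small fake files.cab to a temp dir and check it.
    Returns whether the streaming and in-memory fingerprints agree and the verdict."""
    sample = b"constructed sample bytes, not the real files.cab\n" * 100
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "files.cab")
        with open(path, "wb") as fh:
            fh.write(sample)
        from_file = fingerprint_file(path)
    from_bytes = fingerprint_bytes(sample)
    is_match, detail = compare_with_known_bad(from_file)
    return {"consistent": from_file == from_bytes, "is_match": is_match, "detail": detail}


if __name__ == "__main__":
    # Usage: python check_cab.py <path to your files.cab>; with no argument, run the demo.
    if len(sys.argv) > 1:
        fp = fingerprint_file(sys.argv[1])
        is_match, detail = compare_with_known_bad(fp)
        for name in HASH_NAMES:
            print(f"{name.upper():7}{fp[name]}")
        print("size   ", fp["size"])
        print("matches reported sample:", is_match, detail)
    else:
        print(demo())
```

A match on all four digests means the file is the same sample jpomerening submitted, and the vendor names on the report are what already exists for it; a mismatch means only that it is a different file, not that it is clean, and the copy should still be scanned. Looking a digest up on VirusTotal by hash (its search accepts one) also answers "has this been seen before" without transmitting the file itself.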

Post 9 of 13

Not the best advice

by jpomerening - 8/22/08 8:19 PM In reply to: False positives are usually fixed by roddy32 Moderator

Not trying to say that VT isn't a legitimate site, but most ISPs scan traffic for virus transfers and may quarantine your modem if you're caught uploading infected files as a safety precaution.

Be careful uploading anything that you think might be infected. Your ISP's abuse department won't care what your reasons for uploading it are, as you're knowingly sharing files that you think/know to be infected with harmful software.

Use this site with caution. Maybe check with your ISP's abuse department first, to be on the safe side.

Post 10 of 13

Not a false positive

by jpomerening - 8/22/08 8:15 PM In reply to: Is generic10.AUUT a known false positive? by raduzhok

I just had the same thing happen on my mother's computer. She's had Zuma on her PC for a little over a year, and we've always done regular virus scans. Never found anything like this.

Out of the blue this morning, some virus infected the system. We weren't sure what caused it, but we couldn't remove it using multiple tools. Backed up all of her files (including installers) and reformatted and installed a fresh copy of WinXP SP2. She went to install Zuma, and AVG caught it, detecting "Generic10.AUUT" as a Trojan horse.

Scanned PC, detected the Zuma installer as infected in the following locations:

C:\Documents and Settings\[name]\Local Settings\Temp\popcfg2\files.cab
C:\Documents and Settings\[name]\Local Settings\Temp\files.cab:\files\Zuma Deluxe\Zuma.exe

Whatever it is, you're not the only one, and it doesn't appear to be just some random false positive with AVG, because the first time any scanner caught this file is also the same time that we actually had a real infection on this PC.

I realize that it's a bit late replying to you, but this just happened to us earlier this morning, and the only two Google results were this thread and a comment Rad made on another blog.

Post 11 of 13

Thank you for additional info

by raduzhok - 8/25/08 9:46 AM In reply to: Not a false positive by jpomerening

Thanks for your additional info. I was never able to find specifically what the trojan did after the system was infected either.
Nobody seemed to have info on that particular named file.

Rad

Post 13 of 13

Do you know this to be a keylogger?

by raduzhok - 7/3/08 11:01 AM In reply to: Keylogger? by SultanEmerr

While my system isn't reacting the way it did before when my scan picked up on a keylogger (this was years ago when I was using Norton) things might have changed and I'll check out that link you posted.

Thanks

Rad
