Project 1999


Closed Thread
 
  #1  
Old 12-12-2014, 11:11 AM
trailmix
Scrawny Gnoll

Join Date: Nov 2014
Posts: 20
trojan virus in dsetup.dll

I reinstalled Project 1999 yesterday and found Avast is now hitting on the version 36 dsetup.dll as a trojan. The size of the file is about 2.5mb dated this year instead of 59k dated 2005. I uploaded the 2.5mb version to virustotal and it came up with half a dozen other antivirus programs that also think it's malware. I would like to respectfully suggest the possibility your website has been compromised by a third party to inject malware into your download, or that your download was compromised before you posted it.
  #2  
Old 12-12-2014, 11:12 AM
falkun
Planar Protector

Join Date: Sep 2010
Location: Ruins of Old Sebilis
Posts: 2,464

http://www.project1999.com/forums/sh...d.php?t=164472

You're late to the party.
  #3  
Old 12-12-2014, 11:20 AM
trailmix
Scrawny Gnoll

Join Date: Nov 2014
Posts: 20
I would agree, but....

When I originally installed Project 1999 the dsetup.dll was 59k, now in the latest distribution it is a different size, much larger. Lucky for me I kept a copy of the original install. The original file doesn't give a trojan hit on virustotal but the larger file does. We are also talking about 8 or so different programs that are saying the bigger file is a trojan, not just McAfee. Virustotal is rarely wrong because of consensus. Virustotal doesn't think the 59k file is a trojan but does think the 2.5mb file is.

The game starts just fine with the smaller .dll, so I copied that to my Everquest directory and am playing it using that one just fine. I still posit that it is possible the current version being distributed has been compromised because of the file size difference and the fact that one hash hits as compromised at virustotal when the other doesn't.

For the record this is a paid version of Avast Internet Security and it was Malwarebytes that hit on the file originally.
Last edited by trailmix; 12-12-2014 at 11:25 AM..
  #4  
Old 12-12-2014, 12:13 PM
haksum
Scrawny Gnoll

Join Date: May 2014
Posts: 26

Quote:
Originally Posted by trailmix
The game starts just fine with the smaller .dll, so I copied that to my Everquest directory and am playing it using that one just fine.
Interesting.
  #5  
Old 12-12-2014, 12:23 PM
Secrets
VIP / Contributor

Join Date: Oct 2009
Posts: 1,354

Quote:
Originally Posted by haksum
Interesting.
It starts just fine because the other DLL that comes with EverQuest Titanium by default simply asks you, "Do you want to upgrade your version of DirectX" and if you already have it installed, it does nothing.
It works like this:

Application loads up, allocates a memory space to the executable. It then imports functions from dynamic link libraries that are assigned to the executable.
When it loads dsetup.dll, in the entry point of said library, it executes more code - some of which writes to eqgame.exe, which in return can load more code when sections of eqgame are accessed. The original library does not do this, it simply exports a function for use that the application can reference.
Once this is done, the application starts, and code is activated as-needed based on what the library has written, for example in the application's main execution thread.

Basically, it's a way of modifying an executable you have no source code for.
If EQEmu had the source code to EverQuest, this DLL would not even be needed.
__________________
Engineer of Things and Stuff, Wearer of Many Hats

“Knowing yourself is the beginning of all wisdom.” — Aristotle
  #6  
Old 12-12-2014, 12:28 PM
myriverse
Planar Protector

Join Date: Jan 2013
Location: Swamp of N.O. Hope
Posts: 2,470

Quote:
Originally Posted by trailmix
When I originally installed Project 1999 the dsetup.dll was 59k
No. It has never been that small. The dsetup.dll that P99 uses is not the same one that is installed. The Devs have altered it to hunt for cheating programs. And it has been 1954kb since I've been here.
__________________
Gnawlunzs Phrogphry
Master Angler, Baker, Cadger, Drunk
"If you can't eat a frog, then eat two."
Last edited by myriverse; 12-12-2014 at 12:31 PM..
  #7  
Old 12-12-2014, 11:15 AM
Poosammich
Aviak

Join Date: Nov 2014
Location: FL
Posts: 88

There are many cases when AV will fire on a file just because it doesn't know about it, or it hasn't been "signed". I'm thinking this is the case here, and because the official signed version is either 1.) very old, or 2.) signed on a different date by SOE. I've had 0 issues on any of the 3 machines I have this installed on in my home, and others here in the community as well.

Also, at least IMO, if you're running Avast because you want decent free AV, I would use Security Essentials from M$. It's the same as, or almost recognizably similar to, their Enterprise product, which is fair in terms of AV, and fair is about as good as it gets anymore.
__________________
Squiggy Mcoldypants -- Ikky Necro -- OG Necro Mith Marr \\ Barallis Shadowcaller \\
Slarti Bartfast -- High Elf Enchanter

Knights Who Say Ni!!!
  #8  
Old 12-12-2014, 11:24 AM
Poosammich
Aviak

Join Date: Nov 2014
Location: FL
Posts: 88

Could be the case, but I mean how many hits are we talking on this site? I'm doubting that, though I'm digging P99, we are generating 10k hits a day. Even that number is very small on the interwebs. With Heartbleed, and so many other vulnerabilities in the wild, why target a site this size?
__________________
Squiggy Mcoldypants -- Ikky Necro -- OG Necro Mith Marr \\ Barallis Shadowcaller \\
Slarti Bartfast -- High Elf Enchanter

Knights Who Say Ni!!!
  #9  
Old 12-12-2014, 11:27 AM
trailmix
Scrawny Gnoll

Join Date: Nov 2014
Posts: 20
??

You are asking a speculative question whereas I am providing the facts I know. Yes, I am aware of false positives and submitted the file for review to Avast as a possible false positive.

edit: the results of the scan by Virustotal, decide for yourself. It does appear Themida has had problems in the past with false positives. That said, hackers also use it to protect malware, so..../shrug


Detections:
AVware               Trojan.Win32.Generic!BT             20141212
Avast                Win32:Malware-gen                   20141212
Baidu-International  Hacktool.Win32.Themida.bgen         20141212
ESET-NOD32           a variant of Win32/Packed.Themida   20141212
K7AntiVirus          Trojan ( 0002749e1 )                20141212
K7GW                 Trojan ( 0002749e1 )                20141212
Sophos               Generic PUA HM                      20141212
Symantec             Trojan.Gen.SMH.2                    20141212
VIPRE                Trojan.Win32.Generic!BT             20141212

No detection (signature date 20141212 unless noted): ALYac, AVG, Ad-Aware, AegisLab, Agnitum, AhnLab-V3, Antiy-AVL, Avira, BitDefender, Bkav, ByteHero, CAT-QuickHeal, CMC, ClamAV, Comodo, Cyren, DrWeb, Emsisoft, F-Prot, F-Secure, Fortinet, GData, Ikarus, Jiangmin (20141211), Kaspersky, Kingsoft, Malwarebytes, McAfee, McAfee-GW-Edition (20141211), MicroWorld-eScan, Microsoft, NANO-Antivirus, Norman, Panda, Qihoo-360, Rising, SUPERAntiSpyware, Tencent, TheHacker (20141208), TotalDefense, TrendMicro, TrendMicro-HouseCall, VBA32, ViRobot, Zillya, Zoner (20141210), nProtect.
Last edited by trailmix; 12-12-2014 at 11:33 AM..
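An added triage helper (Python, written for this page; it is not code from the post or from Project 1999) that parses the vendor/label/date rows quoted above, counts how many engines hit, and separates packer and heuristic labels (Themida, Packed, Generic, PUA, *.Gen) from named-family detections, which is the distinction trailmix's Themida remark turns on. The sample rows are excerpted from the post, TOTAL_ENGINES = 56 is the number of engines in that listing, and the 0.5 thresholds are my own rule of thumb, not a VirusTotal policy.

```python
import re

# Rows excerpted from the VirusTotal listing in post #9: all nine detections
# and three of the 47 clean rows (a clean row is just "Vendor Date").
VT_RESULTS = """\
AVware Trojan.Win32.Generic!BT 20141212
Avast Win32:Malware-gen 20141212
Baidu-International Hacktool.Win32.Themida.bgen 20141212
ESET-NOD32 a variant of Win32/Packed.Themida 20141212
K7AntiVirus Trojan ( 0002749e1 ) 20141212
K7GW Trojan ( 0002749e1 ) 20141212
Sophos Generic PUA HM 20141212
Symantec Trojan.Gen.SMH.2 20141212
VIPRE Trojan.Win32.Generic!BT 20141212
Avira 20141212
Kaspersky 20141212
Microsoft 20141212
"""
TOTAL_ENGINES = 56  # engines in the full listing (9 hits + 47 clean)
LINE_RE = re.compile(r"^(?P<vendor>\S+)\s*(?P<label>.*?)\s*(?P<date>\d{8})$")
# Fragments that mark a packer or heuristic bucket rather than a named family;
# on its own such a hit is weak evidence (Themida is a commercial packer).
WEAK_HINTS = ("themida", "packed", "generic", "malware-gen", "pua", ".gen")


def parse_results(text):
    """Return (vendor, label) pairs; label is '' for a clean row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m.group("vendor"), m.group("label")))
    return rows


def triage(text, total_engines=None):
    """Count hits and tell packer/heuristic labels from named detections."""
    rows = parse_results(text)
    total = total_engines or len(rows)
    hits = [(v, l) for v, l in rows if l]
    weak = [(v, l) for v, l in hits if any(h in l.lower() for h in WEAK_HINTS)]
    ratio = len(hits) / total if total else 0.0
    weak_share = len(weak) / len(hits) if hits else 0.0
    if not hits:
        verdict = "clean"
    elif ratio < 0.5 and weak_share >= 0.5:
        verdict = "low-confidence: minority of engines, mostly packer/heuristic labels"
    else:
        verdict = "high-confidence: majority of engines or named-family detections"
    return {"engines": total, "hits": len(hits), "weak_hits": len(weak),
            "ratio": round(ratio, 2), "verdict": verdict}
```

For the listing in this thread, triage(VT_RESULTS, TOTAL_ENGINES) reports 9 hits out of 56 engines, 7 of them packer or heuristic labels, so the consensus argument is weaker than the raw hit count suggests; comparing the file's hash against a copy obtained directly from the project is the check that settles it.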
  #10  
Old 12-12-2014, 11:35 AM
Glenzig
Planar Protector

Join Date: Mar 2014
Posts: 1,557

P99 confirmed bad for your computer. K.