Zdaemon setup is infested by a virus

 
ZDaemon Forum Index -> ZDaemon Help & Chatter
DoomerMrT
Spamming!


Joined: 09 Mar 2007
Location: http://destiny-server.ath.cx/forums/

PostPosted: Sat Apr 14, 2007 12:02 pm    Post subject: Zdaemon setup is infested by a virus Reply with quote

I've noticed that the Zd setup at this address is infested by a virus, maybe. Here's my pic (sorry, it's Hungarian):

Please check it.
ufon
Spamming!


Joined: 25 Aug 2003
Location: Czech republic

PostPosted: Sat Apr 14, 2007 12:43 pm    Post subject: Reply with quote

http://forums.zdaemon.org/viewtopic.php?t=9807&highlight=virus
cha0tix
Spamming!


Joined: 04 Dec 2006
Location: Chicago, IL Hangout: #DarkAlley @ OFTC

PostPosted: Sat Apr 14, 2007 12:46 pm    Post subject: Reply with quote

Yeah, it does that with NOD32. It's nothing. Just NOD suggesting it could be something...
Konar6
Prepare your eyes!


Joined: 11 Apr 2005
Location: Czech Republic

PostPosted: Sat Apr 14, 2007 4:58 pm    Post subject: Reply with quote

Actually it's the file zslupdt.exe, part of Doom2pro's ZSL program. Some time ago, by uploading this file to an online multi-antivirus scan (such as virustotal.com or virusscan.jotti.org), I noticed that two other antiviruses apart from NOD mark this file as an unknown possible virus.

When this happens, you can be sure that the file contains some curious instructions that the antivirus heuristic check finds as potentially bad (suspicious writings to registry, modifying system properties, suspicious internet connections...)
Doom2pro might point out what's the reason for his file to be marked as a virus and what kind of curious code it contains.
cha0tix
Spamming!


Joined: 04 Dec 2006
Location: Chicago, IL Hangout: #DarkAlley @ OFTC

PostPosted: Sun Apr 15, 2007 12:07 am    Post subject: Reply with quote

Huh, guess it's second round then. Anyone care to explain?
[n00b]Adereth
Spamming!


Joined: 16 Jul 2005
Location: Oh god, what year is this?!

PostPosted: Sun Apr 15, 2007 2:26 am    Post subject: Reply with quote

[n00b]Adereth wrote:
Google observes that false positives for NewHeur_PE are common because it's mostly made up of generic chunks of code and doesn't have a very distinctive style. Many other worms, and indeed perfectly innocent files, have all of the markers used to trigger such alarms.
Doom2pro
Spamming!


Joined: 03 Oct 2002
Location: Glens Falls, NY. USA

PostPosted: Tue Apr 17, 2007 10:49 am    Post subject: Reply with quote

cha0tix wrote:
Huh guess its second round then. Anyone care to explain?


That is the Updater for ZSL, it downloads update information from my server, runs a script and checks your zsl file hashes and downloads any new versions...

I'm not sure why it would be flagged by antivirus, nothing I have ever written has been flagged by my antivirus.

Among the things it does is closing all running processes listed in the script, in this case zsllite.exe...

It deletes the old files, downloads the new ones and then terminates... I guess to an outside program that could be deemed as suspicious.
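The update step Doom2pro describes (fetch a manifest, compare local file hashes, replace what differs) in working form, as an added example that is not ZSL's code. The JSON manifest layout, the file names, the sample bytes and the in-memory stand-in for the download server are all constructed assumptions; the point it adds is that every downloaded payload is hashed before it touches the install directory, and that a file name taken from the network is never allowed to escape that directory.

```python
"""Hash-checked update step modelled on the ZSL updater described above
(added example, not Doom2pro's code). Everything is constructed and local:
no network, no real ZSL files."""
import hashlib
import json
import os
import tempfile

# Constructed manifest, as the server might publish it (assumption: JSON
# mapping of file name -> SHA-256 hex digest of the current release).
MANIFEST_JSON = json.dumps({
    "zsllite.exe": hashlib.sha256(b"new zsllite build").hexdigest(),
    "zsl.ini": hashlib.sha256(b"[zsl]\nversion=2\n").hexdigest(),
})

# Constructed stand-in for the download server: file name -> bytes served.
SERVER_FILES = {
    "zsllite.exe": b"new zsllite build",
    "zsl.ini": b"[zsl]\nversion=1\n",   # stale copy: will not match the manifest
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def safe_name(name):
    """The manifest comes from the network, so never let it choose a path
    outside the install directory."""
    if name in ("", ".", "..") or os.path.basename(name) != name:
        raise ValueError("unsafe manifest entry: %r" % name)
    return name


def plan_updates(install_dir, manifest):
    """Names whose local copy is missing or whose hash differs."""
    stale = []
    for name, expected in manifest.items():
        path = os.path.join(install_dir, safe_name(name))
        if not os.path.isfile(path) or sha256_file(path) != expected:
            stale.append(name)
    return sorted(stale)


def apply_update(install_dir, name, payload, expected):
    """Verify the download against the manifest hash before it touches the
    install: on a mismatch the old file is left alone and False is returned.
    The write goes to a temp file that is then atomically renamed over the
    target. (On Windows that rename fails while the target is running, which
    is why the real updater closes zsllite.exe first.)"""
    if hashlib.sha256(payload).hexdigest() != expected:
        return False
    dest = os.path.join(install_dir, safe_name(name))
    fd, tmp = tempfile.mkstemp(dir=install_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    os.replace(tmp, dest)
    return True


def run_update(install_dir, manifest_json, fetch):
    """fetch(name) -> bytes stands in for the HTTP download."""
    manifest = json.loads(manifest_json)
    return {name: apply_update(install_dir, name, fetch(name), manifest[name])
            for name in plan_updates(install_dir, manifest)}


def demo():
    """Old zsllite.exe present, zsl.ini missing; returns per-file results."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "zsllite.exe"), "wb") as f:
            f.write(b"old zsllite build")
        results = run_update(d, MANIFEST_JSON, SERVER_FILES.__getitem__)
        # the verified file was replaced; the stale download was never written
        expected = json.loads(MANIFEST_JSON)["zsllite.exe"]
        results["zsllite_matches"] = sha256_file(os.path.join(d, "zsllite.exe")) == expected
        results["ini_written"] = os.path.exists(os.path.join(d, "zsl.ini"))
        return results


if __name__ == "__main__":
    print(demo())
```

One caveat worth keeping in mind with this design: a hash list fetched from the same server as the files only protects against corrupted or partial transfers. Whoever controls that server, or the unencrypted connection to it, can serve a matching hash and payload pair, so authenticity would need the manifest to be signed with a key the updater already holds.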
[n00b]Adereth
Spamming!


Joined: 16 Jul 2005
Location: Oh god, what year is this?!

PostPosted: Tue Apr 17, 2007 12:45 pm    Post subject: Reply with quote

Well, yeah, there's that. Most worms operate by sneaking in fake system files, after all. The program is probably looking at the kinds of API calls ZSL Updat0r is using and saying "It's a trap!"
Kilgore
Air Cavalry


Joined: 17 Jun 2003
Location: Up the river

PostPosted: Tue Apr 17, 2007 6:55 pm    Post subject: Reply with quote

You give AV programs far more credit than they deserve; you really think they go to the trouble of examining the API calls it makes? I don't know of any AV program that does that. If you further consider that it's rather easy to hide such calls (if you want to, that is: i.e., a virus writer will go to such trouble; a normal program author won't), then it's not even certain that an AV program should even try checking the API calls. As far as I know, they go by checking signatures (hashes) of known viruses. If a given program is so unlucky as to match one of those signatures, then that's all there is to it.
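The two detection styles argued over in Konar6's and Kilgore's posts, side by side in a toy scanner. This is an added example and not the code of NOD32, NewHeur_PE or any real engine: the "known bad" hash, the list of API names, their weights and the threshold are all made-up assumptions, and the samples are constructed byte strings rather than real executables. It shows why an updater that imports download, terminate-process and delete-file routines scores like a dropper under a string heuristic while a signature lookup stays silent on it, and, as Kilgore notes, how trivially a string match is defeated once the names are hidden.

```python
"""Toy contrast of hash signatures and a string heuristic (added example,
not the code of NOD32 or any real engine). All samples are constructed
byte strings, not real executables or malware."""
import hashlib

# Constructed "known bad" list: SHA-256 of a catalogued sample -> name.
KNOWN_WORM = b"MZ\x90\x00constructed known-worm sample body"
KNOWN_BAD = {hashlib.sha256(KNOWN_WORM).hexdigest(): "Win32/Constructed.Worm"}

# Imported API names an updater or dropper tends to pull in, with
# illustrative weights (assumption: not any vendor's real scoring).
API_WEIGHTS = {
    b"URLDownloadToFileA": 2,
    b"InternetOpenUrlA": 2,
    b"RegSetValueExA": 2,
    b"TerminateProcess": 1,
    b"DeleteFileA": 1,
    b"WriteProcessMemory": 3,
    b"CreateRemoteThread": 3,
}
HEURISTIC_THRESHOLD = 4  # assumption: set so an updater-like sample fires


def signature_scan(data):
    """Exact-match detection: fires only on a byte-identical known sample.
    Returns the family name or None."""
    return KNOWN_BAD.get(hashlib.sha256(data).hexdigest())


def heuristic_scan(data):
    """Score the plain-text API names present in the file. Returns
    (score, sorted list of names found): the cheapest possible version of
    a 'what does this thing import' check."""
    hits = sorted(name.decode() for name in API_WEIGHTS if name in data)
    return sum(API_WEIGHTS[h.encode()] for h in hits), hits


def scan(data):
    """Signature first (no false positives on unknown files), then the
    heuristic. Returns (verdict, detail)."""
    family = signature_scan(data)
    if family:
        return "signature", family
    score, hits = heuristic_scan(data)
    if score >= HEURISTIC_THRESHOLD:
        return "heuristic", "score=%d hits=%s" % (score, ",".join(hits))
    return "clean", None


def xor_bytes(data, key):
    """Trivial obfuscation: one thing 'hiding the calls' means in practice."""
    return bytes(b ^ key for b in data)


# Constructed stand-ins for PE files: a DOS header stub plus the region where
# import names would sit. None of these run.
UPDATER = b"MZ\x90\x00...URLDownloadToFileA\x00TerminateProcess\x00DeleteFileA\x00"
INJECTOR = b"MZ\x90\x00...WriteProcessMemory\x00CreateRemoteThread\x00"
EDITOR = b"MZ\x90\x00...CreateFileA\x00ReadFile\x00MessageBoxA\x00"
# Same imports as INJECTOR, but the name table is XOR-encoded and would be
# resolved at run time: the string heuristic has nothing left to match.
PACKED_INJECTOR = b"MZ\x90\x00" + xor_bytes(INJECTOR[4:], 0x41)

SAMPLES = {
    "known_worm": KNOWN_WORM,
    "updater": UPDATER,
    "injector": INJECTOR,
    "editor": EDITOR,
    "packed_injector": PACKED_INJECTOR,
}


def scan_all(samples=SAMPLES):
    return {name: scan(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print("%-16s %s" % (name, verdict))
```

Running it, the known worm is caught by hash alone, the updater and the injector both trip the heuristic, the editor is clean, and the XOR-packed injector is also reported clean, which is the false-negative side of the same coin as the false positive the thread started with.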
Cybershark
Spamming!


Joined: 05 Jan 2005
Location: off the grid, but still fighting for the users!

PostPosted: Tue Apr 17, 2007 9:43 pm    Post subject: Reply with quote

Yeah, I mean I've sent maps... or rather, tried to send maps using Hotmail before and it refused because it didn't like the look of my WAD file :lol:
All times are GMT + 1 Hour