[Please Try FPS] Partikel Engine


DaveS(Posted 2008) [#1]
Hello,
I am working at the moment on a new Partikel Engine for my new Jump and Run game. So please see what max. FPS you get playing it, and with witch hardware?

Thank you for all tries!

[Edit - link removed]


popcade(Posted 2008) [#2]
with "witch" Hardware?


Well, my PC box is not enchanted yet, but it still runs.

XP SP2, AMD Athlon 2.6GHz, GeForce 8500, always 60FPS


Abrexxes(Posted 2008) [#3]
60 fps (vsync?) also with "big" shots.

Intel X3100 /Dualcore 1.6

cu


Mortiis(Posted 2008) [#4]
60 with 1000 particles. Turn off the vertical sync.


Blitzplotter(Posted 2008) [#5]
Pushing the space bar 9 or 10 times in quick succession results in the frame rate dropping off. Otherwise it is 60 FPS.


simonh(Posted 2008) [#6]
***Warning***

We suspect this file may have contained a trojan program, capturing users' log-in details. If you downloaded and ran this program, please change your password and also delete this program, and consider performing a clean install of your system.


Mortiis(Posted 2008) [#7]
Thanks! *changes the password*


Abrexxes(Posted 2008) [#8]
F***, I found a trojan in my Windows folder in 3 files. I killed them with AntiVir after a restart. (BitDefender found nothing.)

Here are the files:

Virus or unwanted program 'TR/Unpacked.Gen [trojan]'
detected in file 'C:\WINDOWS\Temp\tmp00003504\tmp00003ae5.
Action performed: Delete file

Virus or unwanted program 'TR/Unpacked.Gen [trojan]'
detected in file 'C:\WINDOWS\Temp\tmp00003504\tmp000035e3.
Action performed: Delete file

Virus or unwanted program 'TR/Unpacked.Gen [trojan]'
detected in file 'C:\WINDOWS\Temp\tmp00003504\tmp0000350f.
Action performed: Delete file



bye & thanks for the info simonh


puki(Posted 2008) [#9]
I am still looking for the trojan - however, I have yet to make any keypresses as prompted by the program.

I have run multiple-passes on the file, then on the file unpacked, then on the file having launched. Have now got to wait for full scans to finish before I run it live and also using the keys.


Iamhere(Posted 2008) [#10]
I have downloaded a lot in the last weeks and I can't remember the name of the file. Could anyone write the program name here please?


Perturbatio(Posted 2008) [#11]
the original download was _fps_techdemo.rar


puki(Posted 2008) [#12]
spielerrei.exe

The folder name was fps_techdemo


Interestingly, I think the file name was meant to be spielerei, which translates to gimmick in English.
1. an ingenious or novel device, scheme, or stratagem, esp. one designed to attract attention or increase appeal.
2. a concealed, usually devious aspect or feature of something, as a plan or deal: An offer that good must have a gimmick in it somewhere.
3. a hidden mechanical device by which a magician works a trick or a gambler controls a game of chance.
4. Electronics Informal. a capacitor formed by intertwining two insulated wires.
–verb (used with object)
5. to equip or embellish with unnecessary features, esp. in order to increase salability, acceptance, etc. (often fol. by up): to gimmick up a sports car with chrome and racing stripes.
–verb (used without object)
6. to resort to gimmickry, esp. habitually.



Perturbatio(Posted 2008) [#13]
Incidentally, the virus was called SHeur2.GAN

*EDIT*

this may help those who think they've been infected:

http://uk.answers.yahoo.com/question/index?qid=20081119031947AAPI0gs


Yahfree(Posted 2008) [#14]
McAfee hasn't detected any threats :\

I also searched for these:
"Virus or unwanted program 'TR/Unpacked.Gen [trojan]'
detected in file 'C:\WINDOWS\Temp\tmp00003504\tmp00003ae5.
Action performed: Delete file

Virus or unwanted program 'TR/Unpacked.Gen [trojan]'
detected in file 'C:\WINDOWS\Temp\tmp00003504\tmp000035e3.
Action performed: Delete file

Virus or unwanted program 'TR/Unpacked.Gen [trojan]'
detected in file 'C:\WINDOWS\Temp\tmp00003504\tmp0000350f.
Action performed: Delete file"

and nothing was found.


degac(Posted 2008) [#15]
Well, I don't remember if I downloaded and ran the program, but in any case I scanned my system with AVG, AntiVir & Spybot: nothing found.


puki(Posted 2008) [#16]
I still haven't found anything, even when pressing the buttons for the application.

However, I have yet to allow it to connect to the internet.

"puki" ponders if "Abrexxes" already had the trojan prior to running this?

I have run the file through Kaspersky AV, Nod32 AV, Spybot, AdAware, A-Squared and Malwarebytes - nothing detected.

"puki" ponders that if the exe is the root of this problem, then the payload has to be incoming from outside the PC. It's the only thing I have yet to do.


popcade(Posted 2008) [#17]
Well, it doesn't have to be a virus; just a malicious code snippet can steal info (like cookie harvesting, a key logger, etc.).

The EXE was packed and tried to fool the user, which is suspicious and needs to be investigated further.


puki(Posted 2008) [#18]
I think it is fair to say it is dangerous and could potentially be stealing more than just Blitzbasic.com login info.


Yahfree(Posted 2008) [#19]
> Well, I don't remember if I downloaded and ran the program, but in any case I scanned my system with AVG, AntiVir & Spybot: nothing found.

Same here... I can't recall if I did or not... And that's what worries me. I changed my password just in case though.


puki(Posted 2008) [#20]
THIS THING APPEARS HIGHLY DANGEROUS

After spielerrie.exe was allowed an internet connection it created Compiler.exe (548 KB) in the Windows System32 folder, along with attack_normal.exe (871 KB). Attack_normal.exe appears to be a Bmax.exe.

Compiler.exe also appears in Local Settings\Temp as tmp112.exe.
Spielerrei.exe, attack_normal and compiler.exe go into the Windows Prefetch.


Now we are into Local Settings\Temp - I see it probably trying to steal Windows Messenger log-ins - or maybe attempting to use Messenger.

Next it is in my ISP dialler.

Next it attempts the Blitzbasic login.


All of that happened at the same time when I granted it internet access. There are .tmp files left behind

4 minutes later I see the Firefox signons being accessed, but I'm not sure if that was just me using Firefox. Basically, FF signons is a list of all your websites and passwords. So it would be advisable to start changing passwords on everything in there. However, I am not totally sure if this thing did access it.

On another PC, where it was refused internet access, it did not create any files in System32 and I do not see any temporary files being created in Local Settings\Temp.


dawlane(Posted 2008) [#21]
Makes me think about this
http://www.blitzbasic.com/Community/posts.php?topic=82007


SpaceAce(Posted 2008) [#22]
Puki, are you using Filemon to monitor the file accesses, or do you have something more sophisticated? I'm always looking for better system tools under Windows.

SpaceAce


puki(Posted 2008) [#23]
It would be interesting to see if anyone has any of the tmp files in their Local Settings \ Temp folder.

They will be sequential, probably with an exe called tmpXXX.exe - the XXX being a numerical value - the file size will be 584 KB - the tmp files will probably be 1 KB.

On my system, it accessed them in this order - these are edited copies of the contents of the tmp/txt files:

==================================================
Software : Windows Live Messenger
Protocol : MSN Messenger
User : your e-mail address
Password : your Messenger password
==================================================


==================================================
Entry Name : Your ISP dialler
Phone / Host :
User Name :
Password :
Domain :
Owner : System
User Profile : Whatever
==================================================

==================================================
Entry Name : the name of the dialler
Phone / Host : MSDUN
User Name :
Password : password
Domain :
Owner : System
User Profile : Whatever
==================================================


==================================================
Entry Name : http://www.blitzbasic.com/account/login.php
Type : AutoComplete
Stored In : Registry
User Name : puki
Password :
==================================================



The tmp file for the Blitz one did not have my password filled in - it was null - so either it failed to get the password or it did this separately.


puki(Posted 2008) [#24]
It may try to grab more than this - this is just all I found. Possibly, it did not clean up properly after itself.

It could be set to sweep for other log-ins such as Blitzbasic.de, gmail, hotmail, whatever. I don't use gmail, hotmail or have a Blitzbasic.de account (as far as I remember), so it may just skip these and not create blank files.

Which is why I am hoping other people who ran it can check their Temp folder for any traces of what it tried to harvest.


degac(Posted 2008) [#25]

> After spielerrie.exe was allowed an internet connection it created Compiler.exe (548 KB) in the Windows System32 folder, along with attack_normal.exe (871 KB). Attack_normal.exe appears to be a Bmax.exe.
>
> Compiler.exe also appears in Local Settings\Temp as tmp112.exe.
> Spielerrei.exe, attack_normal and compiler.exe go into the Windows Prefetch.




Unfortunately I have found both Compiler.exe and attack_normal.exe on my computer. I didn't find anything in Settings\Temp (maybe CCleaner destroyed the files...)
I deleted both files and changed ALL the passwords...
I'm still worried about AVG / AntiVir and Spybot... they didn't raise any warning on my system... no good!

Thanks to Puki for the deep analysis and checking.


Yahfree(Posted 2008) [#26]
I found both of those files in my Windows folder as well.

How do I delete files in the Prefetch? And how do I check for rogue connections from Germany? :[


jsp(Posted 2008) [#27]
@SpaceAce

> Puki, are you using Filemon to monitor the file accesses, or do you have something more sophisticated? I'm always looking for better system tools under Windows.



Upgrade to Process Monitor. Filemon is a bit outdated.


KillerX(Posted 2008) [#28]
When you run tmp112.exe, it creates a file called pwfile.log in your temp folder. That only lasts for a few seconds and then gets deleted. It contains all your passwords.


puki(Posted 2008) [#29]
"killerX" - did you take a look inside pwfile.log? Any idea of the amount of passwords it contained and the scope of various log-ins that it captured (ie. website/forums, etc)?


KillerX(Posted 2008) [#30]


********************************************

*************Firefox Passwords************

********************************************
Removed by KillerX

********************************************

****************CD-Key Pack*****************

********************************************

Microsoft Windows Product ID CD Key: (Removed by KillerX)
Microsoft Windows XP CD Key: Removed by KillerX
Microsoft Office Standard Edition 2003 CD Key: Removed by KillerX


********************************************

**********Messanger Passwort Pack***********

********************************************



********************************************

*************Mail Passwort Pack*************

********************************************

==================================================
Name : Removed by KillerX
Application : Outlook Express
Email : Removed by KillerX
Server : Removed by KillerX
Type : POP3
User : Removed by KillerX
Password : Removed by KillerX
Profile :
==================================================

==================================================
Name : Removed by KillerX
Application : Outlook Express
Email : Removed by KillerX
Server : Removed by KillerX
Type : SMTP
User : Removed by KillerX
Password : Removed by KillerX
Profile :
==================================================

==================================================
Name : Removed by KillerX
Application : MS Outlook
Email : Removed by KillerX
Server : Removed by KillerX
Type : POP3
User : Removed by KillerX
Password :
Profile :
==================================================

==================================================
Name : Removed by KillerX
Application : MS Outlook
Email : Removed by KillerX
Server : Removed by KillerX
Type : SMTP
User : Removed by KillerX
Password :
Profile :
==================================================

==================================================
Name : Removed by KillerX
Application : MS Outlook
Email : Removed by KillerX
Server : Removed by KillerX
Type : POP3
User : Removed by KillerX
Password :
Profile :
==================================================

==================================================
Name : Removed by KillerX
Application : MS Outlook
Email : Removed by KillerX
Server : Removed by KillerX
Type : SMTP
User : Removed by KillerX
Password :
Profile :
==================================================

==================================================
Name : Removed by KillerX
Application : MS Outlook
Email : Removed by KillerX
Server : Removed by KillerX
Type : POP3
User : Removed by KillerX
Password :
Profile :
==================================================

==================================================
Name : Removed by KillerX
Application : MS Outlook
Email : Removed by KillerX
Server : Removed by KillerX
Type : SMTP
User : Removed by KillerX
Password :
Profile :
==================================================



********************************************

*************ProtectetStore Pack***********

********************************************

==================================================
Entry Name : Removed by KillerX
Type : Password-Protected Web Site
Stored In : Credentials File
User Name : Removed by KillerX
Password : Removed by KillerX
==================================================

==================================================
Entry Name : Removed by KillerX
Type : Password-Protected Web Site
Stored In : Credentials File
User Name : Removed by KillerX
Password : Removed by KillerX
==================================================



********************************************

***********Network Passwort Pack************

********************************************

==================================================
Entry Name : Removed by KillerX
Phone / Host : Removed by KillerX
User Name : Removed by KillerX
Password : Removed by KillerX
Domain :
Owner : System
User Profile : Removed by KillerX
==================================================



********************************************

************Remote Desktop Pack*************

********************************************

==================================================
Item Name : Removed by KillerX
Type : Generic
User : Removed by KillerX
Password : Removed by KillerX
Last Written : 26/12/2008 11:26:53 PM
Alias :
Comment :
Persist : Enterprise
==================================================

==================================================
Item Name : Removed by KillerX
Type : Generic
User : Removed by KillerX
Password : Removed by KillerX
Last Written : 15/12/2008 1:07:12 PM
Alias :
Comment :
Persist : Enterprise
==================================================

==================================================
Item Name : Passport.Net\*
Type : .NET Passport
User : Removed by KillerX
Password :
Last Written : 25/09/2008 9:58:36 PM
Alias :
Comment :
Persist : Enterprise
==================================================

==================================================
Item Name : Removed by KillerX
Type : .NET Passport
User : Removed by KillerX
Password :
Last Written : 25/09/2008 9:58:36 PM
Alias :
Comment :
Persist : Enterprise
==================================================

==================================================
Item Name : Removed by KillerX
Type : .NET Passport
User : Removed by KillerX
Password :
Last Written : 22/09/2008 2:54:46 PM
Alias :
Comment :
Persist : Enterprise
==================================================

==================================================
Item Name :
Type : Autologon Password
User :
Password : Removed by KillerX
Last Written : N / A
Alias :
Comment :
Persist :
==================================================



I removed the personal information and replaced it with "Removed by KillerX", but where it's blank, it was blank in the file as well.
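
The tmp/txt files puki listed in #23 and the pwfile.log KillerX pasted in #30 share one layout: section banners made of asterisks, and records of "Key : Value" lines between lines of '=' characters. For anyone who finds such a file on a machine, the useful question is which entries actually carried a password (those accounts need rotating first) and which were empty, like puki's Blitz entry. The script below is an added example, not code from anyone in this thread and not part of the trojan: it parses that layout and lists the entries to rotate. SAMPLE_LOG is a constructed stand-in with placeholder values; the section and field names are the ones visible in the pastes above.

```python
"""Triage a harvested-credential log in the layout pasted above.

Added example.  SAMPLE_LOG is constructed with placeholder values and is
not the real pwfile.log; only the layout matches the pastes in this thread.
"""
import re

SAMPLE_LOG = r"""
********************************************

*************Firefox Passwords************

********************************************
Removed by KillerX

********************************************

*************Mail Passwort Pack*************

********************************************

==================================================
Name : example-mailbox
Application : Outlook Express
Email : user@example.invalid
Server : mail.example.invalid
Type : POP3
User : user@example.invalid
Password : PLACEHOLDER-PW
Profile :
==================================================

==================================================
Name : example-mailbox
Application : MS Outlook
Email : user@example.invalid
Server : mail.example.invalid
Type : SMTP
User : user@example.invalid
Password :
Profile :
==================================================

********************************************

************Remote Desktop Pack*************

********************************************

==================================================
Item Name : Passport.Net\*
Type : .NET Passport
User : user@example.invalid
Password :
Last Written : 25/09/2008 9:58:36 PM
Alias :
Comment :
Persist : Enterprise
==================================================
"""

BANNER = re.compile(r"^\*{8,}$")                             # asterisk-only line
TITLE = re.compile(r"^\*+([^*].*?[^*])\*+$")                  # *****Section title*****
RECORD_EDGE = re.compile(r"^={10,}$")                         # '=' line opens or closes a record
FIELD = re.compile(r"^([A-Za-z][A-Za-z /]*?)\s*:\s?(.*)$")    # "Key : Value" (value may be empty)


def parse_dump(text):
    """Return a list of (section_title, {field: value}) records, in file order."""
    records = []
    section = None
    current = None  # field dict while inside an '=' delimited record, else None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or BANNER.match(line):
            continue
        if current is None:
            m = TITLE.match(line)
            if m:
                section = m.group(1).strip()
                continue
        if RECORD_EDGE.match(line):
            if current is None:
                current = {}
            else:
                records.append((section, current))
                current = None
            continue
        if current is not None:
            m = FIELD.match(line)
            if m:
                current[m.group(1).strip()] = m.group(2).strip()
    return records


def accounts_to_rotate(records):
    """Records where a password was actually captured, as (section, where, who)."""
    hits = []
    for section, rec in records:
        if rec.get("Password", ""):
            where = rec.get("Application") or rec.get("Entry Name") or rec.get("Item Name") or section
            who = rec.get("User") or rec.get("User Name") or rec.get("Email") or "?"
            hits.append((section, where, who))
    return hits


def summarize(records):
    """Per section: (records with a captured password, records with an empty one)."""
    counts = {}
    for section, rec in records:
        got, empty = counts.get(section, (0, 0))
        if rec.get("Password", ""):
            got += 1
        else:
            empty += 1
        counts[section] = (got, empty)
    return counts


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_LOG)
    for sec, where, who in accounts_to_rotate(recs):
        print(f"rotate: [{sec}] {where} -> {who}")
    print(summarize(recs))
```

Run it against a saved copy of the file instead of SAMPLE_LOG to get the rotation list; the empty-password count per section still tells you which stores the tool reached even where it got nothing.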


puki(Posted 2008) [#31]
I was suspicious of this as I could see the access to the FF signons file about 4 minutes later.


*(Posted 2008) [#32]
Can someone tell me WHY this is a sticky?


puki(Posted 2008) [#33]
Because the author of the program submitted a file that steals log-ins and passwords from the user's system.

It steals banking log-ins and everything else it can get.

BRL are taking this seriously - it is one of two 'sticky' threads regarding the same matter.


Blitzplotter(Posted 2008) [#34]
found tmp112 in my local settings/temp folder. Deleted that F**ker.

And get this: I had a text file that had been generated as described, thankfully just with our internet logon details. Changing that now.

So, now that I've spent an hour finding out that this T**T has harvested passwords - how do I make a formal complaint, and to whom? Thanks in advance. Strangely, my blitzbasic was not listed in the text file.

Cheers Puki for the good gen. Last time I try something out, jeez.


puki(Posted 2008) [#35]
The pwfile will probably not remain - that is the one that is probably sent to the culprit or possibly deleted if it cannot send.

I assume the exe should clean up after itself - I never actually spotted the pwfile on my system.


KillerX(Posted 2008) [#36]
pwfile gets deleted almost immediately.


Blitzplotter(Posted 2008) [#37]
Well, I've deleted the tmp112 & renamed the file that successfully harvested a couple of redundant-ish passwords - it was on a creaky old laptop, hardly used - thankfully.

compiler.exe was also in the win32 folder - deleted that
atacknormal.exe also was in the win32 folder (872KB) - deleted that

Anything else I should do ?


puki(Posted 2008) [#38]
Not as far as I know.

It seems to be a one-time only threat (each time it is run).

I don't think it remains a constant threat after it has run.


Blitzplotter(Posted 2008) [#39]
haven't found spielerrie.exe yet though... this must be on my laptop somewhere - is there a default path for it ?


puki(Posted 2008) [#40]
spielerrie.exe is the original file (that is inside the archive) - it is the first exe that you would have to launch - you possibly already deleted it. It would automatically unpack into a folder called 'fps_techdemo'.


Yahfree(Posted 2008) [#41]
Puki, what programs did you use to analyze the virus?

I believe it was a one-time attack as well. But I'm not sure what damage has been done. I've changed all of my passwords... And nothing was out of place thus far. Unfortunately my firewall was set to allow all outbound connections (my pc -> internet); I thought it was otherwise.

The payload must be coming from the program. Maybe after an attempt to connect to the internet the result is tested in a classic "IF" statement? And if it's true then unpack the payload? Because as I said my firewall will ask permission for inbound connections, and doing a port test all my ports are in "stealth mode".

So... as far as what the virus does, you found:

1. The user starts this seemingly harmless particle demo
2. The program checks for an internet connection, then if true unpacks a couple of dangerous files (compiler.exe and attack_normal.exe in system32)
3. Compiler.exe and attack_normal.exe work together to harvest passwords, drop them in a log file, ship them off to germany, then delete the log file?

Is it not possible to see where the pwfile.log is being sent to?


KillerX(Posted 2008) [#42]
> Is it not possible to see where the pwfile.log is being sent to?
make your firewall keep a log and you'll get the IP.


Yahfree(Posted 2008) [#43]
How would the file get Blitz login passwords if it's not a keylogger? Would it search internet password-storing files? (for those people who click "Remember Password"?)

Yoko, I believe you were the only one that had his account stolen; did you store your password in the browser thingy?

I'm considering running this file on an old crappy system with Xubuntu on it. But I'm not sure what to do about a firewall on a barebones Linux OS.


puki(Posted 2008) [#44]
I used nothing to analyse it - mainly because nothing I had could identify it.

I basically manually watched it - on the basis that it was a suspected trojan.

I made sure to watch where it was connecting to.


I am going to hand the file over to various security sites for further analysis.

This is simply not just a program that grabs your Blitzbasic log-in - it has to be classed as highly dangerous.

Many other sites, such as Steam, etc will be interested in it - considering one Blitzer has already reported someone from Germany trying to hack their Steam account.

I foresee a prison sentence for the culprit.


KillerX(Posted 2008) [#45]
Yoko, what browser did you use?


KillerX(Posted 2008) [#46]
Just checked with a fake password. It seems browser specific to Firefox. Maybe others as well, but not IE7.


Yahfree(Posted 2008) [#47]
I meant what did you use to check what it was connecting to, and where the new files were being created. Surely you didn't just use an Explorer window. Something like that would come in handy the next time I get hit by a virus :[.

Do you still believe the payload was delivered from an outside source?


puki(Posted 2008) [#48]
You can do it via just checking folders in date order to see what new files appear.

Bear in mind that Windows has a powerful built-in search feature that can list files by when they were created or modified etc.

Simple as that.
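
The "check folders in date order" method puki describes can be scripted so that it is repeatable on each machine that ran the file. The following is an added example (not puki's procedure or any program from this thread): it lists the files in a folder touched within the last N minutes, newest first, and marks the ones whose names match what was reported earlier (Compiler.exe and attack_normal.exe in System32, tmpNNN.exe in Local Settings\Temp, the short-lived pwfile.log). The name patterns are assumptions built only from those reports, not a vendor signature, and build_demo_folder() writes constructed sample files so the script runs anywhere.

```python
"""List recently created or changed files in a folder and flag names reported
in this thread.  Added example; SUSPECT_NAMES are assumptions taken from the
file names posted above, and build_demo_folder() creates constructed files.
"""
import os
import re
import tempfile
import time

# Constructed from the names reported in this thread, not a vendor signature.
SUSPECT_NAMES = [
    re.compile(r"^compiler\.exe$", re.I),
    re.compile(r"^attack_normal\.exe$", re.I),
    re.compile(r"^tmp\d+\.exe$", re.I),
    re.compile(r"^pwfile\.log$", re.I),
]


def recent_files(folder, since_epoch):
    """Regular files in folder touched at or after since_epoch.

    Uses the later of mtime and ctime so a file counts whether it was written
    or only its metadata changed.  Returns (timestamp, path, size), newest first.
    """
    found = []
    with os.scandir(folder) as it:
        for entry in it:
            if not entry.is_file(follow_symlinks=False):
                continue
            st = entry.stat(follow_symlinks=False)
            ts = max(st.st_mtime, st.st_ctime)
            if ts >= since_epoch:
                found.append((ts, entry.path, st.st_size))
    found.sort(reverse=True)
    return found


def flag_suspects(paths):
    """Subset of paths whose base name matches one of the reported names."""
    return [p for p in paths
            if any(rx.match(os.path.basename(p)) for rx in SUSPECT_NAMES)]


def timeline_report(folder, minutes_back):
    """(recent files newest first, flagged paths) for the last minutes_back minutes."""
    recent = recent_files(folder, time.time() - minutes_back * 60)
    return recent, flag_suspects([path for _, path, _ in recent])


def flagged_basenames(folder, minutes_back):
    """Sorted base names of the flagged files, convenient for scripting."""
    _, flagged = timeline_report(folder, minutes_back)
    return sorted(os.path.basename(p) for p in flagged)


def build_demo_folder():
    """Create a throwaway folder with constructed files standing in for the drops."""
    folder = tempfile.mkdtemp(prefix="timeline_demo_")
    for name, size in (("compiler.exe", 548 * 1024), ("tmp112.exe", 584 * 1024),
                       ("notes.txt", 12), ("report.tmp", 1024)):
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(b"\0" * size)
    return folder


if __name__ == "__main__":
    demo = build_demo_folder()
    recent, flagged = timeline_report(demo, 5)
    for ts, path, size in recent:
        mark = "  <-- name reported in this thread" if path in flagged else ""
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(ts)),
              f"{size:>8} {os.path.basename(path)}{mark}")
```

Point timeline_report at the folders named in the thread (the System32 folder, Local Settings\Temp, Prefetch) with a window covering when the demo was run; a name match is only a hint, so look at every recent file in the list, not just the flagged ones.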


KillerX(Posted 2008) [#49]
It accesses password manager. I emptied it, and some passwords disappeared from pwfile.log. It also accesses Outlook Express and takes passwords from there.


puki(Posted 2008) [#50]
The trojan may be based on this:

Trojan steals passwords FireFox users
http://www.guru3d.com/news/trojan-steals-passwords-firefox-users/


Naughty Alien(Posted 2008) [#51]
..I was not affected by this issue since I haven't downloaded this crap, but it is now really putting my trust under question regarding what people post here.. I mean, how did this guy initially get log-in details from RedShark and use them to post this trojan crap anyway?? From now on, just screenshots..


degac(Posted 2008) [#52]

> From now on, just screenshots..


I agree (unfortunately).

New to-do for 2009: trust none (yea! be positive!!!)


puki(Posted 2008) [#53]
@ "Abrexxes"

> I found a trojan in my Windows folder in 3 files. I killed them with AntiVir after a restart. (BitDefender found nothing.)


"Abrexxes" - just to clarify - are you saying that Avira AntiVir detected it? If so, was it the free version? Also, I assume you only found it after you had run the file?


In the meantime, I am going to start submitting the file to various people to look at.


degac(Posted 2008) [#54]
Can I suggest to BRL (simonh?) to make little changes in the forum to avoid similar situations in the future?
I mean
1. add 'date of registration' near the user name
2. add 'number of posts'
3. limit the possibility to post '.zip / .rar / .exe or whatever' only to users who have bought a BRL product (I don't know if - at the moment - anyone can register on this forum and post freely)

Points 1 & 2 can be considered a simple indicator of the frequency of the user on the forum (10 days from registration and 1000 posts --> possible spam?)

I don't think this is 'heavy work' on the forum/php script

(this - of course - doesn't exclude my stupidity in executing the first program a user posts... my error!)


GaryV(Posted 2008) [#55]
#2 already exists


KillerX(Posted 2008) [#56]
> limit the possibility to post '.zip / .rar / .exe or whatever' only to users who have bought a BRL product (I don't know if - at the moment - anyone can register on this forum and post freely)


First, people need to own a BRL product to register to the forum. Second, if people can post, they can post a link to the other site to download from.
I'm guessing date of registration could only be done for anybody new because of privacy laws, although it could be different in NZ I guess.


*(Posted 2008) [#57]
degac: TBH everything you suggested is in place; for me it would be down to me to check everything I download before using it. I think this is a lesson for everyone not to get complacent: just because something is posted here doesn't mean that it's 100% trustworthy.

I scan everything that I download from anywhere including here, I never let anything connect to anything unless I know what it is. Paranoid probably but at least my computer is safe :)


degac(Posted 2008) [#58]
@GaryV
I know I can click on the user to see the number of his/her posts, but I mean something like this image

@killerx

I didn't know/remember people need to own a BRL product to access the forum. Good thing (but at this point I would really like to know/hear RedShark's position about this mess....)

What I suggest is that there is a difference between my post (the image/file is on my OWN site) and a generic FileFront/Rapidservice or whatever else... [with WHOIS you can access my personal info... with FileFront/RapidService I don't know how/if it works.]

@EdzUp

> I scan everything that I download from anywhere including here

Same for me, but... I got the surprise.

As I declared in my post before, I made a mistake downloading and running that program.

Of course I haven't found any serious consequences until now - thank God - (I can't access my GMAIL account, but everything else is safe; I spent some hours changing passwords...).
I don't want to become 'PARANOID' or look for the enemy in every post, I just suggested some precautions.


TaskMaster(Posted 2008) [#59]
My guess is that RedShark does not know yet, or since his account has been stolen, he cannot get connected to post. More than likely he is an inactive member whose account has been stolen.


Otus(Posted 2008) [#60]
> My guess is that RedShark does not know yet, or since his account has been stolen, he cannot get connected to post. More than likely he is an inactive member whose account has been stolen.


http://www.blitzmax.com/Community/posts.php?topic=82337#928060


*(Posted 2008) [#61]
I think this shows how easy it is to 'harvest' stuff from the Internet. As long as lessons are learned here then that's a good thing.

I too would like to see when someone has joined BUT I don't see what bearing this would have if the account is stolen. I could have joined in 1999 BUT if someone hijacks my account then they are posting from an account that was created in 1999.


Taron(Posted 2008) [#62]
So funny, somehow. I had a strange feeling about this one and decided to skip it, haha. It's A MIRACLE... lol

I hate, naturally, that stuff like that can happen, because in every other way I consider this site nearly a refuge for peaceful exchange! If we get paranoid and don't share our exes, the bastards win, you know. Meaning that we can't enjoy what we're having together and life gets uglier again. Instead, let's find some other way to control this!

First of all there should be a warning habit: if anyone runs into trouble, describe what exactly happened to you and post your worries, but don't start a witch hunt. This stuff easily gets out of control. I've had someone tell me my exe was a virus, which was naturally total nonsense and really put a dent in my release then. It took more than a week to calm everyone down again at least a little bit, but the damage was done.

Again, I recommend not simply prohibiting everything because one excremental piece came down the river! Guess that means: Sh*t happens!
(yes, yes, it didn't happen to me this time, but I've had my share of experiences, trust me!)


dawlane(Posted 2008) [#63]
And the new motto of the Blitz community shall be (if there ever was one):
"The Price of Freedom is Eternal Vigilance".

Yes, sh*t happens, and this must be the first time ever that I was caught out. The alarm bells started to ring when it tried to get internet access. I hope puki is right that this piece of crap only did the dirty when net access was granted.


MadJack(Posted 2008) [#64]
Puki

Did you get an IP for where the pw file was being sent?


degac(Posted 2008) [#65]
Ok, I agree user info could not be an index of security... there will always be a HOLE in the system.
Maybe my paranoid status was too high...

But what about this program Sandboxie?
Anyone has info?
Anyone believe it could work?
I will install the free version as soon as possible and check how it works (with MY programs :D)

@Puki: what do you think of these types of program? Are you quite sure?
I read - years ago - that Symantec or Norton would change their antivirus to run the target program in a sandbox and THEN check if its behaviour is abnormal...


puki(Posted 2008) [#66]
Basically, I am linking the person(s) who posted the trojan file to these other incidents:

***Warning*** - Trojan File
http://www.blitzbasic.com/Community/posts.php?topic=82341
[Please Try FPS] Partikel Engine - trojan posted here and Blitzbasic.de
http://www.blitzbasic.com/Community/posts.php?topic=82136

My Blitz account was stolen....
http://www.blitzbasic.com/Community/posts.php?topic=82337

Steam account hack attempt - we know the IPs they used - they were all the same route
http://www.blitzbasic.com/Community/posts.php?topic=82274

Spam Email from 'Mark Sibly' - We know a fake website was set up and the suspect was emailing
http://www.blitzbasic.com/Community/posts.php?topic=82007

Can anyone think of anything else that is not covered here? This is especially aimed at Blitzers in different countries that have their own forums. We are aware of the trojan being posted on Blitzbasic.de; however, any further information from German Blitzers is welcomed.

Bear in mind that it may not all be the same person(s). However, every single case has been via Germany so we have to class them as related.

I would advise anyone who received e-mails, IP addresses, or has any information on the suspect(s), to keep the information safe.

ALSO BE AWARE THAT THIS PERSON(S) CAN POSE (PRETEND) TO BE PEOPLE YOU KNOW. They have stolen email logins, ISP logins, Messenger logins, social networking logins and a lot more.


Ross C(Posted 2008) [#67]
How about some volunteers? That will download files and scan them for viruses, and upload them to a free file site. I don't mind doing it. It may take longer for the files to appear on the forum, but at least you know they are safe to run.


puki(Posted 2008) [#68]
The problem is that this file was only detectable by two applications - one of which is not even a common antivirus/malware product.

This threat is still yet to be detected by the major players.

The infection may have already been posted on the site as a previous download.

More people may have been affected by this than is known - some people did not download this file; however, they may have downloaded something else posted recently. The detection rate of this trojan is virtually microscopic in the grand scheme of things.

Possibly it is a custom-made trojan.


KillerX(Posted 2008) [#69]
> How about some volunteers? That will download files and scan them for viruses, and upload them to a free file site. I don't mind doing it. It may take longer for the files to appear on the forum, but at least you know they are safe to run.
That would only work if the volunteers went through the source, otherwise, as puki said, the trojans could go undetected.


*(Posted 2008) [#70]
It also doesn't stop a program 'downloading' the trojan to your computer.


spacerat(Posted 2008) [#71]
Hey look at this, http://www.blitzbasic.com/Community/posts.php?topic=82337#928060
RedShark, OP of this topic, posted three days ago that his account was stolen. Interesting, I'm not sure how significant that is though.

Edit: Damn, didn't see that someone else already pointed this out.


puki(Posted 2008) [#72]
Just a heads-up - Ad-Aware is now detecting the trojan in the 'spyware' category - 'Win.32.TrojanPWS.Mapper'. It has been given a Threat Analysis Index rating of 10 - i.e. maximum.

Most people have Ad-Aware (as it is free). So make sure you run an update and then scan your system.

It also cleans System Volume Information infected by the trojan on other hard-drives/partitions.


John Cage(Posted 2009) [#73]
I recommend using Virtual PC. For example, start the virtual XP and test the executables that are kind of suspicious.


puki(Posted 2009) [#74]
Wait a minute!

I just realised that the first system I just ran it on has a registered version of Ad-Aware Plus.

I am currently running a scan on another system with Ad-Aware Free to see if it picks up the trojan.

The Plus version has anti-virus protection and extended threat detection. So the detection might be part of the built in AV, rather than the malware scan.

I'll post back later if the Free version picks up the trojan.


puki(Posted 2009) [#75]
Well, I have been sitting here running the scan for 5 hours and the freeware version of Ad-Aware found nothing.

It could be that on this system, the trojan cleaned up after itself as this is the one that I gave it internet access; or, it could be that the freeware version of Ad-Aware does not yet detect the trojan.

I've given up hours of sleep over several days with this trojan.

Manoeuvring into prosecuting the trojan poster is proving difficult, due to the multi-national scope of this. However, it seems the easy way forward is via the FBI, which is via The Internet Crime Complaint Center (IC3): http://www.ic3.gov/default.aspx

I like their website and the whole complaint process seems easy and well explained.

Technically, they seem to want the complainant (or the suspect(s)) to be a US citizen. However, they do not make this initially obvious - I found it in the FAQs:
If one of the two parties involved is located within the United States, please feel free to file a complaint.


However, we can probably get around this - more than likely there will be at least one US Blitzer who has been affected. Plus, bearing in mind the scope of this, I think they will be interested in pursuing the case or at least advising us of who to contact.

The point is, all the evidence is in the trojan. It is not a case of proving what the suspect(s) stole - we already know exactly what they attempted to steal from every single person that ran the file. This particular trojan doesn't just open up a back door whereby a hacker MAY come and visit and steal something - or it MAY upload something at a later date; it grabs everything it can straight away and sends it on its way.


No contact will be made yet - this is all just in the planning stage. I will not soldier on until various parties have been consulted. Bearing in mind that some people may just want me to forget about this whole thing and just let it go.


What do we have to lose in turning in the suspect(s)? We cannot just lie down and let someone get away with this. It is not like we are telling tales or grassing on people - we are reporting serious crime(s) that have been carried out over many weeks. Soldiering on and reporting this is the right thing to do.

I took the risk of running the trojan live to find out what it did for the benefit of the 40+ people who had already downloaded and run it and didn't know what kind of damage it had done.

Looking at the FBI and US Department of Justice press releases, they are successfully prosecuting people that spread trojans for criminal use. Under US law they have been putting them in prison.

If someone can get people prosecuted for cyber-bullying in a chat-room, then we can win this case.


Xzider(Posted 2009) [#76]
@puki/all - I suggest getting avast! at http://www.avast.com/, it's really nice. Get the avast pro trial, schedule a scan on boot and let it run.


puki(Posted 2009) [#77]
People should be aware that, if you are going to download another antivirus package to scan for the trojan then you are HIGHLY advised to uninstall your current AV package first.

Sometimes this may not be as simple as just uninstalling it, due to the way that some AV products integrate into your system and file structure.

You can usually install most anti-malware packages (Ad-Aware, Spybot, Malwarebytes, a-squared, etc) both in conjunction with each other and also with antivirus products. So you can add those to your computer without uninstalling your current AV or other anti-malware products.


Xzider(Posted 2009) [#78]
Malwarebytes is another good one. Any idea why the site has been down for days?


puki(Posted 2009) [#79]
Unfortunately, Malwarebytes does not detect it - neither does Spybot or a-squared. It seems only a non-free version of Ad-Aware detects it.


Kryzon(Posted 2009) [#80]
Have you tried the F-Secure Online Scan?
F-Secure is a European anti-virus software company, kind of like the "Symantec" of those parts. The scan is completely secure, of course, and can detect some very nasty system rootkits and malware. Solved my problem (not related to this one). Worth a try:

http://support.f-secure.com/enu/home/ols.shtml


GfK(Posted 2009) [#81]
@puki/all - I suggest getting avast! at http://www.avast.com/, its really nice,get the avast pro trial schedule a scan on boot and let it run.
Avast is crap! It thinks everything's a virus.


AlexO(Posted 2009) [#82]

Ok, I agree user info could not be an index of security... there will always be a HOLE in the system.
Maybe my paranoia level was too high...

But what about this program SANDBOXIE?
Does anyone have info?
Does anyone believe it could work?
I will install the free version as soon as possible and check how it works (with MY programs :D)

@Puki: what do you think of this type of program? Are you quite sure?
I read - years ago - Symantec or Norton would change their antivirus to run the target program in a sandbox and THEN check if its behaviour is abnormal...



sandboxie is a great way to isolate untrusted programs (more importantly, internet browsers). but it DOES NOT stop a malicious program from 'sending off private data' if you allow that app internet access.


Blitzplotter(Posted 2009) [#83]
.


schilcote(Posted 2009) [#84]
Holy ****, I was wondering if someone could write a virus in blitz, I guess we know now. You did say that it was written in BMax? I'm a white hat hacker, so this is of interest to me. I wonder if this program could be replicated in B+? You'd be amazed at what stupid old programs store in the windows registry, and there are ways of getting all sorts of information from the registry and other sources... B+ has TCP built in, so sending the information would be no problem.

I'm concerned.


TaskMaster(Posted 2009) [#85]
This was not a virus. This was just a form of malware.

A virus can replicate and transmit itself to other machines. All this does is grab your passwords and send them to a host. You don't get "infected", you just get fooled into running it.


xlsior(Posted 2009) [#86]
You don't get "infected" you just get fooled in to running.


Which makes it a trojan horse. It pretends to be just one thing, but also has a more sneaky intention.


jfk EO-11110(Posted 2009) [#87]
Never give a program net access when there is no obvious net functionality. But even then a program could modify other apps that are frequently allowed to access the web, e.g. it may mod your browser to tunnel through the firewall. So you should also frequently reinstall your browser etc.

A good firewall is required. But the Windows firewall doesn't even stop applications from accessing the web, at least in default settings, as far as I know. I'd suggest reading some firewall reviews and tests and then installing a good one. And then don't tell people what firewall you're using :)

What a sad thing. Now it's going to be hard to find somebody to test a demo release, especially eg. a multiplayer thing...