TROJAN HORSE "TR/Dropper.gen" found in MPQdraft.exe

[Jadefang]

Dear CC community,

I have just recently updated my virus scanner (AVIRA version 8.1.00.295) and was alerted about the the trojan horse "TR/Dropper.gen" in the "MPQdraft.exe" file on my system. After scanning and cleaning my system, I have re-downloaded the current MPQdraft.exe version from the CC download section and was alerted about this trojan horse again. The same was true for all other versions I downloaded in other published campaigns that included the MPQdraft.exe file.

It is therefore possible that the MPQdraft file from CC is also infested, although it may be a secondary phenomenon of my system (still being?) infested in the first place. @Admin, and other authors also using the MPQdraft.exe, please check.

I have for the time being disabeled my own Campaign from download as it also has a potentially infested "MPQdraft.exe" included. Although I recognize I might violate double posting standards, I will CC this warning message to my own campaign thread.

Jadefang

[Lavarinth]

I'll have the file scanned- To my knowledge there have no instances of others noting a virus. I'll also look into the details of this trojan. (Note that some trojans actually are crafted on purpose since they have to manipulate your computer, such as a crack file, but I doubt this would be the case for this one.)

[Jadefang]

(Note that some trojans actually are crafted on purpose since they have to manipulate your computer, such as a crack file, but I doubt this would be the case for this one.)

That is very true.
However, I have tried another website as download source of MPQdraft (SourceForge.net) and did not have this particular virus reported. I will complete one more full system scan and draft a new version of my revised campain with the "clean" MPQdraft.exe for download later tonight.

I have the MPQdraft version from SourceForge that I found "clean" attached to this post.

[Lavarinth]

I'll go ahead an upload this to replace the current one- I just found it interesting since it was the creator who would of uploaded it.

[Jadefang]

So I downloaded MPQDraft off CC and scanned it with AVG 7.5 and it shows no viruses.

Note however that your virus scanner is likely to have made a false alarm since it's a program that was there for like forever and unless some server files were infested by a virus on the server side recently or that it was an old admin that re-uploaded the program infested long ago by accident or something, it should be safe.

Odds are if it was really infested, we would have heard of various people complaining that MPQDraft being infested, crashing computers and so on a long time ago.

EDIT :
Heck, I even downloaded it since it came with your campaign and used it. So far, 1 month later or so, there are no negative changes I noticed on my computer.

I see your point, Ricky. I also have not noted any adverse effects and used this particular version a few weeks longer before you downloaded it. The false alarm explanation makes sense.

What I don't understand though is why did the SourceForge version not provoke the TR/dropper.gen alert.

PS: Hardly worth mentioning, but I presume that your AVG 7.5 has TR/dropper.gen in its detection library.

[Lavarinth]

None-the-less, the program on CC was replaced with a newer more recent version as the previous was literally years old to my knowledge.

[Eredalis]

Hello to each of you!

I had two days ago exactly the same error message.
I use "Avira Antivir" nearly for about 3 years and up to two days there were also no problems.

Then, however, in the late Wednesday evening the same message which Jadefang has described here came suddenly.
Supposedly the Zip archive was concerned by MPQ-Draft, the exe file of Newrand Citadel and the exe files of the Bob Levels.
But this could not be at all, because I have this supposedly "affected" files quite for years on the computer, and there was never any problem with it.

Well, the heart hit nevertheless to me up to the neck.

I have likewise tried to repair the problem by an intensive system examination and a scan process, but anyhow Antivir has brought me, would you believe, 26 times the announcement about this Trojan horse.

After consultation with a good friend, who is an absolute computer specialist, I uninstalled Antivir and installed, instead, Kaspersky antivirus. Kaspersky Anti-Virus concluded his diagnosis with the fact that everything is in the best order and my computer is safe.

Strangely, or?

[chris]

haven't you people ever heard of a false positive?

The same happened with avast and utorrent a week ago. http://www.google.com/search?hl=en&q=Wi ... gle+Search

If you want to fix avira, go onto their forums and tell them about it.

[Jadefang]

haven't you people ever heard of a false positive?

Hi Chris,
I can live with my (free) virus scanner's potentially poor specificity. That is much better than the other way around I would say.

Also, as much as the assumption that the MPQDraft.exe was infested sounds reasonable in HINDSIGHT, when you see the warning popping up in the first place you sort of can become a little worried, particlulary if you offered a campaign made with the file for download, and felt it would be best to take these precautions.

And, if anything, the whole issue only helped updating CC's programs as we now have a newer MPQDraft.exe (strangely not tirggering the warning, by the way).

Cheers,

[ShadowFlare]

It is possible the false positive was triggered as a result of the exe compression that was applied to the binaries on the previous versions (called Petite, by Ian Luck, IIRC).  It was not applied on the newest version, partly I think to try to troubleshoot a bug I found back in 2006 related to incompatibility with Data Execution Prevention (which at the time, I had enabled for all programs on XP).  As a side effect of that bug hunting, it made it so that a version existed that would work on Vista out of the box before Vista had even been released.