Hacking Trojan.Downloader with ModMii?

youngrex

Not sure if this is just false or not, but my Malwarebytes' Anti-Malware 1.51.1.1800 picked this up: http://prntscr.com/2feu0

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7255

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/26/2011 9:47:18 AM
mbam-log-2011-07-26 (09-47-18).txt

Scan type: Full scan (C:\|)
Objects scanned: 253281
Time elapsed: 1 hour(s), 30 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Owner\Desktop\ModMii\ModMii.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
 

youngrex

Krestent said:
One of two things is possible:
1. It's a false alarm.
2. You downloaded ModMii from somewhere other than the link in the ModMii thread.

I've had ModMii for a long time; it was downloaded from the sticky months ago, so option 2 is out of the question.

FIX94 said (Jul 26 2011, 03:51 PM):
Some guy reported ModMii as a virus and now all programs are alerting. It's a false positive.

That's what I was thinking, because this is the first time anything has ever come up.
 

game_rat

Same thing happened to me over the weekend: I was trying to update my existing ModMii installation and McAfee went nuts.
 

techboy

AVG isn't complaining for me, but a lot of others are...

VirusTotal (15 of 43 are positive):
AhnLab-V3 2011.07.26.06 2011.07.26 Downloader/Win32.Delf
AntiVir 7.11.12.128 2011.07.26 -
Antiy-AVL 2.0.3.7 2011.07.26 Trojan/win32.agent.gen
Avast 4.8.1351.0 2011.07.26 -
Avast5 5.0.677.0 2011.07.26 -
AVG 10.0.0.1190 2011.07.26 -
BitDefender 7.2 2011.07.26 -
CAT-QuickHeal 11.00 2011.07.26 -
ClamAV 0.97.0.0 2011.07.26 -
Commtouch 5.3.2.6 2011.07.26 -
Comodo 9519 2011.07.26 -
DrWeb 5.0.2.03300 2011.07.26 -
Emsisoft 5.1.0.8 2011.07.26 Trojan-Downloader.Win32.Delf!IK
eSafe 7.0.17.0 2011.07.26 Win32.TRDldr.Delf.Hd
eTrust-Vet 36.1.8465 2011.07.26 -
F-Prot 4.6.2.117 2011.07.25 -
F-Secure 9.0.16440.0 2011.07.26 -
Fortinet 4.2.257.0 2011.07.26 W32/Delf.HDVM!tr.dldr
GData 22 2011.07.26 -
Ikarus T3.1.1.104.0 2011.07.26 Trojan-Downloader.Win32.Delf
Jiangmin 13.0.900 2011.07.26 -
K7AntiVirus 9.108.4950 2011.07.26 Trojan-Downloader
Kaspersky 9.0.0.837 2011.07.26 Trojan-Downloader.Win32.Delf.hdvm
McAfee 5.400.0.1158 2011.07.26 Artemis!130C3353BC6B
McAfee-GW-Edition 2010.1D 2011.07.26 Artemis!130C3353BC6B
Microsoft 1.7104 2011.07.26 -
NOD32 6326 2011.07.26 -
Norman 6.07.10 2011.07.26 W32/DLoader.AOIYT
nProtect 2011-07-26.02 2011.07.26 Trojan-Downloader/W32.Agent.3469312
Panda 10.0.3.5 2011.07.26 Trj/CI.A
PCTools 8.0.0.5 2011.07.26 -
Prevx 3.0 2011.07.26 -
Rising 23.68.00.05 2011.07.25 Suspicious
Sophos 4.67.0 2011.07.26 -
SUPERAntiSpyware 4.40.0.1006 2011.07.26 -
Symantec 20111.1.0.186 2011.07.26 -
TheHacker 6.7.0.1.263 2011.07.26 -
TrendMicro 9.200.0.1012 2011.07.26 -
TrendMicro-HouseCall 9.200.0.1012 2011.07.26 -
VBA32 3.12.16.4 2011.07.26 TrojanDownloader.Delf.hdvm
VIPRE 9972 2011.07.26 -
ViRobot 2011.7.26.4589 2011.07.26 -
VirusBuster 14.0.140.0 2011.07.26 -
Also of note: Unpacking the UPX on ModMii stops most of the false positives.
 

xfcrowman

As others have said, it is a false positive and everyone should have their anti-virus programs ignore it.

ModMii is safe and has always been safe.
 

PsyBlade

Has anyone of the people who say it's a false positive actually analysed it?
It wouldn't be the first tool infected with malware without its author knowing (or simply lying about it).
And no, checking the source does not cut it unless you can compile it to exactly the same binary.
Even if you assume that it's the real code, it could be infected after or during compilation.
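The point made in this post, that reading the source proves nothing unless your own build is byte-identical to the binary you were handed, can be demonstrated in a few lines. The script below is an added example, not code from this thread or from the ModMii project. It hashes a download for comparison against an author-published hash (the existence of such a published hash is an assumption), then compares a distributed PE file with a locally rebuilt one. The constructed sample files show why a naive byte comparison fails even for honest builds: the COFF header carries a link-time stamp, so the comparison also runs with that field masked. The PE offsets used (e_lfanew at 0x3C, TimeDateStamp 8 bytes past the "PE\0\0" signature) come from the PE/COFF format; everything else about the sample files is made up for the example.

```python
"""Added example: checking a distributed binary against an independent rebuild.

Not ModMii's or the thread's code. Standard library only. The PE field offsets
are from the PE/COFF format; the sample "binaries" are constructed here.
"""
import hashlib
import struct


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes, to compare with a hash the author publishes out of band."""
    return hashlib.sha256(data).hexdigest()


def verify_published_hash(data: bytes, expected_hex: str) -> bool:
    """True only if the download matches the (assumed) author-published hash."""
    return sha256_hex(data).lower() == expected_hex.strip().lower()


def pe_timestamp_offset(image: bytes):
    """File offset of the COFF TimeDateStamp field, or None if this is not a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # PE signature (4) + Machine (2) + NumberOfSections (2) precede the timestamp.
    return e_lfanew + 8


def normalise_pe(image: bytes) -> bytes:
    """Zero the link-time stamp so two builds of identical code can compare equal."""
    off = pe_timestamp_offset(image)
    if off is None or off + 4 > len(image):
        return image
    return image[:off] + b"\0\0\0\0" + image[off + 4:]


def compare_builds(distributed: bytes, rebuilt: bytes) -> dict:
    """Compare the binary you were given with one you compiled from the source yourself."""
    return {
        "identical": distributed == rebuilt,
        "identical_ignoring_timestamp": normalise_pe(distributed) == normalise_pe(rebuilt),
        "distributed_sha256": sha256_hex(distributed),
        "rebuilt_sha256": sha256_hex(rebuilt),
    }


def make_test_pe(timestamp: int, code: bytes) -> bytes:
    """Constructed stand-in for a PE file: DOS stub, PE signature, COFF header, then 'code'."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header starts at 0x40
    # Machine=i386, 1 section, timestamp, no symbols, no optional header, EXE|32-bit
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + code


if __name__ == "__main__":
    code = b"\xB8\x01\x00\x00\x00\xC3"                # constructed: mov eax,1 ; ret
    given = make_test_pe(0x4E2EBF00, code)            # "downloaded" build
    mine = make_test_pe(0x4E2F1234, code)             # same code, rebuilt later
    tampered = make_test_pe(0x4E2EBF00, b"\xE8\x00\x00\x00\x00\xC3")  # code differs
    print(compare_builds(given, mine))      # identical False, ignoring timestamp True
    print(compare_builds(given, tampered))  # both False: the code itself differs
```

A real verification of a Delphi or C# build would also have to pin the compiler version, flags and linked libraries before the masked comparison means anything; the timestamp is only the most common of the non-deterministic fields.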
 

JoostinOnline

PsyBlade said:
Has anyone of the people who say it's a false positive actually analysed it?
It wouldn't be the first tool infected with malware without its author knowing (or simply lying about it).
And no, checking the source does not cut it unless you can compile it to exactly the same binary.
Even if you assume that it's the real code, it could be infected after or during compilation.
You aren't suggesting XFlak is lying about it, are you? He may be Canadian, but I trust him.
 

PsyBlade

JoostinOnline said:
PsyBlade said:
Has anyone of the people who say it's a false positive actually analysed it?
It wouldn't be the first tool infected with malware without its author knowing (or simply lying about it).
And no, checking the source does not cut it unless you can compile it to exactly the same binary.
Even if you assume that it's the real code, it could be infected after or during compilation.
You aren't suggesting XFlak is lying about it, are you? He may be Canadian, but I trust him.
I'm suggesting he MIGHT lie. I don't think he does, but there is no way I could verify that.
I think you should always be circumspect on the internet.
Especially since malware is a multi-million dollar business nowadays.

I only wanted to point out that people should be more cautious about what they claim if they cannot verify it at least to some degree;
potentially having your data stolen (CC, SSN, ...) is no easy matter.
 

DGenerateKane

I'm curious why my copy of MBAM with up-to-date definitions (it updates automatically several times a day) didn't flag it, but when I updated to the latest version of the program it started bitching. I updated the program at least a week after the update was released, so I don't understand what could have changed.
 

FIX94

After some more looking into the problem, it seems like it could be a virus.
The file which is reported as a virus is libWiiSharp.dll. XFlak's file list refers to Leathl's libWiiSharp version, which is NOT detected as a virus. So maybe the file was infected on his computer somehow.
 

raptor5001

According to Google, Trojan.Downloader and Win32/Agent.gen!I (both are malware names ModMii was detected as) are generic detection names for, well, trojan downloaders (malware whose only purpose is to download and set up other malware). These names are only used by a heuristic scan, which looks for suspicious code in order to detect malware not yet added to the definitions.

A sample:
http://www.microsoft.com/security/portal/T...Agent.gen!I
http://www.symantec.com/security_response/...-011710-3138-99

So I'm going to guess that the heuristic scanners in some of these anti-malware products are picking up on code in ModMii that downloads many large files and also performs many file operations/manipulations with those files.

TL;DR: False positive, most likely.
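Two earlier observations in this thread, techboy's 43-engine VirusTotal listing and raptor5001's point that several of the hits carry generic or heuristic names, can be turned into a small triage script. The one below is an added example, not code from this thread, from VirusTotal or from ModMii. It parses lines in the "vendor version date result" layout techboy pasted (an excerpt of those lines is embedded as sample input), skips non-row text such as the "15 of 43" header, and reports the detection ratio, which hits rest on generic or heuristic names, and how often the family tokens recur. The markers used to call a name "generic" (a standalone `gen`/`generic` token, `Artemis`, `Suspicious`, `heur`) and the thresholds in `triage()` are this script's own assumptions, not any vendor's classification.

```python
"""Added example: triage of a multi-engine scan listing like the one posted above.

Not the forum's, VirusTotal's or ModMii's code. Sample rows are copied from
techboy's post; the generic-name markers and triage thresholds are assumptions.
"""
import re

# Assumed markers for "generic / heuristic" rather than "named, known family".
GENERIC_MARKERS = [
    re.compile(r"\bgen(eric)?\b", re.I),  # "...agent.gen", "Generic.xyz" (not "Agent")
    re.compile(r"artemis", re.I),         # McAfee's cloud/heuristic verdict
    re.compile(r"suspicious|heur", re.I),
]
DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")  # rejects header/prose lines

# Excerpt (16 of 43 engines) of the listing in techboy's post, same layout.
SAMPLE_REPORT = """\
VirusTotal (15 of 43 are positive):
AhnLab-V3 2011.07.26.06 2011.07.26 Downloader/Win32.Delf
Antiy-AVL 2.0.3.7 2011.07.26 Trojan/win32.agent.gen
Avast 4.8.1351.0 2011.07.26 -
AVG 10.0.0.1190 2011.07.26 -
BitDefender 7.2 2011.07.26 -
ClamAV 0.97.0.0 2011.07.26 -
F-Secure 9.0.16440.0 2011.07.26 -
Kaspersky 9.0.0.837 2011.07.26 Trojan-Downloader.Win32.Delf.hdvm
McAfee 5.400.0.1158 2011.07.26 Artemis!130C3353BC6B
Microsoft 1.7104 2011.07.26 -
NOD32 6326 2011.07.26 -
Rising 23.68.00.05 2011.07.25 Suspicious
Sophos 4.67.0 2011.07.26 -
Symantec 20111.1.0.186 2011.07.26 -
TrendMicro 9.200.0.1012 2011.07.26 -
VBA32 3.12.16.4 2011.07.26 TrojanDownloader.Delf.hdvm
"""


def parse_report(text: str) -> list:
    """Parse 'vendor version date result' rows; '-' means the engine found nothing."""
    rows = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4 or not DATE_RE.match(parts[2]):
            continue  # header, blank or truncated line
        vendor, version, date, result = parts
        rows.append({"vendor": vendor, "version": version, "date": date,
                     "result": None if result == "-" else result})
    return rows


def is_generic(result: str) -> bool:
    """True when the detection name looks heuristic/generic under the markers above."""
    return any(p.search(result) for p in GENERIC_MARKERS)


def summarise(rows: list, family_tokens=("delf", "agent")) -> dict:
    """Detection ratio, which hits are generic, and how often family tokens recur."""
    hits = [r for r in rows if r["result"]]
    return {
        "engines": len(rows),
        "positives": len(hits),
        "generic_positives": sum(1 for r in hits if is_generic(r["result"])),
        "generic_vendors": [r["vendor"] for r in hits if is_generic(r["result"])],
        "families": {t: sum(1 for r in hits if t in r["result"].lower()) for t in family_tokens},
        "clean_vendors": [r["vendor"] for r in rows if not r["result"]],
    }


def triage(summary: dict) -> str:
    """Coarse label (assumed thresholds) for how much the verdict rests on generic names."""
    if summary["positives"] == 0:
        return "no detections"
    ratio = summary["positives"] / summary["engines"]
    generic_share = summary["generic_positives"] / summary["positives"]
    if ratio >= 0.5:
        return "high detection ratio: treat as malicious until shown otherwise"
    if generic_share >= 0.5:
        return "low-confidence: mostly generic/heuristic hits, corroborate manually"
    return "mixed: named-family hits from a minority of engines, investigate"


if __name__ == "__main__":
    summary = summarise(parse_report(SAMPLE_REPORT))
    print(summary)
    print(triage(summary))
```

Recurring family tokens (here "Delf", a Delphi-compiled downloader classification) across independent engines carry more weight than the same cloud-heuristic name repeated by two products from one vendor, which the `families` and `generic_vendors` fields separate.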
 

DeadlyFoez

As a VERY personal friend of XFlak's, I know for a fact that he did not and will not ever do anything intentionally malicious to someone. He is too good of a person and he has too great a reputation to throw away for something so stupid. It is a false positive. All of the supporting apps have not been updated for a long time. Someone or some company (like Nintendo, possibly) reported these types of apps as being dangerous.

Really, how many times have you downloaded a legit keygen and your antivirus went crazy over it while it really was safe? For me, it happened a lot a few years ago, before I had the money to buy everything without dealing with warez.

Now that XFlak is back in his hometown and done with his honeymoon, I am sure he will look into this and find ways to prevent this from happening anymore if it is in his power and possibility to do so.
 

TheLostSabre

I say it's a false positive. XFlak would never put in any malicious code or download of any kind. Besides, it's a non-official program; it's obvious that any sort of antivirus, antispyware, and/or antimalware would declare those kinds of programs as potentially dangerous as a precaution.

You can just whitelist it so that whatever you're using will ignore it in the future.
 

shortz1994

PsyBlade said:
JoostinOnline said:
PsyBlade said:
Has anyone of the people who say it's a false positive actually analysed it?
It wouldn't be the first tool infected with malware without its author knowing (or simply lying about it).
And no, checking the source does not cut it unless you can compile it to exactly the same binary.
Even if you assume that it's the real code, it could be infected after or during compilation.
You aren't suggesting XFlak is lying about it, are you? He may be Canadian, but I trust him.
I'm suggesting he MIGHT lie. I don't think he does, but there is no way I could verify that.
I think you should always be circumspect on the internet.
Especially since malware is a multi-million dollar business nowadays.

I only wanted to point out that people should be more cautious about what they claim if they cannot verify it at least to some degree;
potentially having your data stolen (CC, SSN, ...) is no easy matter.
@PsyBlade, even "suggesting" someone might lie, you are calling them a liar. As far as trusting XFlak because he is "Canadian", lol.. I trust him because he hasn't given me a reason NOT to trust him. I trust them (Canadians) more than our own citizens here in the US.
 
