Acekard RPG. What is o.exe?

Discussion in 'Acekard' started by f3l1x, Aug 16, 2008.

  1. f3l1x (OP) - Newcomer
    My original acekard didn't come with this executable and I cannot see anything about it in any docs.

    I ran it through Olly debugger and IDA Pro and it's trying to access some service controls, but it will take more time to figure out if it's malicious. Instead of going through all that, I figured I'd just ask.

    What does o.exe do? It's not uncommon for the Chinese to intercept flash devices and store little presents on the ones destined for the US, but I don't want to jump to any conclusions or anything since it could be some kind of util I've always just overlooked.



    So, yea. What is o.exe?

    (It's auto-loaded by the autorun.inf on the card... so it was meant to be run.)

    Again, I don't remember seeing this on my other acekard RPG.


    Thanks in advance... hopefully it's something harmless.
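The OP notes that o.exe is started by the card's autorun.inf. Before AutoPlay ever sees a new card, the file can be read as plain text and every program it would launch listed. The script below is an added example for this thread, not code from the original posts; the autorun.inf it parses is a constructed sample, and only the file name o.exe comes from the thread.

```python
import ntpath

# Keys in the [autorun] section whose value is a program the shell would run.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample autorun.inf modelled on what the thread describes
# (a card whose autorun.inf starts o.exe). The label is a placeholder.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
open=o.exe
icon=o.exe,0
label=ACEKARD
shell=open
shell\\open=&Open
shell\\open\\command="o.exe" /s
"""


def parse_autorun(text):
    """Parse the [autorun] section into a dict of lower-cased key -> value.

    Windows treats INI section names and keys case-insensitively, and the
    file may carry ';' comments and blank lines, so normalise as we go.
    """
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries):
    """Return [(key, command)] for every entry that asks the shell to run a program.

    Covers open=, shellexecute= and any shell\\<verb>\\command= entry.
    """
    hits = []
    for key, value in entries.items():
        is_verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb_command:
            hits.append((key, value))
    return hits


def executable_name(command):
    """Bare file name of the program a command line would start (quotes and path removed)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        program = cmd[1:end] if end > 0 else cmd[1:]
    else:
        parts = cmd.split()
        program = parts[0] if parts else ""
    return ntpath.basename(program).lower()


def audit_autorun(text):
    """Sorted list of distinct executables an autorun.inf would launch."""
    entries = parse_autorun(text)
    names = {executable_name(cmd) for _, cmd in launch_commands(entries)}
    return sorted(names - {""})


if __name__ == "__main__":
    for name in audit_autorun(SAMPLE_AUTORUN_INF):
        print(f"autorun.inf would launch: {name}")
```

Point `audit_autorun` at the text of a real autorun.inf (read from the card while AutoPlay is disabled) and anything it reports is worth checking against the card's documentation before the card is ever mounted normally.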
     
  2. Minox - Supervisor
  3. IOwnAndPwnU - Member
    Looks like a virus.
     
  4. f3l1x (OP) - Newcomer
    Yea... I searched but it looks like that one was 0.exe (as in zero).... the one shipped with mine is o.exe.

    I came back just to tell everyone that I finished up some sections in the debugger and it IS malicious, but I noticed your posts... thanks for the quick response.

    Purchased from Deal Extreme BTW. This is not uncommon with these kinds of items coming from China, but I wanted to make sure before I went all alarmist.

    So yea, watch out people. Format your NAND as soon as you get your cards, or any other kind of non-volatile memory. Oh.. AND DISABLE AUTORUN FOR GOD'S SAKE! http://www.engadget.com/2004/06/29/how-to-...run-on-windows/

    any who.. thanks for the thread link. I'm not surprised at all though that I'm the only one.
     
  5. Diffusion - Member
    Wow. RPGs shipping with viruses.

    I'll make sure to format the NAND and disable autorun when I get mine from DX.
     
  6. ROM Troll - Member
    You're not the only one, now two owners have noticed a malicious file.
     
  7. IOwnAndPwnU - Member
    RPG is starting to show its disadvantages.
     
  8. f3l1x (OP) - Newcomer
    What? Are you kidding? There are downsides to the RPG but this ISN'T one of them.

    iPods shipped with viruses at one point (out of china)... seagate hard drives shipped with viruses(out of china)... digital photo frames and flash cards ship with viruses and trojans loaded on them. It really has nothing to do with acekard specifically... it has to do with china and/or sleazy fabs. this happens to various products more than you realize. look it up.
     
  9. GH0ST - Member
    I updated my previous thread since it was effectively o.exe (I mistakenly renamed it as 0.vir but the archive I made had o.exe)... it looks like it spreads with different names also.

    I don't think it is intentional ... i saw more and more infected computers all around... not only in China.

    You may use this fix if you got infected by Kavo variants: http://net-studio.org/application/kavo-variants.php

    Here is a link to another post with some details on various tools you can use to prevent / clean such trojans : http://www.theeldergeek.com/forum/index.php?showtopic=30506

    To prevent further actions you can add this line to your HOSTS file:
    # Kavo virus tries to connect to this site (127.0.0.1 resolves the address to your localhost... not to mention this site is known for other threats, DON'T TRY to ACCESS it)
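GH0ST's suggestion is a classic HOSTS-file sinkhole: map the name the trojan calls home to 127.0.0.1 so the connection never leaves the machine. Editing the file by hand is error-prone (a duplicate entry, or a stale line that maps the same name elsewhere, can silently win), so here is an added example, not from the original post, of doing it idempotently. The hostname is a placeholder because the post does not reproduce the real one, and the hosts file content is constructed.

```python
# Constructed sample hosts file; a real one lives at
# C:\Windows\System32\drivers\etc\hosts (Windows) or /etc/hosts (Unix).
HOSTS_SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
"""

# Placeholder: the thread's post does not reproduce the hostname it blocks.
PLACEHOLDER_HOST = "malware-c2.example"


def mapped_address(hosts_text, hostname):
    """Return the address hosts_text currently maps hostname to, or None.

    Comments after '#' are ignored and names are compared case-insensitively,
    which is how the resolver treats them.
    """
    want = hostname.lower()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and want in (h.lower() for h in fields[1:]):
            return fields[0]
    return None


def add_sinkhole(hosts_text, hostname, address="127.0.0.1"):
    """Return hosts_text with hostname pointed at address.

    Idempotent: if the name already maps to address the text is returned
    unchanged. If it maps somewhere else, that stale mapping is removed
    (other names on the same line are kept) so the sinkhole entry wins.
    """
    if mapped_address(hosts_text, hostname) == address:
        return hosts_text
    want = hostname.lower()
    lines = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and want in (h.lower() for h in fields[1:]):
            rest = [h for h in fields[1:] if h.lower() != want]
            if rest:
                lines.append(fields[0] + "\t" + " ".join(rest))
            continue  # drop the stale mapping for hostname
        lines.append(line)
    lines.append(f"{address}\t{hostname}\t# sinkhole entry added by add_sinkhole()")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(add_sinkhole(HOSTS_SAMPLE, PLACEHOLDER_HOST), end="")
```

To apply it, read the real hosts file, pass its text through `add_sinkhole`, and write the result back with administrator rights; running it twice is harmless. A sinkhole only covers the names you know about, so it complements, rather than replaces, removing the trojan itself.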
     
  10. IOwnAndPwnU - Member
    I never knew that. Maybe because it's from CHINA. I bet it doesn't happen if you buy from like Best Buy or something like that.
     
  11. Raqib12 - Member
     
  12. Sephi - Member
     
  13. GH0ST - Member
    You can buy it in your town or online, it came from China anyway ;-)
     
  14. Urza - Member
    It doesn't matter where you buy the electronics. They're manufactured at the same location.
     
  15. arctic_flame - Member
    Also, virus laden products have come out of big stores, causing hilarity/red faced managers.

    Also, Windows doesn't autorun anything except CDs. However, the entry does appear in the "What would you like to do with this removable drive" window.

    Also, holding Shift while inserting media bypasses autorun.

    Also, use a real operating system.

    Also, also.
     
  16. GH0ST - Member
    Also, please, professionals, please don't ship viruses/trojans/rootkits with your products! Please ;-)
     
  17. f3l1x (OP) - Newcomer
    Also, you can also call up the bbb also known as the Better Business Bureaus, and also tell them you also pirate your all so needed nds games. also, i went out on a limb also using "all so" instead of "also".

    Yea, I also went there, also.

    Furthermore... My transflash card had some nasty stuff on it. Just format any storage media you don't trust. Know that things can be storage media whether you know it or not (i.e. photo frames/some cameras).

    also.... ahem. also, to be safe, places you cannot trust include everywhere outside of your possession and sometimes places within your possession if some piece has been compromised. So if the chain of custody cannot be trusted... FORMAT. (hint: china cannot be trusted, but damn do they have the cheapest fabs!)
     
  18. ROM Troll - Member
    Oh I see a career in diplomacy for you, maybe a short one but if clowns like Bush and Obama can become president, why not you!
     
  19. o RedSheLL x - Member
    Hmm, I just got my Acekard RPG from DX (only had 67 bucks at the time exactly :DDDDDD, card owns btw!) and I had that too. I just formatted my card right when I got it. I guess the memory got infected when they were putting the firmware on the card, because maybe it spread.