aceKard RPG. What is o.exe?

Discussion in 'Acekard' started by f3l1x, Aug 16, 2008.


aceKard RPG. What is o.exe? by f3l1x at 6:52 PM (2,530 Views / 0 Likes) 18 replies

  1. f3l1x
    OP

    Newcomer f3l1x Member

    Joined:
    May 14, 2008
    Messages:
    19
    Country:
    United States
    My original acekard didn't come with this executable and I cannot see anything about it in any docs.

    I ran it through Olly debugger and IDA Pro and it's trying to access some service controls, but it will take more time to figure out if it's malicious. Instead of going through all that, I figured I'd just ask.

    What does o.exe do? It's not uncommon for the Chinese to intercept flash devices and store little presents on the ones destined to the US, but I don't want to jump to any conclusions or anything since it could be some kind of util I've always just overlooked.



    So, yea. What is o.exe?

    (It's auto-loaded by the autorun.inf on the card... so it was meant to be run.)

    Again, I don't remember seeing this on my other acekard RPG.


    Thanks in advance... hopefully it's something harmless.
     
  2. Minox

    Supervisor Minox Spytech Employee

    Joined:
    Aug 27, 2007
    Messages:
    5,617
    Country:
    Sweden
  3. IOwnAndPwnU

    Member IOwnAndPwnU GBAtemp Maniac

    Joined:
    Jul 31, 2008
    Messages:
    1,123
    Country:
    Canada
    Looks like a virus.
     
  4. f3l1x
    OP

    Newcomer f3l1x Member

    Joined:
    May 14, 2008
    Messages:
    19
    Country:
    United States
    Yea... I searched but it looks like that one was 0.exe (as in zero).... the one shipped with mine is o.exe.

    I came back just to tell everyone that I finished up some sections in the debugger and it IS malicious, but noticed your posts.. thanks for the quick response.

    Purchased from Deal Extreme BTW. This is not uncommon with these kinds of items coming from China, but I wanted to make sure before I went all alarmist.

    So yea, watch out people. Format your NAND as soon as you get your cards or any other kind of non-volatile memory. Oh.. AND DISABLE AUTORUN FOR GOD'S SAKE! http://www.engadget.com/2004/06/29/how-to-...run-on-windows/

    any who.. thanks for the thread link. I'm not surprised at all though that I'm the only one.
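
An added example, not part of the original thread and not any poster's code: a Python check that reads the text of an autorun.inf found on a newly received card and lists the programs it would start, so the card can be inspected before anything on it is opened. The sample file content is constructed; only the file name o.exe comes from the thread.

```python
import re
from pathlib import PureWindowsPath

# Keys in the [autorun] section that make Windows start a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
EXEC_EXT = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js"}

def command_target(value):
    """First token of the command line, honouring a quoted path."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""

def launch_entries(text):
    """Return (key, target) for every launch directive in autorun.inf text."""
    found, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("["):                  # section header
            in_autorun = line.lower().startswith("[autorun]")
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key):
            found.append((key.lower(), command_target(value)))
    return found

def suspicious(text):
    """Launch targets whose extension is directly executable."""
    return [(k, t) for k, t in launch_entries(text)
            if PureWindowsPath(t).suffix.lower() in EXEC_EXT]

# Constructed sample; only the file name o.exe comes from the thread.
SAMPLE = """\
; constructed example
[AutoRun]
open=o.exe
shell\\open\\Command="o.exe" -s
icon=folder.ico
label=ACEKARD
"""

if __name__ == "__main__":
    for key, target in suspicious(SAMPLE):
        print(f"{key} -> {target}")
```

The extension list is an assumption chosen for illustration; an unquoted target containing spaces is cut at the first space.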
     
  5. Diffusion

    Member Diffusion GBAtemp Advanced Fan

    Joined:
    Jul 14, 2007
    Messages:
    701
    Country:
    United States
    Wow. RPGs shipping with viruses.

    I'll make sure to format the nand and disable autorun when I get mine from DX.
     
  6. ROM Troll

    Member ROM Troll GBAtemp Regular

    Joined:
    Jun 29, 2008
    Messages:
    100
    Country:
    United States
    You're not the only one, now two owners have noticed a malicious file.
     
  7. IOwnAndPwnU

    Member IOwnAndPwnU GBAtemp Maniac

    Joined:
    Jul 31, 2008
    Messages:
    1,123
    Country:
    Canada
    RPG is starting to show its disadvantages.
     
  8. f3l1x
    OP

    Newcomer f3l1x Member

    Joined:
    May 14, 2008
    Messages:
    19
    Country:
    United States
    What? Are you kidding? There are downsides to the RPG but this ISN'T one of them.

    iPods shipped with viruses at one point (out of China)... Seagate hard drives shipped with viruses (out of China)... digital photo frames and flash cards ship with viruses and trojans loaded on them. It really has nothing to do with Acekard specifically... it has to do with China and/or sleazy fabs. This happens to various products more than you realize. Look it up.
     
  9. GH0ST

    Member GH0ST Your Hero is a Ghost

    Joined:
    Dec 17, 2006
    Messages:
    924
    Location:
    I was here... before...
    Country:
    France
    I updated my previous thread since it was effectively o.exe (I mistakenly renamed it as 0.vir but the archive I made had o.exe)... it looks like it spreads with different names also.

    I don't think it is intentional... I saw more and more infected computers all around... not only in China.

    You may use this fix if you've got infected by Kavo variants: http://net-studio.org/application/kavo-variants.php

    Here is a link to another post with some details on various tools you can use to prevent / clean such trojans: http://www.theeldergeek.com/forum/index.php?showtopic=30506

    To prevent further actions you can add this line to your HOSTS file
    # Kavo virus tries to connect to this site (127.0.0.1 resolves the address to your localhost... not to mention this site is known for other threats, DON'T TRY to ACCESS it)
     
  10. IOwnAndPwnU

    Member IOwnAndPwnU GBAtemp Maniac

    Joined:
    Jul 31, 2008
    Messages:
    1,123
    Country:
    Canada
    I never knew that. Maybe because it's from CHINA. I bet it doesn't happen if you buy from like Best Buy or something like that.
     
  11. Raqib12

    Member Raqib12 GBAtemp Regular

    Joined:
    May 6, 2007
    Messages:
    170
    Country:
    United States
     
  12. Sephi

    Member Sephi fool

    Joined:
    Jan 21, 2008
    Messages:
    1,850
    Location:
    Rhode Island
    Country:
    United States
     
  13. GH0ST

    Member GH0ST Your Hero is a Ghost

    Joined:
    Dec 17, 2006
    Messages:
    924
    Location:
    I was here... before...
    Country:
    France
    You can buy it in your town or online, it came from China anyway ;-)
     
  14. Urza

    Member Urza hi

    Joined:
    Jul 18, 2007
    Messages:
    6,493
    Country:
    United States
    It doesn't matter where you buy the electronics. They're manufactured at the same location.
     
  15. arctic_flame

    Member arctic_flame GBAtemp ATMEGA8 Fan

    Joined:
    Nov 4, 2006
    Messages:
    2,840
    Location:
    England land
    Country:
    United Kingdom
    Also, virus-laden products have come out of big stores, causing hilarity/red-faced managers.

    Also, Windows doesn't autorun anything except CDs. However, the entry does appear in the "What would you like to do with this removable drive" window.

    Also, holding Shift while inserting media bypasses autorun.

    Also, use a real operating system.

    Also, also.
     
  16. GH0ST

    Member GH0ST Your Hero is a Ghost

    Joined:
    Dec 17, 2006
    Messages:
    924
    Location:
    I was here... before...
    Country:
    France
    Also please, Professionals, please don't ship virus/trojan/rootkit with your products! Please ;-)
     
  17. f3l1x
    OP

    Newcomer f3l1x Member

    Joined:
    May 14, 2008
    Messages:
    19
    Country:
    United States
    Also, you can also call up the BBB also known as the Better Business Bureaus, and also tell them you also pirate your all so needed NDS games. Also, I went out on a limb also using "all so" instead of "also".

    Yea, I also went there, also.

    Furthermore... My transflash card had some nasty stuff on it. Just format any storage media you don't trust. Know that things can be storage media whether you know it or not (i.e. photo frames/some cameras).

    Also.... ahem. Also, to be safe, places you cannot trust include everywhere outside of your possession and sometimes places within your possession if some piece has been compromised. So if the chain of custody cannot be trusted... FORMAT. (Hint: China cannot be trusted, but damn do they have the cheapest fabs!)
     
  18. ROM Troll

    Member ROM Troll GBAtemp Regular

    Joined:
    Jun 29, 2008
    Messages:
    100
    Country:
    United States
    Oh I see a career in diplomacy for you, maybe a short one but if clowns like Bush and Obama can become president, why not you!
     
  19. o RedSheLL x

    Member o RedSheLL x GBAtemp Regular

    Joined:
    Jul 5, 2008
    Messages:
    172
    Location:
    Houston TX
    Country:
    United States
    Hmm, I just got my Acekard RPG from DX (only had 67 bucks at the time exactly :DDDDDD, card owns btw!) and I had that too. I just formatted my card right when I got it. I guess the memory got infected when they were putting the firmware on the card, because maybe it spread.
     
