Trojan.Downloader with ModMii?

Discussion in 'Wii - Hacking' started by youngrex, Jul 26, 2011.

Jul 26, 2011
  1. youngrex
    OP

    Newcomer youngrex Advanced Member

    Joined:
    Nov 10, 2010
    Messages:
    99
    Country:
    United States
    Not sure if this is just false or not, but my Malwarebytes' Anti-Malware 1.51.1.1800 picked this up: http://prntscr.com/2feu0

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7255

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    7/26/2011 9:47:18 AM
    mbam-log-2011-07-26 (09-47-18).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 253281
    Time elapsed: 1 hour(s), 30 minute(s), 56 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\Owner\Desktop\ModMii\ModMii.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
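    As an added example (not code from the original post or from Malwarebytes), here is a small parser for the log format quoted above. It pulls the database version, the summary counts and each quarantined item into a structure, and cross-checks the summary counts against the detail sections, which is the first thing to do when triaging a scan log before deciding whether a detection is real. The sample log is constructed to match the layout of the post's log.

```python
import re
from dataclasses import dataclass

# Constructed sample, laid out like the Malwarebytes log quoted in the post
# (some of the empty "(No malicious items detected)" sections are omitted).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7255

Scan type: Full scan (C:\|)
Objects scanned: 253281
Time elapsed: 1 hour(s), 30 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Owner\Desktop\ModMii\ModMii.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    path: str     # object the scanner flagged
    name: str     # detection name, e.g. Trojan.Downloader
    action: str   # what the scanner did with it


@dataclass
class ScanReport:
    database_version: str
    summary: dict      # category -> count from the summary block
    detections: dict   # category -> list of Detection from the detail block


# "Files Infected: 1" style lines in the summary block
SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "<path> (<name>) -> <action>." lines in the detail block
DETAIL_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    summary, detections, db, current = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Database version:"):
            db = line.split(":", 1)[1].strip()
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["cat"]] = int(m["count"])
            current = None
            continue
        if line.endswith("Infected:"):          # start of a detail section
            current = line[:-1]
            detections.setdefault(current, [])
            continue
        if current is None or line.startswith("(No malicious"):
            continue
        m = DETAIL_RE.match(line)
        if m:
            detections[current].append(Detection(m["path"], m["name"], m["action"]))
    return ScanReport(db, summary, detections)


def consistency_issues(report):
    """Summary counts that do not match the listed items point at a
    truncated or hand-edited log; an empty list means the log is coherent."""
    issues = []
    for cat, count in report.summary.items():
        listed = len(report.detections.get(cat, []))
        if listed != count:
            issues.append(f"{cat}: summary says {count}, detail lists {listed}")
    return issues


def flagged_paths(report):
    """Paths of everything the scanner acted on, for hashing or re-scanning."""
    return [d.path for items in report.detections.values() for d in items]


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("database", rep.database_version, "issues", consistency_issues(rep))
    for p in flagged_paths(rep):
        print("flagged:", p)
```

    Quarantine removes the file from its original path, so the paths returned by flagged_paths point at what to recover from quarantine before hashing or submitting it elsewhere for a second opinion.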
     


  2. Krestent

    Member Krestent What to post?

    Joined:
    Mar 31, 2009
    Messages:
    3,952
    Country:
    United States
    One of two things is possible:
    1. It's a false alarm.
    2. You downloaded ModMii from somewhere other than the link in the ModMii thread.
     
  3. Nujui

    Member Nujui I need something to do.

    Joined:
    Aug 12, 2010
    Messages:
    3,933
    Location:
    Dreamland.
    Country:
    United States
    It's probably false. I've used ModMii and I've never gotten any virus from it.
     
  4. FIX94

    Global Moderator FIX94 Global Moderator

    Joined:
    Dec 3, 2009
    Messages:
    6,572
    Location:
    ???
    Country:
    Germany
    Some guy reported ModMii as a virus and now all programs are alerting. It's a false positive.
     
  5. youngrex
    OP

    Newcomer youngrex Advanced Member

    Joined:
    Nov 10, 2010
    Messages:
    99
    Country:
    United States
    That's what I was thinking, because this is the first time anything has ever come up.
     
  6. game_rat

    Newcomer game_rat Advanced Member

    Joined:
    Feb 7, 2011
    Messages:
    88
    Country:
    United States
    Same thing happened to me over the weekend; I was trying to update my existing ModMii installation and McAfee went nuts.
     
  7. techboy

    Member techboy GBAtemp Advanced Maniac

    Joined:
    Mar 15, 2009
    Messages:
    1,720
    Location:
    Pennsylvania
    Country:
    United States
    AVG isn't complaining for me, but a lot of others are...

    VirusTotal (15 of 43 are positive):
    Also of note: Unpacking the UPX on ModMii stops most of the false positives.
     
  8. G0dLiKe

    Member G0dLiKe who needs a title ;)

    Joined:
    Aug 2, 2009
    Messages:
    1,674
    Country:
    United States
    AVG is complaining for me...
     
  9. xfcrowman

    Member xfcrowman GBAtemp Fan

    Joined:
    Mar 14, 2009
    Messages:
    430
    Country:
    United States
    As others have said, it is a false positive and everyone should have their anti-virus programs ignore it.

    ModMii is safe and has always been safe.
     
  10. PsyBlade

    Member PsyBlade Snake Charmer

    Joined:
    Jul 30, 2009
    Messages:
    2,204
    Location:
    Sol III
    Country:
    Germany
    Has any of the people who say it's a false positive actually analysed it?
    It wouldn't be the first tool infected with malware without its author knowing (or simply lying about it).
    And no, checking the source does not cut it unless you can compile it to exactly the same binary.
    Even if you assume that it's the real code, it could be infected after or during compilation.
     
  11. djgarf

    Former Staff djgarf I Am A Raver

    Joined:
    Oct 24, 2002
    Messages:
    2,955
    Location:
    England U.K.
    Country:
    United Kingdom
    It's because the exe is UPX packed and the way it calls other files (like wget).
     
  12. JoostinOnline

    Member JoostinOnline Certified Crash Test Dummy

    Joined:
    Apr 2, 2011
    Messages:
    10,835
    Location:
    The Twilight Zone
    Country:
    United States
    You aren't suggesting XFlak is lying about it, are you? He may be Canadian, but I trust him.
     
  13. loco365

    Member loco365 GBAtemp Guru

    Joined:
    Sep 1, 2010
    Messages:
    5,459
    Avira's been giving me shit on it once in a while, but I'm pretty sure it's a false positive.
     
  14. PsyBlade

    Member PsyBlade Snake Charmer

    Joined:
    Jul 30, 2009
    Messages:
    2,204
    Location:
    Sol III
    Country:
    Germany
    I'm suggesting he MIGHT lie. I don't think he does, but there is no way I could verify that.
    I think you should always be circumspect on the internet.
    Especially since malware is a multi-million dollar business nowadays.

    I only wanted to point out that people should be more cautious about what they claim if they cannot verify it at least to some degree;
    potentially having your data stolen (cc, ssn, ...) is no easy matter.
     
  15. DGenerateKane

    Member DGenerateKane GBAtemp Fan

    Joined:
    Jul 18, 2009
    Messages:
    330
    Country:
    United States
    I'm curious why my copy of MBAM with up-to-date definitions (it updates automatically several times a day) didn't flag it, but when I updated to the latest version of the program it started bitching. I updated the program at least a week after the update was released, so I don't understand what could have changed.
     
  16. FIX94

    Global Moderator FIX94 Global Moderator

    Joined:
    Dec 3, 2009
    Messages:
    6,572
    Location:
    ???
    Country:
    Germany
    After some more looking into the problem it seems like it could be a virus.
    The file which is reported as a virus is libWiiSharp.dll. XFlak's file list refers to Leathl's libWiiSharp version, which is NOT detected as a virus. So maybe the file was infected on his computer somehow.
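    Three points in this thread reduce to checks a defender can script rather than argue about: PsyBlade's point that only the shipped binary matters, techboy's and djgarf's observation that the UPX packing is what trips the heuristics, and FIX94's comparison of the bundled libWiiSharp.dll against Leathl's original. The script below is an added example, not code from the thread, from ModMii or from any scanner vendor. It compares a file's SHA-256 against a reference hash (the one the upstream author publishes, which you would paste in), and walks the PE section table looking for the packer's default UPX0/UPX1 section names. The PE images it checks are constructed in the script as test data; the section-name check is a heuristic, since a packer can be configured to use other names.

```python
import hashlib
import hmac
import struct

# Default section names UPX writes; presence is a strong hint, not proof.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def build_fake_pe(section_names):
    """Constructed test data: a minimal PE layout (DOS header -> "PE\\0\\0" ->
    COFF header with an empty optional header -> section table). Enough for a
    section-name scan; it is not a loadable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    #       NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b""
    for name in section_names:
        # IMAGE_SECTION_HEADER: 8-byte name followed by nine numeric fields
        table += name.encode().ljust(8, b"\x00")
        table += struct.pack("<IIIIIIHHI", 0, 0, 0, 0, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\x00\x00" + coff + table


def pe_section_names(data):
    """Return the section names of a PE image, validating the headers on the way."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (n_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size          # section table follows the optional header
    names = []
    for i in range(n_sections):
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    return any(n in UPX_SECTION_NAMES for n in pe_section_names(data))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_against_reference(data, expected_sha256):
    """True when the file hashes to the reference value (e.g. the hash the
    library's original author publishes). compare_digest is habit here."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def triage(data, expected_sha256=None):
    """One-call summary: hash, section names, UPX hint, and reference match."""
    report = {
        "sha256": sha256_hex(data),
        "sections": pe_section_names(data),
        "upx_packed": looks_upx_packed(data),
    }
    if expected_sha256 is not None:
        report["matches_reference"] = verify_against_reference(data, expected_sha256)
    return report


if __name__ == "__main__":
    # Stand-in for the upstream DLL and for a repacked/modified copy of it.
    original = build_fake_pe([".text", ".rdata", ".data"])
    repacked = build_fake_pe(["UPX0", "UPX1", ".rsrc"])
    reference = sha256_hex(original)      # would come from the author's page
    print("original:", triage(original, reference))
    print("repacked:", triage(repacked, reference))
    # Real use: triage(open("libWiiSharp.dll", "rb").read(), "<published hash>")
```

    A hash mismatch against the upstream author's published value is the finding that actually settles FIX94's question; the UPX check only explains why a heuristic engine fires, and unpacking (as techboy notes) changes the hash, so compare like with like.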
     
  17. raptor5001

    Newcomer raptor5001 Member

    Joined:
    Aug 4, 2006
    Messages:
    49
    Country:
    United States
    According to Google, Trojan.Downloader and Win32/Agent.gen!I (both are malware names ModMii was detected as being) are generic detection names for, well, trojan downloaders (or malware whose only purpose is to download and set up other malware). These names are only used by a heuristics scan, which is used to scan for suspicious code in order to detect malware not yet added to the definitions.

    A sample:
    http://www.microsoft.com/security/portal/T...Agent.gen!I
    http://www.symantec.com/security_response/...-011710-3138-99

    So I'm going to guess that the heuristic scanners in some of these anti-malware products are picking up on code in ModMii that downloads many large files and also performs many file operations/manipulations with those files.

    TL;DR: False positive, most likely.
     
  18. DeadlyFoez

    Member DeadlyFoez Banned

    Joined:
    Apr 12, 2009
    Messages:
    5,224
    Country:
    United States
    As a VERY personal friend of XFlak's, I know for a fact that he did not and will not ever do anything intentionally malicious to someone. He is too good of a person and he has too great a reputation to throw away for something so stupid. It is a false positive. All of the supporting apps have not been updated for a long time. Someone or some company (like Nintendo possibly) reported these types of apps as being dangerous.

    Really, how many times have you downloaded a legit keygen and your antivirus went crazy over it while it really was safe? For me, it happened a lot a few years ago before I had the money to buy everything without dealing with warez.

    Now that XFlak is back in his hometown and done with his honeymoon, I am sure he will look into this and find ways to prevent this from happening anymore if it is in his power and possibility to do so.
     
  19. The_Lost_Sabre

    Member The_Lost_Sabre Naberius the Nauseous

    Joined:
    Jan 19, 2008
    Messages:
    212
    Location:
    The Void
    Country:
    Canada
    I say it's false positives. XFlak would never put in any malicious code or download of any kind. Besides, it's a non-official program; it's obvious that any sort of antivirus, antispyware, and/or antimalware would declare those kinds of programs as potentially dangerous as a precaution.

    You can just whitelist it so that whatever you're using will ignore it in the future.
     
  20. shortz1994

    Member shortz1994 GBAtemp Maniac

    Joined:
    Jan 21, 2011
    Messages:
    1,341
    Country:
    United States
    @PsyBlade, even "suggesting" someone might lie, you are calling them a liar. As far as trusting XFlak because he is "Canadian", lol... I trust him because he hasn't given me a reason NOT to trust him. I trust them (Canadians) more than our own citizens here in the US.
     
