Trojan.Downloader with ModMii?

Discussion in 'Wii - Hacking' started by youngrex, Jul 26, 2011.

  1. youngrex
    OP

    youngrex Advanced Member

    Newcomer
    99
    0
    Nov 10, 2010
    United States
    not sure if this is just false or not but my Malwarebytes' Anti-Malware 1.51.1.1800 picked this up http://prntscr.com/2feu0

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7255

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    7/26/2011 9:47:18 AM
    mbam-log-2011-07-26 (09-47-18).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 253281
    Time elapsed: 1 hour(s), 30 minute(s), 56 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\Owner\Desktop\ModMii\ModMii.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
     


  2. Krestent

    Krestent What to post?

    Member
    3,953
    33
    Mar 31, 2009
    United States
    One of two things are possible:
    1. It's a false alarm
    2. You downloaded ModMii from someplace else than the link in the ModMii thread.
     
  3. Nujui

    Nujui I need something to do.

    Member
    3,933
    129
    Aug 12, 2010
    United States
    Dreamland.
    It's probably false; I've used ModMii and I've never gotten any virus from it.
     
  4. FIX94

    FIX94 Global Moderator

    Global Moderator
    6,823
    8,179
    Dec 3, 2009
    Germany
    ???
    Some guy reported ModMii as a virus and now all programs are alerting. It's a false positive.
     
  5. youngrex
    OP

    youngrex Advanced Member

    Newcomer
    99
    0
    Nov 10, 2010
    United States
    That's what I was thinking, because this is the first time anything ever came up.
     
  6. game_rat

    game_rat Advanced Member

    Newcomer
    93
    8
    Feb 7, 2011
    United States
    Same thing happened to me over the weekend, I was trying to update my existing ModMii installation and McAfee went nuts.
     
  7. techboy

    techboy GBAtemp Advanced Maniac

    Member
    1,720
    21
    Mar 15, 2009
    United States
    Pennsylvania
    AVG isn't complaining for me, but a lot of others are...

    VirusTotal (15 of 43 are positive):
    Also of note: Unpacking the UPX on ModMii stops most of the false positives.
     
  8. G0dLiKe

    G0dLiKe who needs a title ;)

    Member
    1,674
    51
    Aug 2, 2009
    United States
    AVG is complaining for me...
     
  9. xfcrowman

    xfcrowman GBAtemp Fan

    Member
    431
    13
    Mar 14, 2009
    United States
    As others have said, it is a false positive and everyone should have their anti-virus programs ignore it.

    Modmii is safe and has always been safe.
     
  10. PsyBlade

    PsyBlade Snake Charmer

    Member
    2,204
    254
    Jul 30, 2009
    Gambia, The
    Sol III
    Has anyone of the people who say it's a false positive actually analysed it?
    It wouldn't be the first tool infected with malware without its author knowing (or simply lying about it).
    And no, checking the source does not cut it unless you can compile it to exactly the same binary.
    Even if you assume that it's the real code, it could be infected after or during compilation.
     
  11. djgarf

    djgarf I Am A Raver

    Former Staff
    2,955
    32
    Oct 24, 2002
    England U.K.
    It's because the exe is UPX packed and the way it calls other files (like wget).
     
  12. JoostinOnline

    JoostinOnline Certified Crash Test Dummy

    Member
    10,918
    3,689
    Apr 2, 2011
    United States
    The Twilight Zone
    You aren't suggesting XFlak is lying about it, are you? He may be Canadian, but I trust him.
     
  13. loco365

    loco365 GBAtemp Guru

    Member
    5,458
    2,671
    Sep 1, 2010
    Avira's been giving me shit on it once in a while, but I'm pretty sure it's a false positive.
     
  14. PsyBlade

    PsyBlade Snake Charmer

    Member
    2,204
    254
    Jul 30, 2009
    Gambia, The
    Sol III
    I'm suggesting he MIGHT lie. I don't think he does but there is no way I could verify that.
    I think you should always be circumspect on the internet.
    Especially since malware is multi million dollar business nowadays.

    I only wanted to point out that people should be more cautious about what they claim if they can not verify that at least to some degree;
    potentially having your data stolen (CC, SSN, ...) is no easy matter.
     
  15. DGenerateKane

    DGenerateKane GBAtemp Fan

    Member
    357
    19
    Jul 18, 2009
    United States
    I'm curious why my copy of MBAM with up-to-date definitions (it updates automatically several times a day) didn't flag it, but when I updated to the latest version of the program it started bitching. I updated the program at least a week after the update was released, so I don't understand what could have changed.
     
  16. FIX94

    FIX94 Global Moderator

    Global Moderator
    6,823
    8,179
    Dec 3, 2009
    Germany
    ???
    After some more looking into the problem it seems like it could be a Virus.
    The file which is reported as a virus is libWiiSharp.dll. XFlak's file list refers to Leathl's libWiiSharp version, which is NOT detected as a virus. So maybe the file was infected on his computer somehow.
     
  17. raptor5001

    raptor5001 Advanced Member

    Newcomer
    53
    0
    Aug 4, 2006
    United States
    According to Google, Trojan.Downloader and Win32/Agent.gen!I (both are malware names ModMii was detected as being) are generic detection names for, well, trojan downloaders (or malware whose only purpose is to download and set up other malware). These names are only used by a heuristics scan, which is used to scan for suspicious code in order to detect malware not yet added to the definitions.

    A sample:
    http://www.microsoft.com/security/portal/T...Agent.gen!I
    http://www.symantec.com/security_response/...-011710-3138-99

    So I'm going to guess that the heuristic scanners in some of these anti-malware products are picking up on code in ModMii that downloads many large files and also performs many file operations/manipulations with those files.

    TL;DR: False positive, most likely.
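    An added example, not from this thread or from ModMii itself, of the two traits techboy and djgarf point to and raptor5001's heuristic explanation: a UPX-packed executable carries section names UPX0/UPX1 and near-random section contents, which generic heuristics key on regardless of what the program does. The PE images it inspects are constructed inline (minimal, not loadable); the 7.0 bits/byte entropy threshold is an assumption.

```python
import math
import random
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data approaches 8.0."""
    n = len(data)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(blob: bytes):
    """Yield (name, raw_size, entropy) for each section header in a PE image."""
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]  # e_lfanew
    if blob[:2] != b"MZ" or blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", blob, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe_off + 20)[0]
    table = pe_off + 24 + opt_size  # section table follows the optional header
    for i in range(num_sections):
        hdr = blob[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)
        yield name, raw_size, shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])

def upx_indicators(blob: bytes) -> dict:
    """UPX section names and near-random sections: two traits heuristics key on."""
    secs = list(pe_sections(blob))
    return {"upx_sections": [n for n, _, _ in secs if n.upper().startswith("UPX")],
            "high_entropy": [n for n, sz, e in secs if sz and e > 7.0]}  # 7.0 is an assumed cutoff

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE (no optional header, not loadable) for offline tests."""
    pe_off, n = 0x40, len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0)  # SizeOfOptionalHeader = 0
    headers, payload, data_off = b"", b"", pe_off + 24 + 40 * n
    for name, data in sections:
        headers += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data),
                               data_off + len(payload), 0, 0, 0, 0, 0x60000020)
        payload += data
    return dos + b"PE\0\0" + coff + headers + payload

def samples() -> dict:
    """Constructed inputs: a UPX-style layout beside an ordinary unpacked layout."""
    rng = random.Random(2011)
    packed = [(b"UPX0", b""), (b"UPX1", bytes(rng.getrandbits(8) for _ in range(4096)))]
    clean = [(b".text", b"\x55\x8b\xec\x83" * 500), (b".data", b"ModMii\0" * 300)]
    return {"packed": build_sample_pe(packed), "clean": build_sample_pe(clean)}

if __name__ == "__main__":
    for kind, blob in samples().items():
        print(kind, upx_indicators(blob))
```

    Run against a real download, the same walk shows whether a "Trojan.Downloader" verdict coincides with packing traits; it does not clear the file, which only a hash match against the author's published build or an unpacked inspection can do.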
     
  18. DeadlyFoez

    DeadlyFoez Banned!

    Member
    5,363
    1,352
    Apr 12, 2009
    United States
    As a VERY personal friend of XFlak's, I know for a fact that he did not and will not ever do anything intentionally malicious to someone. He is too good of a person and he has too great of a reputation to throw away for something so stupid. It is a false positive. All of the supporting apps have not been updated for a long time. Someone or some company (like Nintendo possibly) reported these types of apps as being dangerous.

    Really, how many times have you downloaded a legit keygen and your antivirus went crazy over it while it really was safe? For me, it happened a lot a few years ago before I had the money to buy everything without dealing with warez.

    Now that XFlak is back in his hometown and done with his honeymoon, I am sure he will look into this and find ways to prevent this from happening anymore if it is in his power and possibility to do so.
     
  19. The_Lost_Sabre

    The_Lost_Sabre Naberius the Nauseous

    Member
    212
    49
    Jan 19, 2008
    Canada
    The Void
    I say it's a false positive. XFlak would never put in any malicious code or download of any kind. Besides, it's a non-official program; it's obvious that any sort of antivirus, antispyware, and/or antimalware would declare that kind of program as potentially dangerous as a precaution.

    You can just whitelist it so that whatever you're using will ignore it in the future.
     
  20. shortz1994

    shortz1994 GBAtemp Maniac

    Member
    1,341
    157
    Jan 21, 2011
    United States
    @PsyBlade, even "suggesting" someone might lie, you are calling them a liar. As far as trusting XFlak because he is "Canadian", lol... I trust him because he hasn't given me a reason NOT to trust him. I trust them (Canadians) more than our own citizens here in the US.