Virus shipped with my Acekard RPG !

Discussion in 'Acekard' started by GH0ST, Aug 13, 2008.

Aug 13, 2008
  1. GH0ST
    OP

    Member GH0ST Your Hero is a Ghost

    Joined:
    Dec 17, 2006
    Messages:
    924
    Location:
    I was here... before...
    Country:
    France
    As I mentioned (... in the shout box) a few days ago, a virus was embedded in the NAND memory of my ACEKARD RPG, which I bought a few days ago at assentek.com

    Hopefully I had first run the ACE from my Nintendo (just coming back from Nintendo Services) with a clean brand new 4 GB SDHC card and checked the option to see all files, and I noticed a suspicious o.exe (0.vir renamed) and a strange autorun.inf at the root of the card.

    After renaming, I submitted these files to an online check (virustotal.com)... positive... and here is the full report made by ThreatExpert:

    http://www.threatexpert.com/report.aspx?md...765ac939959a2ab
    File MD5: 0x92A4F4A3138BA16CB765AC939959A2AB
    File size: 118,501 bytes

    I deleted / reformatted from Linux the four partitions found on the drive and everything is fine now... Hopefully!!!

    What do you think about that? I wonder if somebody else encounters the same thing.
     
  2. Smiths

    Member Smiths AKAIO Person of Interest

    Joined:
    Feb 24, 2003
    Messages:
    1,318
    Location:
    The land of Dairy Queen
    Country:
    United States
    You sure that's not a virus on your computer that automatically put the files on any USB device attached to it? Hooking up the RPG to a computer technically just gives you a 1GB flash drive.
     
  3. dib

    Member dib GBAtemp Advanced Maniac

    Joined:
    May 1, 2004
    Messages:
    1,561
    Country:
    United States
    Good point. Although it is also feasible that the retailer received it under RMA or as a return then resold it. This happened to me when I purchased my DS-X way back, it arrived with a rom and some mp3s already stored.
     
  4. IOwnAndPwnU

    Member IOwnAndPwnU GBAtemp Maniac

    Joined:
    Jul 31, 2008
    Messages:
    1,123
    Country:
    Canada
    WOW!

    Ask them why the fuc* there was a virus on the NAND.
    Thumbs down for the site ... probably.
     
  5. Joey90

    Member Joey90 Not around any more

    Joined:
    Apr 21, 2007
    Messages:
    703
    Location:
    UK
    Country:
    United Kingdom
    It says it has the ability to copy itself onto any USB drives, so either you, or the person that tested it has the virus. I don't think it is intentional though...

    Basically, if it appears again then you should be worried about your computer, otherwise you could try emailing the shop, though I don't know if they would care...
     
  6. IOwnAndPwnU

    Member IOwnAndPwnU GBAtemp Maniac

    Email them or whatever. Ask them why the fuc* you got a virus on the AKRPG. If they don't respond, or say they did it purposely (yeah right), it's probably not a good choice to buy from them anymore.
     
  7. GH0ST
    OP

    Member GH0ST Your Hero is a Ghost

    I left a message in their forums and they just answered (they said they are investigating this with the Acekard team... but they doubt it is a virus... so I copy-pasted the report... http://forum.assentek.com/index.php?topic=566.0 )

    The Acekard was NOT connected to any of my computers at this time... also I do not allow autorun on removable units, so I am 100% sure the 0.exe file and the autorun.inf were on the NAND when I got my card.

    The package was not sealed and akmenu409_release_20080227.rar (09/04/2008) was present on the root of the card: it was even installed (dated 27/7/2008; purchase date 6th of August).
     
  8. Bri

    Member Bri GBAtemp Psycho!

    Joined:
    Dec 25, 2007
    Messages:
    3,413
    Country:
    United States
    So does the store you bought it from test the carts before they send them out? If so, why would they need to investigate it with the Acekard team? If not, why was your package opened and how was the .rar file placed on the card only a few days before you purchased it? Maybe they sold you a returned cart but don't want to admit it.

    -Bri
     
  9. Ferrariman

    Member Ferrariman Hip-Flop and cRap

    Joined:
    Dec 9, 2007
    Messages:
    3,357
    Location:
    Canader.
    Country:
    Canada
    lol the admin is all like, "it's not a virus..... ummm................................................. it's a video game!!!!!"
     
  10. GH0ST
    OP

    Member GH0ST Your Hero is a Ghost

    Lol yes... they finally changed their mind...


    I hope this will help newbies:

    - Disable auto exec and auto play on USB keys and removable disks; see for example http://afterlight.110mb.com/2007/06/30/worms-and-usb-flash-drives-gang-up-disable-auto-run/
    - Check if there is any .exe or autorun.inf at the root of the card before plugging it into a PC (from start menu settings: show all files, and from advanced settings: show hidden files); delete them (or rename to *.vir, move & archive to a subfolder)

    I saw more and more professional and particular computers infected by various USB key viruses... since autorun is enabled by default on Windows... So... take care ;-)

    I guess so ... it was also the last one they had in stock dixit ^^ ... but now it is mine and it is clean ;-)
     
  11. NeSchn

    Member NeSchn GBAPimpdaddy.

    Joined:
    Oct 4, 2007
    Messages:
    3,533
    Location:
    Troy,New York PimpStatus: King
    Country:
    United States
    That's odd, I am glad nothing happened to your computer or your card.
     
  12. IOwnAndPwnU

    Member IOwnAndPwnU GBAtemp Maniac

    Safe. Thanks for the link for "newbies." Was kinda interesting.
     
  13. f3l1x

    Newcomer f3l1x Member

    Joined:
    May 14, 2008
    Messages:
    19
    Country:
    United States
    Got it on one I just ordered from Deal Extreme. Mine was o.exe (not a zero) so I didn't see it when I searched here for it. I inadvertently started a new thread...

    http://gbatemp.net/index.php?showtopic=100...p;#entry1345823

    So yea... I'm not surprised at all. This is kind of common with flash devices coming from China and has nothing to do with Acekard specifically, as my packaging was obviously rifled through (still could be unrelated). Any flash device (especially ones made in China) can and has had this happen to it. http://www.google.com/search?hl=en&q=s...ith+virus+china Also, Acekards aren't sealed so it's pretty easy to mess with en route.

    Worst case scenario, the fab or acekard (whoever loads the sw and tests each card) is infected and it IS an acekard issue.

    Be on the safe side and disable autorun (http://www.engadget.com/2004/06/29/how-to-tuesday-disable-autorun-on-windows/)
    ... and format anything flash related before you use it.
     
  14. GH0ST
    OP

    Member GH0ST Your Hero is a Ghost

    Mine was o.exe (not a zero) too... I mistakenly renamed the nasty thing to 0.vir but I just rechecked: the archive is effectively o.exe (see ThreatExpert report also)

    You can compare the MD5 signature and the size from my first post; I guess it is the same thing.

    You may use this fix if you've got infected by Kavo variants: http://net-studio.org/application/kavo-variants.php

    Here is a link to another post with some details on various tools you can use to prevent / clean such trojans: http://www.theeldergeek.com/forum/index.php?showtopic=30506

    To prevent further actions you can add this line to your HOSTS file
    # Kavo virus tries to connect to this site ( 127.0.0.1 resolves the address to your localhost ... not to mention this site is known for other threats DON'T TRY to ACCESS it )
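
The root-of-card check suggested in this thread (look for autorun.inf and executables before the card reaches a Windows PC, then compare MD5 and size with the first post), as an added example that is not part of any forum post. Function names and the extension list are assumptions, the sample files are constructed, and the MD5 and size are the ones quoted in the first post.

```python
import hashlib
import os
import re
import tempfile

# MD5 and size quoted in the first post (ThreatExpert report for o.exe).
REPORTED_MD5 = "92a4f4a3138ba16cb765ac939959a2ab"
REPORTED_SIZE = 118501
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
# autorun.inf keys that name a program to launch
LAUNCH_KEY = re.compile(r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.I)

def md5_of(path):
    h = hashlib.md5()  # used only to compare against the published report
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_root(root, known_md5=REPORTED_MD5, known_size=REPORTED_SIZE):
    """List launch targets in autorun.inf and executables at the card root; runs nothing."""
    findings = {"autorun_targets": [], "executables": []}
    for name in sorted(os.listdir(root)):  # listdir also returns hidden files
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        if name.lower() == "autorun.inf":
            with open(path, "r", errors="replace") as fh:
                for line in fh:
                    m = LAUNCH_KEY.match(line)
                    if m:
                        findings["autorun_targets"].append(m.group(2))
        elif os.path.splitext(name)[1].lower() in EXEC_EXT:
            digest, size = md5_of(path), os.path.getsize(path)
            hit = digest == known_md5.lower() and size == known_size
            findings["executables"].append(
                {"name": name, "size": size, "md5": digest, "matches_report": hit})
    return findings

def demo():
    # Constructed sample card root with harmless bytes, not the real file.
    with tempfile.TemporaryDirectory() as card:
        with open(os.path.join(card, "AutoRun.inf"), "w") as fh:
            fh.write("[autorun]\nopen=o.exe\nshell\\open\\command=o.exe\n")
        with open(os.path.join(card, "o.exe"), "wb") as fh:
            fh.write(b"MZ constructed placeholder")
        return scan_root(card)

if __name__ == "__main__":
    print(demo())
```

Point `scan_root` at the card's mount point on a machine that does not act on autorun.inf, such as the Linux system used in the first post.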
     
  15. Renegade_R

    Member Renegade_R Audio/Video Expert

    Joined:
    Apr 21, 2004
    Messages:
    1,654
    Location:
    Toronto, Ontario
    Country:
    Canada
    Most computers in China have viruses actually (I've been there and most computers are in bad shape) mostly because everyone in China uses Internet Explorer and installs tons of malware in the form of 'removal' programs.
     
