trojan TR/PSW.Nilage.hhl in lua51.dll

Runes of Magic/Radiant Arcana (http://www.runesofmagic.com)
Rainer12345
Posts: 8
Joined: Wed Jul 07, 2010 1:42 am

trojan TR/PSW.Nilage.hhl in lua51.dll

#1 Post by Rainer12345 » Wed Jul 07, 2010 1:50 am

Yesterday my scanner (Avira) found trojan TR/PSW.Nilage.hhl in lua51.dll.

I got my copy of micromacro from this site some weeks ago and never got a warning. Everything works fine. I deleted the file and tried a new download from here. Same result.

Here is the log from virustotal.com:

Datei micromacro.zip empfangen 2010.07.04 22:54:18 (UTC)
Status: Beendet
Ergebnis: 8/41 (19.51%)
Antivirus Version letzte aktualisierung Ergebnis
a-squared 5.0.0.31 2010.07.04 Trojan-GameThief.Win32.Nilage!IK
AhnLab-V3 2010.07.03.00 2010.07.03 -
AntiVir 8.2.4.2 2010.07.04 -
Antiy-AVL 2.0.3.7 2010.07.02 -
Authentium 5.2.0.5 2010.07.04 -
Avast 4.8.1351.0 2010.07.04 -
Avast5 5.0.332.0 2010.07.04 -
AVG 9.0.0.836 2010.07.04 -
BitDefender 7.2 2010.07.05 Trojan.Generic.4318767
CAT-QuickHeal 11.00 2010.06.30 -
ClamAV 0.96.0.3-git 2010.07.04 -
Comodo 5318 2010.07.04 -
DrWeb 5.0.2.03300 2010.07.04 -
eSafe 7.0.17.0 2010.07.04 -
eTrust-Vet 36.1.7684 2010.07.03 -
F-Prot 4.6.1.107 2010.07.04 -
F-Secure 9.0.15370.0 2010.07.04 Trojan.Generic.4318767
Fortinet 4.1.133.0 2010.07.04 -
GData 21 2010.07.05 Trojan.Generic.4318767
Ikarus T3.1.1.84.0 2010.07.04 Trojan-GameThief.Win32.Nilage
Jiangmin 13.0.900 2010.07.03 -
Kaspersky 7.0.0.125 2010.07.04 Trojan-GameThief.Win32.Nilage.hhl
McAfee 5.400.0.1158 2010.07.05 -
McAfee-GW-Edition 2010.1 2010.07.04 -
Microsoft 1.5902 2010.07.03 -
NOD32 5251 2010.07.04 -
Norman 6.05.10 2010.07.04 -
nProtect 2010-07-04.02 2010.07.04 -
Panda 10.0.2.7 2010.07.04 -
PCTools 7.0.3.5 2010.07.02 -
Prevx 3.0 2010.07.05 -
Rising 22.54.04.04 2010.07.02 -
Sophos 4.54.0 2010.07.05 -
Sunbelt 6543 2010.07.04 -
Symantec 20101.1.0.89 2010.07.04 -
TheHacker 6.5.2.1.307 2010.07.04 -
TrendMicro 9.120.0.1004 2010.07.04 PAK_Generic.001
TrendMicro-HouseCall 9.120.0.1004 2010.07.05 -
VBA32 3.12.12.5 2010.07.02 Trojan-GameThief.Win32.Nilage.hhl
ViRobot 2010.7.3.3920 2010.07.04 -
VirusBuster 5.0.27.0 2010.07.04 -
weitere Informationen
File size: 389994 bytes
MD5 : b3cf8137a930f903a346a0aa22a80838
SHA1 : f2f40799e85786611c61bc26bad232aeaa07f43c
SHA256: 475a58f138b1cd38ef4807b0891d1a202c6857663bcfec1897d34f664c03b065
TrID : File type identification
ZIP compressed archive (99.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
Symantec reputation: Suspicious.Insight
ssdeep: 6144:l6l2d8MV9fYpPOanQAQtp60EWV5Qp4gXRXexC7yCplExawxVU5OeXTcQL+mI/wZ:l6lLc9QnfQtpRpdghexVC8xa+QO7w+zi
sigcheck: publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD : -
packers (Kaspersky): PE_Patch.UPX, UPX, PE_Patch.UPX, UPX
packers (F-Prot): UPX
packers (Authentium): UPX
RDS : NSRL Reference Data Set


I really like this bot, but in this case I won't use it anymore.

rock5
Posts: 12173
Joined: Tue Jan 05, 2010 3:30 am
Location: Australia

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

#2 Post by rock5 » Wed Jul 07, 2010 2:30 am

Might have something to do with the fact that the bot writes to memory.
romvn
Posts: 16
Joined: Tue May 04, 2010 10:22 pm

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

#3 Post by romvn » Wed Jul 07, 2010 3:26 am

Well, for a while now my Kaspersky has always deleted it. I believe there's no reason for the development team of this cool bot to try to steal your account.

Anyway, some explanations from Admin?
Proud to be the GREATEST botter in Chúa Tể Phục Sinh (RoM Vietnamese version)

Rainer12345
Posts: 8
Joined: Wed Jul 07, 2010 1:42 am

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

#4 Post by Rainer12345 » Wed Jul 07, 2010 5:06 am

That's why I post this stuff.

I really like this bot, but an explanation would be nice. If you look in the German forum you can see that I'm not the only one with this warning. The other one is also from yesterday.

http://www.elitepvpers.de/forum/rom-hac ... t-154.html

3cmSailorfuku
Posts: 354
Joined: Mon Jan 21, 2008 6:25 pm

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

#5 Post by 3cmSailorfuku » Wed Jul 07, 2010 6:28 am

Unpack the files with UPX. If you scan only Lua51 on VirusTotal, then only Avira will notify you that it's a trojan; otherwise, apparently, if you pack the files into a zip or rar it just gets worse on VirusTotal and you'll get more false alarms.

Administrator
Site Admin
Posts: 5313
Joined: Sat Jan 05, 2008 4:21 pm

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

#6 Post by Administrator » Wed Jul 07, 2010 9:15 am

I think the fact that it's not the official Lua DLL (it has been patched to allow for yielding across coroutines) and that it was UPX packed is what was causing this. It's typically installed with games, so an unfamiliar copy like this might trigger anti-virus software to consider it a virus. That's my best guess.

I can start releasing it without being UPX packed. In fact, you can download the latest copy with unpacked Lua51.dll (but still UPX packed micromacro.exe; virustotal sees it as clean, so it should be fine) from here.
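
A triage check for the UPX packing discussed in this thread, as an added example that is not part of the original posts or the micromacro project: it reads a PE file's section table and reports the `UPX0`/`UPX1` section names and `UPX!` marker that an unmodified UPX leaves behind. The function names are hypothetical and the sample images are constructed headers, not real DLLs.

```python
import struct

def pe_section_names(data):
    """Return section names from the section table of a PE image (EXE/DLL)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image (extract archives first)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    if e_lfanew + 24 > len(data):
        raise ValueError("truncated COFF header")
    # COFF header follows the signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20, optional header starts at +24.
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]  # 40-byte entries
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def upx_indicators(data):
    """List the stock UPX artefacts present in a PE image."""
    hits = ["section " + n for n in pe_section_names(data) if n.startswith("UPX")]
    if b"UPX!" in data:  # magic of the UPX pack header
        hits.append("UPX! marker")
    return hits

def build_sample(names, extra=b""):
    """Constructed, non-loadable PE header used only as test input."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x2102)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + table + extra

# Constructed samples: one laid out like a UPX-packed DLL, one like a plain DLL.
PACKED_SAMPLE = build_sample(["UPX0", "UPX1", ".rsrc"], b"UPX!")
PLAIN_SAMPLE = build_sample([".text", ".rdata", ".data", ".rsrc", ".reloc"])

if __name__ == "__main__":
    print("packed:", upx_indicators(PACKED_SAMPLE))
    print("plain: ", upx_indicators(PLAIN_SAMPLE))
```

A renamed or modified packer stub leaves none of these artefacts, so an empty result does not prove a file is unpacked.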

Rainer12345
Posts: 8
Joined: Wed Jul 07, 2010 1:42 am

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

#7 Post by Rainer12345 » Wed Jul 07, 2010 11:13 am

Uhm ... the new (experimental) version of micromacro makes Avira very excited. I can't click away the trojan warnings fast enough ...

Virustotal thinks it's not really clean ...

Antivirus Version letzte aktualisierung Ergebnis
a-squared 5.0.0.31 2010.07.07 Trojan-GameThief.Win32.Nilage!IK
AhnLab-V3 2010.07.07.01 2010.07.07 -
AntiVir 8.2.4.10 2010.07.07 TR/PSW.Nilage.hhl
Antiy-AVL 2.0.3.7 2010.07.07 -
Authentium 5.2.0.5 2010.07.07 -
Avast 4.8.1351.0 2010.07.07 -
Avast5 5.0.332.0 2010.07.07 -
AVG 9.0.0.836 2010.07.07 -
BitDefender 7.2 2010.07.07 Trojan.Generic.4318767
CAT-QuickHeal 11.00 2010.07.07 -
ClamAV 0.96.0.3-git 2010.07.07 -
Comodo 5350 2010.07.07 -
DrWeb 5.0.2.03300 2010.07.07 -
eSafe 7.0.17.0 2010.07.07 -
eTrust-Vet 36.1.7690 2010.07.07 -
F-Prot 4.6.1.107 2010.07.07 -
F-Secure 9.0.15370.0 2010.07.07 Trojan.Generic.4318767
Fortinet 4.1.133.0 2010.07.07 -
GData 21 2010.07.07 Trojan.Generic.4318767
Ikarus T3.1.1.84.0 2010.07.07 Trojan-GameThief.Win32.Nilage
Jiangmin 13.0.900 2010.07.07 -
Kaspersky 7.0.0.125 2010.07.07 Trojan-GameThief.Win32.Nilage.hhl
McAfee 5.400.0.1158 2010.07.07 -
McAfee-GW-Edition 2010.1 2010.07.05 -
Microsoft 1.5902 2010.07.07 -
NOD32 5259 2010.07.07 -
Norman 6.05.11 2010.07.07 -
nProtect 2010-07-07.02 2010.07.07 -
Panda 10.0.2.7 2010.07.07 -
PCTools 7.0.3.5 2010.07.07 -
Prevx 3.0 2010.07.07 -
Rising 22.55.02.04 2010.07.07 -
Sophos 4.54.0 2010.07.07 -
Sunbelt 6556 2010.07.07 Trojan.Win32.Generic!BT
Symantec 20101.1.0.89 2010.07.07 -
TheHacker 6.5.2.1.309 2010.07.06 -
TrendMicro 9.120.0.1004 2010.07.07 PAK_Generic.001
TrendMicro-HouseCall 9.120.0.1004 2010.07.07 -
VBA32 3.12.12.6 2010.07.07 Trojan-GameThief.Win32.Nilage.hhl
ViRobot 2010.6.29.3912 2010.07.07 -
VirusBuster 5.0.27.0 2010.07.06 -
weitere Informationen
File size: 648669 bytes
MD5...: 7ef5a6bc34b0fb2ccd18aa352c650838
SHA1..: aeb60db6537b2a1d16ea014dbd810f47ca619f83
SHA256: 2f5e14d426a97487e68c122f7438d4cba46c8080c1c863cc6018a3331c0d18f8
ssdeep: 12288:h0q6lLc9QnhQtpRMa6lLc9QnyzknOo4rjQWPjcCRrMLvtgbT3CfY8z46gx6:h0q65cMa65DnMXQIjML1gbT3Cnzfgo
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: ZIP compressed archive (99.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_respon ... 23-0550-99
packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

If you think it's only because of the packed files ... maybe you can't post the correct dll unpacked? I tried the lua51.dll in my micromacro directory ... didn't work ...

Administrator
Site Admin
Posts: 5313
Joined: Sat Jan 05, 2008 4:21 pm

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

#8 Post by Administrator » Wed Jul 07, 2010 11:21 am

Are you sure you overwrote the file? This is what I'm seeing for the current lua51.dll: http://www.virustotal.com/analisis/d345 ... 1278511789

WhiteTiger
Posts: 84
Joined: Tue Jun 22, 2010 8:06 am

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

#9 Post by WhiteTiger » Wed Jul 07, 2010 6:48 pm

In my case, I don't care if there's a virus, this is the fucking best bot ever <3 :P

Rainer12345
Posts: 8
Joined: Wed Jul 07, 2010 1:42 am

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

#10 Post by Rainer12345 » Thu Jul 08, 2010 2:55 am

Administrator wrote: Are you sure you overwrote the file? This is what I'm seeing for the current lua51.dll: http://www.virustotal.com/analisis/d345 ... 1278511789

No, I'm not sure :). I never unpacked it :).

I played all the evening with this problem. Here is my "solution"...

I downloaded 3 different versions of micromacro from different sources. Every zip file made Avira blink like a Christmas tree. All zip files were checked in virustotal and were not clean.

I unpacked it and let Avira delete the dll. Then I downloaded the unpacked dll from Lua binaries. Result: no trojans ... but Windows errors.

In the end I took my old notebook with nothing but the OS installed and deactivated Avira. The unzipped dll is clean for Avira and virustotal. I copied this file to my main PC and checked the full system with 4 different scanners. No trojans.

Thanks for your help.

Administrator
Site Admin
Posts: 5313
Joined: Sat Jan 05, 2008 4:21 pm

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

#11 Post by Administrator » Thu Jul 08, 2010 7:39 am

I must have made a mistake when I uploaded the file. You are correct. That was still showing false positives from multiple anti-virus softwares.

Go ahead and redownload from the first post here. That should do the trick.

Wary
Posts: 5
Joined: Sun Jul 18, 2010 12:18 pm

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

#12 Post by Wary » Sun Jul 18, 2010 12:21 pm

I sent an email to Kaspersky today, notifying them about the false positive, and they fixed it in the newest signature update.

It is hot here today, so I didn't really want to search for the email addresses of other vendors too. If you own another AV that sees a virus here, maybe send it to them.
For Kaspersky, you just have to send a message to newvirus AT kaspersky.com, subject: False positive
(not for this file, obviously, because I already did. If your Kaspersky Anti Virus still detects this, update it!)

Administrator
Site Admin
Posts: 5313
Joined: Sat Jan 05, 2008 4:21 pm

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

#13 Post by Administrator » Sun Jul 18, 2010 1:12 pm

Thanks for taking the time to do this. I have, however, already gone ahead and unpacked that DLL for the latest release. It shouldn't be giving any virus warnings from any (respectable) anti-virus software, but if it does, please let me know.

gamergk
Posts: 3
Joined: Thu Jul 29, 2010 5:59 pm

lua51.dll trojan

#14 Post by gamergk » Thu Jul 29, 2010 6:10 pm

This bot is the best I've used in a long time, though 2 days ago my AVG antivirus v9.0 brought up a msg

saying "Infection" Trojan horse PSW.OnlineGames3.ARDD in lua51.dll


I used this bot for a while already and guess AVG antivirus detected it as a threat. I used WinRAR to extract it, AVG quickly detected it as a virus, also used 7zip, same results


Yeah, I know this bot is safe, I've used it a lot, though it would be good to get this issue fixed and bot once more heh

Running Win7 64bit in case you guys are wondering

MiesterMan
Posts: 543
Joined: Tue Jul 06, 2010 9:15 pm
Location: Between the Second and Third Circles of Hell

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

#15 Post by MiesterMan » Thu Jul 29, 2010 7:23 pm

I think someone mentioned this happens because the lua dll has been modified for this bot. Maybe renaming the dll with a revision at the end would fix this (I don't know if that's possible cause I don't know how programs use dlls)?

gamergk
Posts: 3
Joined: Thu Jul 29, 2010 5:59 pm

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

#16 Post by gamergk » Thu Jul 29, 2010 8:45 pm

If I'm right, dlls are like the gears that make the program run, not sure, just guessing lol

Administrator
Site Admin
Posts: 5313
Joined: Sat Jan 05, 2008 4:21 pm

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

#17 Post by Administrator » Thu Jul 29, 2010 8:46 pm

Renaming the DLLs is not a good idea, nor would it help.


As I've already posted multiple times today, just disable Resident Shield.

gamergk
Posts: 3
Joined: Thu Jul 29, 2010 5:59 pm

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

#18 Post by gamergk » Thu Jul 29, 2010 9:26 pm

Niiice, thanks for the help. Also sorry, I tried finding a solution to the problem through the forums, no luck though. Anywho, it's fixed, again many thanks
