Gamespy Arcade Win32/TrojanDownloader.SpyGame.A

Discussion in 'NOD32 version 2 Forum' started by phasechange, Jan 9, 2005.

Thread Status:
Not open for further replies.
  1. phasechange

    phasechange Registered Member

    Joined: Aug 10, 2004
    Posts: 359
    Location: Edinburgh
    Help!

    I am a registered GameSpy Arcade user and am happy with them gathering summary stats on my gaming. However, when trying to use their Arena service for Counter-Strike:

    http://www.liquidizer.net/GSA0.png

    I get this virus warning:

    http://www.liquidizer.net/GSA.png

    Is it a real threat? What does Win32/TrojanDownloader.SpyGame.A do?

    Thanks,
    Fairy
     
    Last edited: Jan 9, 2005
  2. phasechange

    Anyone know?
     
  3. Atangel

    Atangel Registered Member

    Joined: Aug 29, 2004
    Posts: 53
    Looks like a pest...

    http://www3.ca.com/securityadvisor/pest/Pest.aspx?id=453073352

    Glad NOD32 caught it myself :) Not sure how you would exclude it through IMON, though if you disable IMON you could probably exclude it through AMON... Though as a trojan downloader you'll likely (ok, I suspect) get more than you bargained for in the user agreement.

    I don't know much about Gamespy... Did you pay for the honor of being spied on and having statistics gathered or is this a free option and how they make their money back?
     
  4. quexx88

    quexx88 Registered Member

    Joined: Nov 26, 2004
    Posts: 235
    Location: Radnor, Pennsylvania
    I too am a registered GSA user, and have the latest NOD32 with AH and all the other bells and whistles turned on.

    A little while ago, NOD32 would flag Aphex.exe as a trojan, but this is obviously not so. A few updates later, it stopped. I would not be surprised if this is another false positive.

    What I would do is submit the file NOD32 is picking up to something like Jotti's malware scanner to confirm that it is indeed clean. If it checks out, submit the file to Eset as a false positive, and see if they correct it from there.

    If all else fails, use The All-Seeing Eye :ninja:

    EDIT: I scanned the GSA directory and it came up clean.
     
  5. phasechange

    I'll try submitting it; I've got it in quarantine.

    There is a free version of GSA, I subscribe to get member benefits. I reckon this trojan was just a script that would launch GSA. This I reckon confused NOD32. I have read the CA thing before but to be honest displaying banner ads and gathering stats on the most played games (which they only use at a summary level) is not something I find worrying. One of the problems with this Spyware thing is that the boundaries are blurry and debatable. I reckon the tools should focus where possible on the seriously troublesome stuff.

    Fairy
     
  6. phasechange

    File: alaunch.cab
    Status: INFECTED/MALWARE (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain in the ass -, results will not be stored in the database.)
    Packers detected: None

    AntiVir: No viruses found (0.15 seconds taken)
    Avast: No viruses found (1.51 seconds taken)
    BitDefender: No viruses found (0.34 seconds taken)
    ClamAV: No viruses found (0.43 seconds taken)
    Dr.Web: No viruses found (0.54 seconds taken)
    F-Prot Antivirus: No viruses found (0.07 seconds taken)
    Kaspersky Anti-Virus: not-a-virus:RiskWare.Downloader.SpyGame (0.65 seconds taken)
    mks_vir: No viruses found (0.20 seconds taken)
    NOD32: Win32/TrojanDownloader.SpyGame.A (0.38 seconds taken)
    Norman Virus Control: No viruses found (0.13 seconds taken)

    Kaspersky says this:

    not-a-virus:RiskWare.Downloader.SpyGame

    "Currently there is no description available for this malicious program."

    (ESET are no more informative.)
    In general, for this type of riskware they say:
    "Downloaders

    Even legal downloading utilities can be dangerous, since they are usually programmed to function in background regime, without direct intervention from the user. It is easy for a hacker to substitute links to infected resources for safe download sites, leading to malware being downloaded to the victim machine without the user's knowledge."

    I guess this thing is probably not very dangerous but not 100% risk free. As it doesn't give me any additional functionality, I just terminated it.

    Fairy
     
  7. sir_carew

    sir_carew Registered Member

    Joined: Sep 2, 2003
    Posts: 884
    Location: Santiago, Chile
    Extract the file in question, because there are some AVs that aren't able to scan within CAB packages. So, extract the file in question and submit it again. Maybe more AVs will detect that. Please post the results.

     