Millions could be infected: ProAgent @ Knight Online updates!

Discussion in 'malware problems & news' started by Kommix, Jun 4, 2007.

Thread Status:
Not open for further replies.
  1. Kommix

    Kommix Registered Member

    Joined:
    Jun 11, 2006
    Posts:
    3
    This might be urgent.

    According to jotti results, the KO client downloaded from Download.com had a big, irritating trojan named ProAgent actually in one file: KnightOnline.exe. Here's the result from Jotti:

    http://picasaweb.google.com/doctusblog/KnightOnline/photo#5072110716280488354

    Then we downloaded the client from the second location that KnightOnlineWorld.com offers to download, GameDaily.com. That was clean:

    http://picasaweb.google.com/doctusblog/KnightOnline/photo#5072110716280488370

    Then one of our forum members (forgot to mention, we are a Turkish Security platform named Doctus) suggested to update the client and then send it to Jotti again. The result was terrifying:

    http://picasaweb.google.com/doctusblog/KnightOnline/photo#5072273444001399234

    From the results, I suppose we understand two things:
    1. One or more of the updates of Knight Online game are infected with the ProAgent trojan.
    2. Download.com offers us the latest updated versions of software :D

    Related Doctus Blog article:
    http://blog.doctus.net/2007/06/04/millions-could-be-infected-proagent-knight-online-updates/

    The Digg entry for the article (you'll Digg it, right? :)):
    http://www.digg.com/security/Millions_could_be_infected_ProAgent_Trojan_Knight_Online

    Have a good evening,
    Kommix @ Doctus

    PS: Sorry that I could not post any images directly, as far as I see, PicasaWeb does not let me.
     
  2. sahan91

    sahan91 Registered Member

    Joined:
    Jun 19, 2006
    Posts:
    2
    Location:
    Turkeey
    Really most important a bug. Really millions could be infected.
     
    Last edited: Jun 4, 2007
  3. Kommix

    Kommix Registered Member

    Joined:
    Jun 11, 2006
    Posts:
    3
    I see that the Knight Online team claims that these warning are just false positives.

    I also see that in the forums of Knight online, they have already found the infected update: the update no.1472.

    If anyone can test it in a virtual machine and write whether it is a false positive or real, I'll be glad. I'd do it myself but I do not have a proper environment to run a virtual machine.
     
  4. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Another safe alternative is to test this out in a limited user account and see whether your AV generates any alerts.
    I'll try this out.

    Scanned with Mcafee Virusscan Enterprise 8.5i. DAT version 5046.0000


    Patch 1472
     

    Attached Files:

    Last edited: Jun 6, 2007
  5. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Hmm... I submitted the file to PC Tools' Threat Expert (a sort of a sandbox), and the file seems to not do much. Most likely it is a harmless file, i.e. false positive.
     
  6. Kommix

    Kommix Registered Member

    Joined:
    Jun 11, 2006
    Posts:
    3
    Thanks for the answers :) It's still weird that nearly all the anti-viruses give false positives - but not with their proactive detection systems.
     
  7. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Avira confirmed this is a FP and it will be removed from their detection.
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.