Millions could be infected: ProAgent @ Knight Online updates!

Discussion in 'malware problems & news' started by Kommix, Jun 4, 2007.

Thread Status:
Not open for further replies.
  1. Kommix

    Kommix Registered Member

    Joined:
    Jun 11, 2006
    Posts:
    3
    This might be urgent.

    According to Jotti results, the KO client downloaded from Download.com had a big, irritating trojan named ProAgent actually in one file: KnightOnline.exe. Here's the result from Jotti:

    http://picasaweb.google.com/doctusblog/KnightOnline/photo#5072110716280488354

    Then we downloaded the client from the second location that KnightOnlineWorld.com offers to download, GameDaily.com. That was clean:

    http://picasaweb.google.com/doctusblog/KnightOnline/photo#5072110716280488370

    Then one of our forum members (forgot to mention, we are a Turkish Security platform named Doctus) suggested to update the client and then send it to Jotti again. The result was terrifying:

    http://picasaweb.google.com/doctusblog/KnightOnline/photo#5072273444001399234

    From the results, I suppose we understand two things:
    1. One or more of the updates of the Knight Online game are infected with the ProAgent trojan.
    2. Download.com offers us the latest updated versions of software :D

    Related Doctus Blog article:
    http://blog.doctus.net/2007/06/04/millions-could-be-infected-proagent-knight-online-updates/

    The Digg entry for the article (you'll Digg it, right? :)):
    http://www.digg.com/security/Millions_could_be_infected_ProAgent_Trojan_Knight_Online

    Have a good evening,
    Kommix @ Doctus

    PS: Sorry that I could not post any images directly, as far as I see, PicasaWeb does not let me.
     
  2. sahan91

    sahan91 Registered Member

    Joined:
    Jun 19, 2006
    Posts:
    2
    Location:
    Turkeey
    This is a really important bug. Millions really could be infected.
     
    Last edited: Jun 4, 2007
  3. Kommix

    Kommix Registered Member

    Joined:
    Jun 11, 2006
    Posts:
    3
    I see that the Knight Online team claims that these warnings are just false positives.

    I also see that in the forums of Knight Online, they have already found the infected update: the update no. 1472.

    If anyone can test it in a virtual machine and write whether it is a false positive or real, I'll be glad. I'd do it myself but I do not have a proper environment to run a virtual machine.
     
  4. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Another safe alternative is to test this out in a limited user account and see whether your AV generates any alerts.
    I'll try this out.

    Scanned with McAfee VirusScan Enterprise 8.5i, DAT version 5046.0000.


    Patch 1472
     

    Last edited: Jun 6, 2007
  5. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Hmm... I submitted the file to PC Tools' Threat Expert (a sort of a sandbox), and the file seems to not do much. Most likely it is a harmless file, i.e. false positive.
     
  6. Kommix

    Kommix Registered Member

    Joined:
    Jun 11, 2006
    Posts:
    3
    Thanks for the answers :) It's still weird that nearly all the anti-viruses give false positives - but not with their proactive detection systems.
     
  7. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Avira confirmed this is a FP and it will be removed from their detection.
     