W32/HPPL.PHILIS.I

Discussion in 'NOD32 version 2 Forum' started by blaine, Sep 29, 2006.

Thread Status:
Not open for further replies.
  1. blaine

    blaine Registered Member

    Joined:
    Mar 1, 2006
    Posts:
    38
    Can you add this to the database? An online game I play accidentally put a virus in their last game update. McAfee is the only thing detecting it atm. It got past NOD32.

    Here is a link and what the game site says:


    "We regret to announce that there was a virus found in the last CO patch 4321. As a result, many of our players' computers may have been affected. The virus shows up in the form of a _desktop.ini file in the Conquer 2.0 folder, under C3/0003/611 and c3/0003/741. In other words, if you look at your CO directory and see a file named C3/0003/611/_desktop.ini or C3/0003/741/_desktop.ini, you are confirmed to have been infected. The file may be hidden, so you need to turn off the 'hide hidden file' option under Tools -> Folder Options -> View.

    Unfortunately, most of the current anti-virus programs, including Norton and Kaspersky etc., failed to catch this virus. This is how the virus has slipped through our QA's detection. The only confirmed tool to catch this virus so far is McAfee VirusScan Plus. This is a very malicious virus, so please follow the procedures below to delete this virus as soon as possible.

    1. Install McAfee on your computer. Make sure you uninstall any current antivirus program before you install McAfee. Otherwise there will be conflict between the 2 antivirus programs. You may download a trial version of McAfee at http://us.McAfee.com/root/downloads.asp
    2. Get the latest update of McAfee online.
    3. Run McAfee to catch and delete the virus. We recommend you restart your computer in Safe Mode before you run McAfee. To enter Safe Mode, reboot your computer, press F8 constantly, and select Safe Mode before Windows comes up.
    4. Place the following bat program in your C drive, and run the bat program. This will clean up the residuals of this virus.

    We apologize for this mistake, and are currently running an internal investigation on the cause of such mistake.

    Thank you for your support and understanding."

    http://article.91.com/englishnews/c/2006_9/N200692916044187931.Htm
    :(
     
    Last edited: Sep 29, 2006
  2. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    They didn't provide a name? ..
    Sounds very 'fishy' to me actually ..

    Don't mind my blindness... Topic title did actually provide a name .. :)
     
    Last edited: Sep 29, 2006
  3. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Which game?
     
  4. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Here is a link ... http://article.91.com/englishnews/c/2006_9/N200692916044187931.Htm

    The bat file provided to clean up only removes every file named '_desktop.ini'

    NOD32 has already detected a lot of W32/Philis for at least 2 and a half years.
    Marcos will know for certain if NOD32 detects this particular variant but I think it should already.

    In any case please send all samples not detected by NOD32 via email to samples @ eset.com and include a link to this thread.

    Cheers :)

    edit: Some aliases for PHILIS.I are: LOOKED, VIKING and STRATION so now I am almost certain NOD32 will detect this.
     
    Last edited: Sep 30, 2006
  5. blaine

    blaine Registered Member

    Joined:
    Mar 1, 2006
    Posts:
    38
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I've got an archive with a bunch of text files which is flagged by McAfee, just trying to narrow it down to the particular text file that triggers the false positive.
     
  7. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    It is a false positive?
    From what I understand McAfee is reacting to an INI file (_desktop.ini)? All I see in this file is what looks like a date ("2006/9/4")? Seems fairly harmless to me?

    EDIT: Flagged as "W32/HLLP.Philis.ini" not "W32/HPPL.Philis.I" as the topic says.
     
    Last edited: Sep 30, 2006
  8. proll

    proll Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    55
    Kaspersky named the virus "Viking"


    I have various samples of the Viking.
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    NOD32 detects Viking with a generic signature without the need to update, but this is not the case; we're talking about something completely different here.
     
  10. blaine

    blaine Registered Member

    Joined:
    Mar 1, 2006
    Posts:
    38
    Yay, hopefully it was just a false positive. Note, I ran a webscan with BitDefender, NOD32 (the one on my computer), Windows Live scanner, Kaspersky, and the only thing that found it (supposedly) was the McAfee online scan.
     