
Problem with site: Your Dolphin Emulator Link Was a TROJAN Virus. What Kind of Site Is This?



TriStyle
March 30th, 2011, 05:52
I was infected by two TROJAN viruses after trying to download your dolphin emulator. Is your site being attacked, or are you actually trying to infect people?

I will report this in the proper channels very soon if I don't have a suitable reply.

Thanks for your time.

-Ari Rejtman
-Student, Programmer.

Lefteris_D
March 30th, 2011, 16:09
Thank you for taking the time to report this TriStyle.

I did run a check on the website using two well acknowledged online tools, you may see the results here:

VirusTotal:
http://www.virustotal.com/url-scan/report.html?id=8698a750b588581a59f8239d9676aee9-1301489456

AVG ThreatLabs: http://www.avgthreatlabs.com/sitereports/domain/emulator-zone.com

I also checked the file downloads available for Dolphin using Avira AntiVir (http://www.avira.com) and Microsoft Security Essentials (http://www.microsoft.com/en-us/security_essentials/default.aspx) to make sure that those were clear as well.

So far both of them come clear. If for any reason you believe that there may be an exploit affecting the website do speak up as that will cause problems not just to you, but for other people as well.

I will continue to monitor this and make sure to post something if a problem turns up at once. In any case we do not try to infect people with viruses, that would be stupid on our part :)

Thank you.

Edit: Slight update, I checked http://dolphin-emu.org as well with the same tools since we link to it.

http://www.virustotal.com/url-scan/report.html?id=20c93d26fa77ad4bd443c768bdaa6ef6-1301490948
http://www.avgthreatlabs.com/sitereports/domain/dolphin-emu.org

It's clear as well.

TriStyle
March 30th, 2011, 20:52
Thanks for checking the files. Did you make sure to extract the files using the extractor? The file I got by doing THAT was the Trojan.

I'll try downloading it again, since my virus protection handled it once, and I assume it can handle it again.

EDIT: Also, the link involved was the Dolphin 64 bit emulator link.

And I'm glad you're not trying to infect peeps. ^_^

Lefteris_D
March 30th, 2011, 21:05
I used both its own extractor (they use 7zip (http://www.7-zip.org) self extractable I think) and my own program to extract it, then scan (32 and 64bit).

GHDpro
March 31st, 2011, 07:55
Here is another URL: http://www.google.com/safebrowsing/diagnostic?site=emulator-zone.com
(though 13 pages in the last 90 days isn't exactly a thorough test)

Anyway, I downloaded the file myself too (64-bit version only though) and ran it through Microsoft Security Essentials both extracted and as installer, which didn't find anything. I've also run ClamAV (=Linux AV software) over the entire webroot (all files, all downloads) and it didn't find anything either:

/www.emulator-zone.com# clamscan --infected -r *

----------- SCAN SUMMARY -----------
Known viruses: 931971
Engine version: 0.97
Scanned directories: 549
Scanned files: 1807
Infected files: 0
Data scanned: 3980.91 MB
Data read: 1377.65 MB (ratio 2.89:1)
Time: 579.269 sec (9 m 39 s)

There is also the possibility the trojan infection came through one of our advertisers. However one of them is Google Adsense and I'd expect them to know better. The other company doing banner ads is Burst!Media, which has been around for years as well and is not some shady ad firm that could be duped by malware creators into hosting their stuff very easily (I think).

Then there are two companies (InfoLinks and Kontera) for those "hover over" links everybody likes (ahem). Now I'm not sure how those work, but I don't think they can even contain any malware, due to the nature of these ads not being as interactive as banners.

Now I did in fact get some warnings from a site called "Clean MX (http://support.clean-mx.de/clean-mx/viruses.php)" a little while ago, supposedly stating we were hosting viruses (=so somebody on the web is actually monitoring us for that). But the file in question turned out to be a false positive:
http://www.virustotal.com/file-scan/report.html?id=4775790054fc7b0e3e32870c47166ddb1d2af1cee19960cf08b720d31fed3e92-1301554150
(yes, VT reports trouble, but the AV in question are pretty unknown and all hits are "heuristic", which doesn't have to mean anything)

But anyway, we're most definitely not trying to infect people's PCs with viruses, that I can tell you for sure.
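
Added example, not part of the original thread or the site's own tooling: a small parser for `clamscan --infected` output that separates heuristic detections from signature matches, the distinction drawn in the post above. The two FOUND lines and their signature names are constructed, and the `Heuristics.` prefix check assumes ClamAV's naming convention for heuristic detections.

```python
import re

# Constructed sample: the layout follows the summary posted above, but the two
# FOUND lines and the infected count are invented so the triage has input.
SAMPLE_OUTPUT = """\
downloads/example-a.zip: Heuristics.Encrypted.Zip FOUND
downloads/example-b.exe: Win.Trojan.Example-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 931971
Engine version: 0.97
Scanned directories: 549
Scanned files: 1807
Infected files: 2
Data scanned: 3980.91 MB
Data read: 1377.65 MB (ratio 2.89:1)
Time: 579.269 sec (9 m 39 s)
"""

# With --infected, clamscan prints one "<path>: <signature> FOUND" line per hit.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
SUMMARY_MARK = "SCAN SUMMARY"

def parse_clamscan(output):
    """Split clamscan text output into detections and the summary fields."""
    hits, summary, in_summary = [], {}, False
    for line in output.splitlines():
        if SUMMARY_MARK in line:
            in_summary = True
        elif in_summary and ": " in line:
            key, value = line.split(": ", 1)
            summary[key] = value
        elif not in_summary:
            m = FOUND_RE.match(line)
            if m:
                hits.append((m["path"], m["sig"]))
    return hits, summary

def triage(output):
    """Separate heuristic detections (review by hand) from signature matches."""
    hits, summary = parse_clamscan(output)
    heuristic = [h for h in hits if h[1].startswith("Heuristics.")]
    signature = [h for h in hits if not h[1].startswith("Heuristics.")]
    # Cross-check (assumes no --allmatch): a truncated log makes counts disagree.
    consistent = int(summary.get("Infected files", -1)) == len(hits)
    return {"signature": signature, "heuristic": heuristic, "consistent": consistent}
```
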

Robert
March 31st, 2011, 09:55
I believe this site to be clean, although I block your advertisers as a matter of course (I block all ad sites). Either it's a false positive or the OP's computer has something on it, imo.

Jale
April 6th, 2011, 00:22
It's a false positive.