Guild Wars Forums - GW Guru
The Inner Circle > The Riverside Inn

Old May 14, 2008, 04:42 PM // 16:42   #41
Grotto Attendant
 
Join Date: Apr 2007

Quote:
Originally Posted by Shakti
OK now I'm worried about textmod. My hubby DLed Textmod a month or so ago (I think from the "safe" link here but I'll check when he gets home) so I could do cartographer.

I use McAfee SecurityCenter among other scans, and after reading this and the other threads, ran the scan just on the Textmod.exe file itself. It came up with a trojan, New Malware.aj to be exact. Seems to be a 2006 Heuristic trojan (wtf ?)

Crap.
"Heuristic" means that it was flagged by a set of rules that pick out things that look virus-ish, but it didn't match any known virus in the definitions. Heuristic detection has a very high false-positive rate.
-- Chthon
Old May 14, 2008, 04:47 PM // 16:47   #42
Academy Page
 
Join Date: Mar 2008
Profession: R/

On a slightly weirder note, PlayNC Launcher seems to be sure I have Lineage II installed, although I have never done so.
-- jackerduud
Old May 15, 2008, 11:32 AM // 11:32   #43
Forge Runner
 
Join Date: Aug 2006
Location: Australia
Guild: Lost Templars [LoTe]
Profession: Me/Mo

Updated to 8.0 and I'm clean. *phew*
-- pamelf
Old May 15, 2008, 03:00 PM // 15:00   #44
Desert Nomad
 
Join Date: Aug 2005
Location: in my GH
Guild: Limburgse Jagers [LJ]
Profession: W/

Hmm, I've seen this Lineage trojan message too in AVG. It claimed to have quarantined it, but tonight I'm double checking and changing my pass yet again...
-- Sjeng
Old May 15, 2008, 09:41 PM // 21:41   #45
Desert Nomad
 
Join Date: Jan 2008
Location: New York
Profession: W/R

This morning, while sitting through the morning computer scan with AVG, the PWS Lineage Trojan had come on to say hello.

Now I haven't downloaded anything EXCEPT TexMod and the three mods for Cartography Made Easy. I've used these for about a month now, and seeing it comes now of all times... just confuses me.

That's my two cents.
-- StormDragonZ
Old May 15, 2008, 10:16 PM // 22:16   #46
rattus rattus
 
Join Date: Jan 2006
Location: London, UK GMT±0 ±1hr DST
Guild: [GURU]GW [wiki]GW2
Profession: R/

Maybe something we have generates a wtf# file in TEMP and AVG tags it as PWS.Lineage?

Is there any way to examine one of these wtf# files and find out what created it?

I suspect googling wtf would be a bad idea ^^

[edit] Don't mind me - it's just senility setting in. From a previous TexMod thread:

Quote:
Originally Posted by Antheus
wtf = Windows Temporary File
.tmp = temporary file extension
The number is a random hex number

These files aren't trojans, they are just temporary files used by TexMod. The ability to create these files is part of Windows, and any application can do that. These files should be automatically deleted if you properly close GW and TexMod. If not, you can safely delete them.

See official document.
So yes, it's TexMod and it certainly appears benign. I'm sticking with my assumption that the AVG8 update has brought this one up again. Then again, what if the creator of TexMod buried this trojan in it from the start and just waited until thousands of us had it installed before reaping the benefits?

Conspiracy theory again?
__________________
Si non confectus, non reficiat

Last edited by Snograt; May 15, 2008 at 10:36 PM // 22:36..
-- Snograt
Old May 15, 2008, 11:02 PM // 23:02   #47
Krytan Explorer
 
Join Date: Mar 2006
Guild: EOA
Profession: P/W

.tmp files could be anything, don't trust it.

I've packet sniffed TexMod and listened in on API calls; it doesn't seem to be sending any data or creating any hidden log files.

However, theoretically it could be using Guild Wars to PM people (bypassing firewalls), so I won't give it the all-clear.

I remember a very popular 3rd party program for Diablo 2 that was fully functional but also sent the player login data to the developers' database.
I really hope this isn't the case with TexMod.
-- FeroxC
Old May 15, 2008, 11:25 PM // 23:25   #48
Desert Nomad
 
Join Date: Jan 2007
Profession: R/

You shouldn't have to worry about password stealers with TexMod, seeing how TexMod was AFAIK originally made for modding Tomb Raider and was then later used for Guild Wars, but I know for certain it wasn't made for Guild Wars. It's inconceivable that the creator had released TexMod with code for stealing passwords from another game. And since it has been used for years without people reporting problems, you will be safe as long as you aren't downloading a different version.
-- The Meth
Old May 16, 2008, 01:10 AM // 01:10   #49
Jungle Guide
 
Join Date: Dec 2005
Guild: Mystical Chaos
Profession: E/

Quote:
Originally Posted by The Meth
You shouldn't have to worry about password stealers with TexMod, seeing how TexMod was AFAIK originally made for modding Tomb Raider and was then later used for Guild Wars, but I know for certain it wasn't made for Guild Wars. It's inconceivable that the creator had released TexMod with code for stealing passwords from another game. And since it has been used for years without people reporting problems, you will be safe as long as you aren't downloading a different version.
Correct. TexMod was used for modding Tomb Raider, and has been floating around for quite a while. In fact, the main place to get a copy of TexMod is from the Tomb Raider website that started it all.
-- sykoone
Old May 16, 2008, 02:12 PM // 14:12   #50
Furnace Stoker
 
Join Date: Jul 2006
Location: behind you
Guild: bumble bee
Profession: E/

Hey, anyone good at these virus protection things? I found this and thought it's quite useful, something that does not involve typing that you can use to key in information. Is it safe to use?

"Transaction Guard is FREE software that protects you against spyware while performing sensitive online tasks on a public computer, like Internet banking or other financial transactions. Transaction Guard has two components:

* Spyware Monitor – Monitors for spyware and notifies you of any intrusions.
* Password ClipBoard – An on-screen keyboard for securely entering user names and passwords."

http://www.trendsecure.com/portal/en...nsaction_guard
-- pumpkin pie
Old May 16, 2008, 06:46 PM // 18:46   #51
Lion's Arch Merchant
 
Join Date: May 2005
Profession: N/Me

Quote:
Originally Posted by Dylananimus
I got that virus the other week, on a brand new comp that was fully protected :/

I had to reformat just to be on the safe side.

[snip]

I scan twice a day now, both Virus and Spyware programs.

And no...I didn't have Textmod on the comp.
In your haste towards reassurance, apparently you guys completely missed this post where it was found on a PC without TexMod? Not once was it mentioned. GJ
-- Taki
Old May 16, 2008, 07:14 PM // 19:14   #52
Grotto Attendant
 
Join Date: Apr 2007

Quote:
Originally Posted by pumpkin pie
Hey, anyone good at these virus protection things? I found this and thought it's quite useful, something that does not involve typing that you can use to key in information. Is it safe to use?

"Transaction Guard is FREE software that protects you against spyware while performing sensitive online tasks on a public computer, like Internet banking or other financial transactions. Transaction Guard has two components:

* Spyware Monitor – Monitors for spyware and notifies you of any intrusions.
* Password ClipBoard – An on-screen keyboard for securely entering user names and passwords."

http://www.trendsecure.com/portal/en...nsaction_guard
1. I generally do not trust free software that offers to manage your passwords. All too often, free password managers are in fact password thieves. I would only trust (1) password managers you compile yourself (presuming you know enough about programming to be able to read and understand the code you are compiling), or (2) password managers from reputable corporations that have a vested interest in maintaining their reputation. Trend Micro probably falls into category (2), so it's probably safe to use something downloaded directly from their official site.

2. I'm not sure how much protection this program really offers. Mouse positions can be captured the same way keystrokes can. All an attacker's program would have to do would be wait until the virtual keyboard program started up, then log mouse positions and send them to the attacker. Unless the virtual keyboard randomly moves around the screen or randomly changes the positions of keys as you type, it should be trivially easy to guess where the virtual keyboard window was positioned and derive your password from there. That's not terribly much harder to write than a keylogger, so the only "protection" the program gives you is the "protection through scarcity" that not many attackers are including mouseloggers with their keyloggers (yet).

I also have a bad feeling that this program uses the Windows clipboard to transfer the password to the program you want to feed it to, which means that an attack directed at recovering the Windows clipboard contents would completely bypass any security provided by this program.
-- Chthon
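Chthon's point about mouse loggers, worked through as an added simulation that is not part of the original thread and not Transaction Guard's code: a constructed three-row on-screen keyboard with an assumed key size and window position, a simulated victim clicking on its keys, and an attacker who holds nothing but the logged click coordinates plus a guess at where the window sat and what its static layout was. With a fixed layout the attacker reads the password straight back from the coordinates; when the keyboard reshuffles its keys after every click, the same decoding step yields garbage. The layout, key size, window origin and password are all assumptions, and no real input hooking is performed; this is only the decoding an attacker would run on coordinates a mouse logger had already captured.

```python
import random
import string

# Constructed on-screen keyboard: three rows of letters drawn as a grid of
# fixed-size keys inside a window whose top-left corner is `origin`.
# Row layout and key size are assumptions for the simulation, not the real
# layout of any product.
DEFAULT_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
KEY_W = 40  # key width in pixels (assumed)
KEY_H = 40  # key height in pixels (assumed)


def key_rects(rows, origin, key_w=KEY_W, key_h=KEY_H):
    """Map each character to the screen rectangle (x0, y0, x1, y1) of its key."""
    ox, oy = origin
    rects = {}
    for r, row in enumerate(rows):
        for c, ch in enumerate(row):
            x0, y0 = ox + c * key_w, oy + r * key_h
            rects[ch] = (x0, y0, x0 + key_w, y0 + key_h)
    return rects


def click_on(rects, ch, rng):
    """Simulate the victim clicking somewhere inside the key for `ch`."""
    x0, y0, x1, y1 = rects[ch]
    return rng.randrange(x0, x1), rng.randrange(y0, y1)


def type_fixed_layout(password, origin, rng, rows=DEFAULT_ROWS):
    """Victim types `password` on a keyboard whose layout never changes."""
    rects = key_rects(rows, origin)
    return [click_on(rects, ch, rng) for ch in password]


def type_shuffled_layout(password, origin, rng):
    """Victim types `password` on a keyboard that reshuffles its keys after every click."""
    clicks = []
    for ch in password:
        letters = list(string.ascii_lowercase)
        rng.shuffle(letters)
        # Same 10/9/7 row shape as DEFAULT_ROWS, but different letters on each key.
        rows = ("".join(letters[:10]), "".join(letters[10:19]), "".join(letters[19:]))
        clicks.append(click_on(key_rects(rows, origin), ch, rng))
    return clicks


def recover(clicks, origin, rows=DEFAULT_ROWS):
    """Attacker's reconstruction: only the logged `clicks` are known, plus a
    guess at the window origin and the assumption that the layout is static."""
    rects = key_rects(rows, origin)
    out = []
    for x, y in clicks:
        hit = "?"
        for ch, (x0, y0, x1, y1) in rects.items():
            if x0 <= x < x1 and y0 <= y < y1:
                hit = ch
                break
        out.append(hit)
    return "".join(out)


def demo(seed, password, origin):
    """Run both scenarios with a seeded RNG and return (fixed_result, shuffled_result)."""
    rng = random.Random(seed)
    fixed = recover(type_fixed_layout(password, origin, rng), origin)
    shuffled = recover(type_shuffled_layout(password, origin, rng), origin)
    return fixed, shuffled


if __name__ == "__main__":
    fixed, shuffled = demo(1, "hunter", (320, 540))
    print("static layout, attacker recovers:   ", fixed)     # the password itself
    print("reshuffled layout, attacker recovers:", shuffled)  # unrelated letters
```

The only thing the shuffled variant changes is that a coordinate no longer means the same key twice, which is exactly the property Chthon says the keyboard would need; it does nothing against an attacker who captures screenshots at each click or reads the clipboard afterwards.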
Old May 20, 2008, 01:26 PM // 13:26   #53
Site Contributor
 
Join Date: Jun 2005
Profession: R/

Quote:
Originally Posted by StormDragonZ
This morning, while sitting through the morning computer scan with AVG, the PWS Lineage Trojan had come on to say hello.

Now I haven't downloaded anything EXCEPT TexMod and the three mods for Cartography Made Easy. I've used these for about a month now, and seeing it comes now of all times... just confuses me.

That's my two cents.
My AVG is running right now and that trojan was picked up. I'd like to know where we're all getting this from. I am so careful, I just don't understand it.
-- Commander Ryker
Old May 20, 2008, 01:30 PM // 13:30   #54
Frost Gate Guardian
 
Join Date: Jun 2006
Location: My House
Guild: N/A
Profession: Mo/Me

I seem to remember something to do with TexMod and AVG picking up a false positive for this trojan when it scans TexMod.
-- jackers1234
Old May 20, 2008, 03:30 PM // 15:30   #55
Lion's Arch Merchant
 
Join Date: Mar 2007
Guild: The Eternal Champions
Profession: W/Mo

Quote:
Originally Posted by jackers1234
I seem to remember something to do with TexMod and AVG picking up a false positive for this trojan when it scans TexMod.
It's probably a good idea if people don't just put this down to textmod though, as I didn't have textmod on my comp when my scan found the trojan :/ It was a new comp.

Still gotta be careful.
-- Dylananimus
Old May 20, 2008, 03:39 PM // 15:39   #56
rattus rattus
 
Join Date: Jan 2006
Location: London, UK GMT±0 ±1hr DST
Guild: [GURU]GW [wiki]GW2
Profession: R/

Here's a thought for you:

Has anyone detected this trojan with anything other than AVG?
__________________
Si non confectus, non reficiat
-- Snograt
Old May 20, 2008, 03:39 PM // 15:39   #57
BuD
Krytan Explorer
 
Join Date: Mar 2006
Location: Nunya
Profession: E/Mo

My AVG is picking it up every time I use TexMod.

I didn't use TexMod for 4 days, no flags on my scans. I used TexMod yesterday & my scan found it this morning. So I fired up TexMod this morning &, lo and behold, it creates a wtf2A.tmp file. AVG sees this temp file as the PSW.Lineage Trojan.

It creates it in C:\Documents and Settings\User\Local Settings\Temp\
-- BuD
Old May 20, 2008, 03:54 PM // 15:54   #58
Furnace Stoker
 
Join Date: Jul 2006
Location: behind you
Guild: bumble bee
Profession: E/

thank you Chthon for the analysis. appreciated.
-- pumpkin pie
Old May 20, 2008, 04:09 PM // 16:09   #59
Guest
 
Join Date: Jan 2007

http://www.virustotal.com/analisis/d...5aaf9b1c68cc43

and a scan from here(see link below) came up with this: now i'm not saying it's all texmod, but this is the one I have. and yes it was d/l'd from wiki.
http://virusscan.jotti.org/

POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definitely accurate. Also, because of this, results of this scan will not be recorded in the database.)

MD5: 3a561b80cfba394a810d528d4c05dc7e
Packers detected: PE_PATCH, NSPACK, ASPACK

Scan taken on 20 May 2008 16:01:11 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found Trojan-PWS.Win32.Agent.BU
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing
-- gone
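Two checks a practitioner would run on the evidence in this thread, written here as an added example that is not code from the thread, from TexMod, or from Jotti. The first covers the wtf#.tmp files Antheus and BuD describe: Win32 GetTempFileName() names the files it creates as an up-to-three-character prefix, a hex counter of at most four digits, then .tmp, which is exactly the shape of wtf2A.tmp, so a name can be tested against that pattern before anyone reads anything into it. The second takes the multi-engine report gone posted above, parses it into a detection ratio, and treats a lone hit under a generic family name such as Agent as the low-confidence result it is. The report and the MD5 are the ones in the post; the "wtf" prefix is the one the thread reports seeing; the bytes fed to the hash check are a constructed placeholder, since the file itself is not on the page.

```python
import hashlib
import re


def is_gettempfilename_product(name, prefix="wtf"):
    """True if `name` looks like a file Win32 GetTempFileName() made with `prefix`:
    the first three characters of the prefix, one to four hex digits, and .tmp.
    "wtf" is the prefix the thread reports; the scheme is the documented Win32 one."""
    pattern = r"^%s[0-9A-F]{1,4}\.tmp$" % re.escape(prefix[:3])
    return re.match(pattern, name, re.IGNORECASE) is not None


# The multi-engine report from the thread, in its original alternating
# engine-name / verdict line format, used as this example's input.
JOTTI_REPORT = "\n".join([
    "A-Squared", "Found nothing", "AntiVir", "Found nothing", "ArcaVir", "Found nothing",
    "Avast", "Found nothing", "AVG Antivirus", "Found nothing", "BitDefender", "Found nothing",
    "ClamAV", "Found nothing", "CPsecure", "Found nothing", "Dr.Web", "Found nothing",
    "F-Prot Antivirus", "Found nothing", "F-Secure Anti-Virus", "Found nothing",
    "Fortinet", "Found nothing", "Ikarus", "Found Trojan-PWS.Win32.Agent.BU",
    "Kaspersky Anti-Virus", "Found nothing", "NOD32", "Found nothing",
    "Norman Virus Control", "Found nothing", "Panda Antivirus", "Found nothing",
    "Sophos Antivirus", "Found nothing", "VirusBuster", "Found nothing", "VBA32", "Found nothing",
])

# MD5 reported alongside that scan in the thread.
POSTED_MD5 = "3a561b80cfba394a810d528d4c05dc7e"


def parse_report(text):
    """Turn alternating engine/verdict lines into {engine: detection_name_or_None}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected engine/verdict line pairs")
    results = {}
    for engine, verdict in zip(lines[0::2], lines[1::2]):
        if verdict == "Found nothing":
            results[engine] = None
        elif verdict.startswith("Found "):
            results[engine] = verdict[len("Found "):]
        else:
            raise ValueError("unrecognised verdict: %r" % verdict)
    return results


# Family names that are catch-all buckets or heuristic labels rather than a
# specific sample; a single hit under such a name carries little weight alone.
GENERIC_MARKERS = ("agent", "generic", "heur", "suspicious", "new malware")


def triage(results):
    """Summarise a multi-engine scan: how many engines flagged the file and
    whether the names they used are generic families or specific detections."""
    hits = {e: n for e, n in results.items() if n}
    generic = [e for e, n in hits.items() if any(m in n.lower() for m in GENERIC_MARKERS)]
    if not hits:
        assessment = "clean on all engines"
    elif len(hits) == 1 and generic:
        assessment = "single generic detection: likely false positive, verify further"
    elif len(hits) < len(results) // 4:
        assessment = "minority detection: inconclusive"
    else:
        assessment = "broad detection: treat as malicious"
    return {"engines": len(results), "detections": len(hits), "hits": hits,
            "generic": generic, "assessment": assessment}


def md5_hex(data):
    """MD5 of the given bytes as lowercase hex."""
    return hashlib.md5(data).hexdigest()


def matches_posted_hash(data, posted_md5=POSTED_MD5):
    """Confirm a local copy is the same bytes the scanning service saw before
    trusting, or dismissing, its verdict."""
    return md5_hex(data) == posted_md5.lower()


if __name__ == "__main__":
    print("wtf2A.tmp is a GetTempFileName() name:", is_gettempfilename_product("wtf2A.tmp"))
    summary = triage(parse_report(JOTTI_REPORT))
    print(summary["detections"], "of", summary["engines"], "engines:", summary["assessment"])
    # Constructed bytes standing in for a local texmod.exe; they will not match.
    print("local copy matches posted MD5:", matches_posted_hash(b"constructed placeholder bytes"))
```

Two things fall out of running this over the posted report: the ratio is 1 of 20, and the one hit is under Agent, a catch-all family name rather than a named sample. Note also that AVG itself reports "Found nothing" on the executable in that listing, which is consistent with BuD's observation that the flag fires on the wtf*.tmp file TexMod writes to %TEMP% rather than on texmod.exe. The packer line (NSPACK, ASPACK) is the usual reason a heuristic engine flags an otherwise clean binary.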
Old May 26, 2008, 06:43 PM // 18:43   #60
Ascalonian Squire
 
Join Date: Mar 2008
Guild: [MBA]
Profession: N/Mo

Quote:
Originally Posted by Snograt
Here's a thought for you:

Has anyone detected this trojan with anything other than AVG?

Yes, Avast detects it too, it creates a *.tmp file.
-- Cyric The Liar