Curse

Snograt · May 13, 2008, 10:57 PM // 22:57

I am one of three people in my far-flung family who's virus checker has detected the PWS Lineage trojan recently. It was originally designed to steal passwords from Lineage , but over the years has gradually been altered to gather logins from several other games - see here http://vil.nai.com/vil/content/v_130590.htm

Usual advice applies - make sure you have a good virus checker installed and that it's definitions are up to date. And let the bugger finish its scan - I know how annoying virus scans can be, but they're a necessary evil.

Apologies if this is the texmod false-positive again - it's a possibility, but it's better to be safe than sorry, Especially with all the recent account thefts.

The trojan was detected by AVG 8.0 - not sure where mine was, but my cousin-in-law's was in her GW folder

tommarrow · May 13, 2008, 11:01 PM // 23:01

Thanks for the heads up Snograt.

Darkobra · May 13, 2008, 11:06 PM // 23:06

The more security awareness, the better. Now I have a specific target to look for.

fusa · May 13, 2008, 11:09 PM // 23:09

Which virus scanner did you use? What files were infected?

Sarevok Thordin · May 13, 2008, 11:13 PM // 23:13

How does infection take place.

NoXiFy · May 13, 2008, 11:14 PM // 23:14

keyloggers suck

Dylananimus · May 13, 2008, 11:47 PM // 23:47

I got that virus the other week, on a brand new comp that was fully protected :/

I had to reformat just to be on the safe side.

AVG picked it up, and quarantined it. I couldn't see that it had escaped the Temp folder and done anything to the registry, but that's apparently what it would have done if undetected.

I scan twice a day now, both Virus and Spyware programs.

And no...I didn't have Textmod on the comp.

Taurus · May 14, 2008, 12:12 AM // 00:12

Looks like the only reasonable explanation for all the "hacking" goin' around.

Snograt · May 14, 2008, 12:35 AM // 00:35

Edited the OP with more info - detected by AVG 8.0 and in one instance in the GW folder.

I am unaware what specific file was involved - probably PWS-Lineage.dll, according to online databases. I think that, like Dylananimus, mine was in my Temp folder, which would be typical of this particular Trojan.

crazybanshee · May 14, 2008, 12:39 AM // 00:39

Wow, I used to play lineage, nowadays you probably couldn't give your US account away since nobody plays it anymore. Guess I'll go update my AVG.

MisterB · May 14, 2008, 01:00 AM // 01:00

I just ran a scan with AVG 7.5, and turned up a report for PWS Lineage, but I'm fairly certain it's a false positive in my case. The file was wtf(#).tmp in my local temp folder, where (#) was a number I don't remember. I use TexMod, hence my suspicion it was a false positive. None of the other files associated with PWS Lineage were found in the scan. Updating to AVG 8.0 now.

Zehnchu · May 14, 2008, 03:32 AM // 03:32

Trojan Horse PSW.Linage.AGX

View your scan history in AVG 8.0
Computer Scanner->Scan History->any blue colored scheduled scan (will indicate which scans have infections.)->Infections

Location
C:\Users\Name Of User\AppData\Local\Temp\
Files It's been named
wtfD8D6.tmp
wtf1BAE.tmp
wtf2091.tmp
wtf41A1.tmp
wtf2E5.tmp
wtf674B.tmp
wtf715A.tmp
wtfA2CA.tmp
wtfDF75.tmp
Wtf9686.tmp
Wtf8A03.tmp
Wtf7A41.tmp
wtf6831.tmp
WtfEBEB.tmp

And it's only been found in the Temp folder. I ran a texmod a few ways then scanned the temp folder and Guild Wars folders and found nothing. But I'll Keep an eye on it.

fenix · May 14, 2008, 03:35 AM // 03:35

Has anyone detected this with an anti-virus that ISN'T AVG? I know it shows some false-positives...but this is ridiculous. Someone try with NOD32 or something decent.

Snograt · May 14, 2008, 04:01 AM // 04:01

Good point.

Incidentally, my AVG found wtf# files too - forgot until Zehnchu mentioned it.

[edit] hmm, this may well be a TexMod false-positive after all

Quote:

everytime i use texmod (dl'd with the link in guildwiki), i get this trojan called wtf#.tmp
#=some random number

Is it a dangerous trojan?

http://www.guildwarsguru.com/forum/s...7&postcount=14

Maybe when AVG updated from 7.x to 8 it started to falsely tag TexMod again - I've had it installed for ages and AVG's never been bothered before.

pamelf · May 14, 2008, 04:04 AM // 04:04

i'm updating to AVG 8.0 as we speak, so if I have it, hopefully it will be picked up. Thanks for the heads up.

fenix · May 14, 2008, 04:13 AM // 04:13

I downloaded it, and scanned the .zip with NOD32, detected nothing. Considering the zip comes with Texmod.exe and Readme.txt, I decided just to leave it zipped, and no extract or anything, since there wasn't a reason to (already have it on the computer).

AVG fails?

Edit: Scanned my Temp files and found nothing also. <3 NOD32

Lykan · May 14, 2008, 04:39 AM // 04:39

I only have the free Avg 7.5, can it be updated to 8.0?

Shakti · May 14, 2008, 05:19 AM // 05:19

OK now I'm worried about textmod. My hubby DLed Textmod a month or so ago (I think from the "safe" link here but I'll check when he gets home) so I could do cartographer.

I use McAffee SecurityCenter among other scans, and after reading this and the other threads, ran the scan just on the Textmod.exe file itself. It came up with a trojan

New Malware.aj to be exact. Seems to be a 2006 Heuristic trojan (wtf ?)

Crap.

Snograt · May 14, 2008, 05:28 AM // 05:28

Don't worry yet - because of TexMod's nature of intercepting system calls, a lot of virus scanners have falsely identified it as a virus/trojan. I think that the AV companies can be reassured of a program's validity and virus definitions can be updated to ignore it.

Shakti · May 14, 2008, 05:34 AM // 05:34

Snog, do you mean it may not be this New Malware.aj thing at all, just that McAffee is getting mixed up by TexMod's nature and falsely IDing it as that trojan? If so you just made my night...