L.C. Posted April 5, 2014

Greetings,

Recently I have been notified by someone that when they try to download a file from hlrse.net using Google Chrome, it prevents them from downloading the file altogether, citing that the website has been flagged for malware. Upon investigation, Google Webmaster Tools identifies three files:

http://www.hlrse.net/Qwerty/ServerKit-Full.exe
http://www.hlrse.net/Qwerty/ServerKit-v2-Full.exe
http://www.hlrse.net/Qwerty/ServerKit-v3-Full.exe

Upon further investigation, I found that the file responsible is dirserver.exe, which is written by PriitK. You can find a VirusTotal scan at https://www.virustotal.com/en/file/9d9631ff6060ed1ea3d0326c189b9f4ff402d51ad0bd488c2a35bacfeae42a41/analysis/1396661078/. The ServerKit-v4-Full.exe and ServerKit-v5-Full.exe were not flagged because they contain a different dirserver.exe, in particular Snrrrub's directory server, which has a certain problem I forgot about that caused me to remove it and use PriitK's. I didn't use doc_flabby's directory server either because it also has/had a directory poisoning bug (spams up the list with dead entries).

So here's the low-down:

getcontinuum.com points to http://www.hlrse.net/subspace/Continuum040Setup.exe
Users with Chrome can't download it because the website is flagged for malware because of PriitK's dirserver.exe in ServerKit-Full.exe

What do I do? I would appreciate your advice and wisdom. Thanks!

Sincerely,
Joshua Szanto
Cheese Posted April 5, 2014

Seeing as you are the only person who has had Priit's dir scan positive, I would normally suspect you were the origin, as I did 5 years ago when you first uploaded it.

Solution: get another new unmodified copy and repackage.
L.C. Posted April 5, 2014 (edited)

Could someone kindly download http://www.minegoboom.com/cgi-bin/ryan/download.cgi?dirserver.zip and attach it here for me? I'm having problems downloading files from minegoboom.com / shanky.com

EDIT: OK, even the original from MineGoBOOM.com/server is bad.

dirserver.zip
https://www.virustotal.com/en/file/ffa1867109a317541fdc720d8af4030e0e64e6669aa7a87d7a4e8751cefa4cce/analysis/1396667413/

DirServer.exe
https://www.virustotal.com/en/file/749ba95c066cbb19876101393595baaa823c123695ec0b32b185f09e9536eea3/analysis/1396667515/

Edited April 5, 2014 by L.C.
L.C. Posted April 5, 2014

dirserver03.zip
https://www.virustotal.com/en/file/fb0a0286d0879abd14e764c10cb07e666099d425d1dab75077950723499cb813/analysis/1396730559/
Nope, doesn't pass, with at least 20 hits.

The DirServer.exe has the same SHA-256 checksum as the DirServer.exe VirusTotal link I already posted.
https://www.virustotal.com/en/file/9d9631ff6060ed1ea3d0326c189b9f4ff402d51ad0bd488c2a35bacfeae42a41/analysis/1396730583/
21 hits in this one.
L.C. Posted April 8, 2014

Well, I guess it just comes down to the only possible statement: we're all ... going ... to die.
doc flabby Posted April 29, 2014 (edited)

The solution is to contact every AV vendor on that list and get them to add an exclusion for the affected files. It's not an uncommon problem; I have had to submit files before that have been incorrectly categorised.

Edited April 29, 2014 by doc flabby
L.C. Posted May 10, 2014

Here is the letter I've drafted:

Greetings,

I need to have the following files whitelisted from your anti-virus/malware scanners because they think there is something wrong with these files, but that is a false-positive result:

http://www.hlrse.net/Qwerty/ServerKit-Full.exe
SHA-256 checksum: c244262cd73cf2151c09e9fc0f7dc23128a0c01ce548451467e20ef0423d7c61
File Download Scan: https://www.virustotal.com/en/file/c244262cd73cf2151c09e9fc0f7dc23128a0c01ce548451467e20ef0423d7c61/analysis/1396660887/
URL Scan: https://www.virustotal.com/en/url/f041b2f9be37da1eee9277cb8fa74aa3fe596f0e5a4a47a013580d810a37b100/analysis/

http://www.hlrse.net/Qwerty/ServerKit-v2-Full.exe
SHA-256 checksum: 7be60c213366232b29dae724a29e88d9ead42c7561eeca9ae96a2fdefd327cf0
File Download Scan: https://www.virustotal.com/en/file/7be60c213366232b29dae724a29e88d9ead42c7561eeca9ae96a2fdefd327cf0/analysis/1391519152/
URL Scan: https://www.virustotal.com/en/url/fd507c73c6913abfdd89e079942f8973a0d12e8248c6723302b790a5dc5bb332/analysis/

http://www.hlrse.net/Qwerty/ServerKit-v3-Full.exe
SHA-256 checksum: a0bbe7f87c7f69799fe7206b249c5bd1c8632846fde5ee6950d3b45bdc992d4e
File Download Scan: https://www.virustotal.com/en/file/a0bbe7f87c7f69799fe7206b249c5bd1c8632846fde5ee6950d3b45bdc992d4e/analysis/1391519130/
URL Scan: https://www.virustotal.com/en/url/48c87a0a9eb70082dcee78640117e8c290482599b501d7894e9ad5d88b21a2cd/analysis/

These executables are self-extracting RAR archives put together using WinRAR. They contain a file "dirserver.exe" which is basically a "master server list" that gameservers for a game called SubSpace (see http://www.subspace.co/ or http://www.ssforum.net/) report their presence to so players see what gameservers are online and available to play in.

Below are two versions of dirserver.exe that I need to have excluded from your scans as well:

DirServer.exe
SHA-256 checksum: 9d9631ff6060ed1ea3d0326c189b9f4ff402d51ad0bd488c2a35bacfeae42a41
File Scan: https://www.virustotal.com/en/file/9d9631ff6060ed1ea3d0326c189b9f4ff402d51ad0bd488c2a35bacfeae42a41/analysis/

DirServer.exe
SHA-256 checksum: 749ba95c066cbb19876101393595baaa823c123695ec0b32b185f09e9536eea3
File Scan: https://www.virustotal.com/en/file/749ba95c066cbb19876101393595baaa823c123695ec0b32b185f09e9536eea3/analysis/1396667515/

Please have these five files whitelisted and excluded from your scans, as they are picking these up as false-positives. If you have any questions, please communicate with me. You can find all of my contact information at http://www.hlrse.net/ and if you need some proof of my identity I may be able to provide that as well.

Sincerely,
Joshua Szanto
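Added example, not part of the thread or of the author's letter: a small Python helper that produces the per-file entries a whitelisting request like the one above needs (file name, SHA-256, VirusTotal file-report URL in the format the letter uses), collapses files that share a hash so each unique binary is submitted once, and checks repackaged files against checksums already submitted. The sample file contents are constructed; the real kit files are not included.

```python
import hashlib

# VirusTotal file-report URL shape, as it appears in the letter above
VT_FILE_URL = "https://www.virustotal.com/en/file/{sha256}/analysis/"


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory file body."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file on disk, streamed so a large kit is not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(items):
    """items: iterable of (name, bytes). Returns [(names, sha256, vt_url)], one
    entry per distinct hash: the same binary shipped under two names (e.g. the
    DirServer.exe inside two kits) is listed once with both names attached."""
    by_digest = {}
    for name, data in items:
        by_digest.setdefault(sha256_of_bytes(data), []).append(name)
    return [(names, d, VT_FILE_URL.format(sha256=d)) for d, names in by_digest.items()]


def render_entries(manifest) -> str:
    """Plain-text entries in the style of the letter: names, checksum, scan link."""
    out = []
    for names, digest, url in manifest:
        out.append(", ".join(names))
        out.append(f"SHA-256 checksum: {digest}")
        out.append(f"File Scan: {url}")
        out.append("")
    return "\n".join(out).rstrip("\n")


def check_expected(items, expected) -> dict:
    """expected: {name: sha256 as already submitted}. Returns {name: bool} so a
    repackaged kit can be confirmed unchanged before re-contacting a vendor."""
    actual = {name: sha256_of_bytes(data) for name, data in items}
    return {name: actual.get(name) == digest for name, digest in expected.items()}


if __name__ == "__main__":
    # constructed sample contents, not the real kit files
    sample = [("ServerKit-Full.exe", b"abc"), ("DirServer.exe", b"abc"), ("other.exe", b"")]
    print(render_entries(build_manifest(sample)))
```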
L.C. Posted May 10, 2014 (edited)

Greetings,

I have sent e-mails, submitted forms, and sent communication to the following vendors:

Ad-Aware
AegisLab
Agnitum
AntiVir
BitDefender
Bkav
ByteHero
CAT-QuickHeal
Commtouch & F-Prot
Comodo
Emsisoft
F-Secure
GData
Ikarus
K7AntiVirus & K7GW
Kingsoft (http://bbs.duba.net/thread-23171130-1-1.html)
McAfee & McAfee-GW-Edition
MicroWorld-eScan
Norman
Qihoo-360
Sophos
Symantec
TrendMicro & TrendMicro-HouseCall
VIPRE

EDIT: I have also informed 2 people via e-mail regarding this status update so that they are aware I didn't push this off to the side and am in the process of getting this situation resolved.

Edited May 10, 2014 by L.C.
L.C. Posted May 20, 2014

Results improving, will check again in a week.
L.C. Posted May 31, 2014

Results have significantly improved. However, there are still a handful of vendors to re-contact or follow up with. As of now, all three URLs have only 2 false positives each (better than the original 12+). The files themselves have between 10-12 false positives; that is improved but still needs work.