
trojan TR/PSW.Nilage.hhl in lua51.dll

Posted: Wed Jul 07, 2010 1:50 am
by Rainer12345
Yesterday my scanner (Avira) found trojan TR/PSW.Nilage.hhl in lua51.dll.

I got my copy of micromacro from this site some weeks ago and never got a warning. Everything works fine. I deleted the file and tried a new download from here. Same result.

Here is the log from virustotal.com:

Datei micromacro.zip empfangen 2010.07.04 22:54:18 (UTC)
Status: Beendet
Ergebnis: 8/41 (19.51%)
Antivirus Version letzte aktualisierung Ergebnis
a-squared 5.0.0.31 2010.07.04 Trojan-GameThief.Win32.Nilage!IK
AhnLab-V3 2010.07.03.00 2010.07.03 -
AntiVir 8.2.4.2 2010.07.04 -
Antiy-AVL 2.0.3.7 2010.07.02 -
Authentium 5.2.0.5 2010.07.04 -
Avast 4.8.1351.0 2010.07.04 -
Avast5 5.0.332.0 2010.07.04 -
AVG 9.0.0.836 2010.07.04 -
BitDefender 7.2 2010.07.05 Trojan.Generic.4318767
CAT-QuickHeal 11.00 2010.06.30 -
ClamAV 0.96.0.3-git 2010.07.04 -
Comodo 5318 2010.07.04 -
DrWeb 5.0.2.03300 2010.07.04 -
eSafe 7.0.17.0 2010.07.04 -
eTrust-Vet 36.1.7684 2010.07.03 -
F-Prot 4.6.1.107 2010.07.04 -
F-Secure 9.0.15370.0 2010.07.04 Trojan.Generic.4318767
Fortinet 4.1.133.0 2010.07.04 -
GData 21 2010.07.05 Trojan.Generic.4318767
Ikarus T3.1.1.84.0 2010.07.04 Trojan-GameThief.Win32.Nilage
Jiangmin 13.0.900 2010.07.03 -
Kaspersky 7.0.0.125 2010.07.04 Trojan-GameThief.Win32.Nilage.hhl
McAfee 5.400.0.1158 2010.07.05 -
McAfee-GW-Edition 2010.1 2010.07.04 -
Microsoft 1.5902 2010.07.03 -
NOD32 5251 2010.07.04 -
Norman 6.05.10 2010.07.04 -
nProtect 2010-07-04.02 2010.07.04 -
Panda 10.0.2.7 2010.07.04 -
PCTools 7.0.3.5 2010.07.02 -
Prevx 3.0 2010.07.05 -
Rising 22.54.04.04 2010.07.02 -
Sophos 4.54.0 2010.07.05 -
Sunbelt 6543 2010.07.04 -
Symantec 20101.1.0.89 2010.07.04 -
TheHacker 6.5.2.1.307 2010.07.04 -
TrendMicro 9.120.0.1004 2010.07.04 PAK_Generic.001
TrendMicro-HouseCall 9.120.0.1004 2010.07.05 -
VBA32 3.12.12.5 2010.07.02 Trojan-GameThief.Win32.Nilage.hhl
ViRobot 2010.7.3.3920 2010.07.04 -
VirusBuster 5.0.27.0 2010.07.04 -
weitere Informationen
File size: 389994 bytes
MD5 : b3cf8137a930f903a346a0aa22a80838
SHA1 : f2f40799e85786611c61bc26bad232aeaa07f43c
SHA256: 475a58f138b1cd38ef4807b0891d1a202c6857663bcfec1897d34f664c03b065
TrID : File type identification
ZIP compressed archive (99.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
Symantec reputation: Suspicious.Insight
ssdeep: 6144:l6l2d8MV9fYpPOanQAQtp60EWV5Qp4gXRXexC7yCplExawxVU5OeXTcQL+mI/wZ:l6lLc9QnfQtpRpdghexVC8xa+QO7w+zi
sigcheck: publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD : -
packers (Kaspersky): PE_Patch.UPX, UPX, PE_Patch.UPX, UPX
packers (F-Prot): UPX
packers (Authentium): UPX
RDS : NSRL Reference Data Set


I really like this bot, but in this case I won't use it anymore.

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

Posted: Wed Jul 07, 2010 2:30 am
by rock5
Might have something to do with the fact that the bot writes to memory.

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

Posted: Wed Jul 07, 2010 3:26 am
by romvn
Well, it's been a while that my Kaspersky always deletes it. I believe there's no reason for the development team of this cool bot to try to steal your account.

Anyway, some explanations from Admin?

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

Posted: Wed Jul 07, 2010 5:06 am
by Rainer12345
That's why I post this stuff.

I really like this bot, but an explanation would be nice. If you look in the German forum you can see that I'm not the only one with this warning. The other one is also from yesterday.

http://www.elitepvpers.de/forum/rom-hac ... t-154.html

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

Posted: Wed Jul 07, 2010 6:28 am
by 3cmSailorfuku
Unpack the files with UPX. If you scan only Lua51 on VirusTotal, then only Avira will notify you that it's a trojan; otherwise, apparently, if you pack the files into a zip or rar it just gets worse on VirusTotal and you'll get more false alarms.

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

Posted: Wed Jul 07, 2010 9:15 am
by Administrator
I think that due to the fact that it's not the official Lua DLL (it has been patched to allow for yielding across co-routines) and that it was UPX packed is what was causing this. It's typically installed with games so an unfamiliar copy like this might trigger an anti-virus software to consider it a virus. That's my best guess.

I can start releasing it without being UPX packed. In fact, you can download the latest copy with unpacked Lua51.dll (but still UPX packed micromacro.exe; virustotal sees it as clean, so it should be fine) from here.
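
A triage check for the UPX packing discussed in the posts above, as an added example that is not part of the original thread or of the MicroMacro project. It reads a PE file's section table and reports the two header traits a default UPX build leaves behind; the function names are hypothetical and the two sample headers are constructed for the demo.

```python
import struct

def pe_sections(data: bytes):
    """Return [(name, virtual_size, raw_size)] from a PE file's section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (count,) = struct.unpack_from("<H", data, pe_off + 6)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    if table + 40 * count > len(data):
        raise ValueError("truncated section table")
    sections = []
    for off in range(table, table + 40 * count, 40):
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, raw_size = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, raw_size))
    return sections

def upx_indicators(data: bytes):
    """List the reasons a PE looks UPX-packed; an empty list means none found."""
    sections = pe_sections(data)
    reasons = []
    upx_names = [n for n, _, _ in sections if n.startswith("UPX")]
    if upx_names:
        reasons.append("section names " + ",".join(upx_names))
    # UPX0 is an empty placeholder on disk that the stub fills when the file loads.
    if sections and sections[0][2] == 0 and sections[0][1] > 0:
        reasons.append("first section has no data on disk")
    return reasons

def build_sample(sections):
    """Constructed minimal PE header (headers only, no code) for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x2102)
    table = b"".join(
        name.encode().ljust(8, b"\0") + struct.pack("<IIII", vsize, 0, raw, 0) + b"\0" * 16
        for name, vsize, raw in sections)
    return dos + coff + table

# Constructed samples: a UPX-style layout and an ordinary compiler layout.
PACKED = build_sample([("UPX0", 0x8000, 0), ("UPX1", 0x4000, 0x3E00), (".rsrc", 0x1000, 0x400)])
PLAIN = build_sample([(".text", 0x3000, 0x3000), (".rdata", 0x1000, 0x1000), (".data", 0x800, 0x200)])

if __name__ == "__main__":
    for label, blob in (("packed sample", PACKED), ("plain sample", PLAIN)):
        print(label, "->", upx_indicators(blob) or "no UPX indicators")
```

To check a downloaded DLL, pass `open(path, "rb").read()` to `upx_indicators`. A hit only says the file is packed, which is what generic packer signatures such as the PAK_Generic.001 result key on; it says nothing about what the unpacked code does.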

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

Posted: Wed Jul 07, 2010 11:13 am
by Rainer12345
Uhm ... the new (experimental) version of micromacro makes Avira very excited. I can't click away the trojan warnings fast enough ...

Virustotal thinks it's not really clean ...

Antivirus Version letzte aktualisierung Ergebnis
a-squared 5.0.0.31 2010.07.07 Trojan-GameThief.Win32.Nilage!IK
AhnLab-V3 2010.07.07.01 2010.07.07 -
AntiVir 8.2.4.10 2010.07.07 TR/PSW.Nilage.hhl
Antiy-AVL 2.0.3.7 2010.07.07 -
Authentium 5.2.0.5 2010.07.07 -
Avast 4.8.1351.0 2010.07.07 -
Avast5 5.0.332.0 2010.07.07 -
AVG 9.0.0.836 2010.07.07 -
BitDefender 7.2 2010.07.07 Trojan.Generic.4318767
CAT-QuickHeal 11.00 2010.07.07 -
ClamAV 0.96.0.3-git 2010.07.07 -
Comodo 5350 2010.07.07 -
DrWeb 5.0.2.03300 2010.07.07 -
eSafe 7.0.17.0 2010.07.07 -
eTrust-Vet 36.1.7690 2010.07.07 -
F-Prot 4.6.1.107 2010.07.07 -
F-Secure 9.0.15370.0 2010.07.07 Trojan.Generic.4318767
Fortinet 4.1.133.0 2010.07.07 -
GData 21 2010.07.07 Trojan.Generic.4318767
Ikarus T3.1.1.84.0 2010.07.07 Trojan-GameThief.Win32.Nilage
Jiangmin 13.0.900 2010.07.07 -
Kaspersky 7.0.0.125 2010.07.07 Trojan-GameThief.Win32.Nilage.hhl
McAfee 5.400.0.1158 2010.07.07 -
McAfee-GW-Edition 2010.1 2010.07.05 -
Microsoft 1.5902 2010.07.07 -
NOD32 5259 2010.07.07 -
Norman 6.05.11 2010.07.07 -
nProtect 2010-07-07.02 2010.07.07 -
Panda 10.0.2.7 2010.07.07 -
PCTools 7.0.3.5 2010.07.07 -
Prevx 3.0 2010.07.07 -
Rising 22.55.02.04 2010.07.07 -
Sophos 4.54.0 2010.07.07 -
Sunbelt 6556 2010.07.07 Trojan.Win32.Generic!BT
Symantec 20101.1.0.89 2010.07.07 -
TheHacker 6.5.2.1.309 2010.07.06 -
TrendMicro 9.120.0.1004 2010.07.07 PAK_Generic.001
TrendMicro-HouseCall 9.120.0.1004 2010.07.07 -
VBA32 3.12.12.6 2010.07.07 Trojan-GameThief.Win32.Nilage.hhl
ViRobot 2010.6.29.3912 2010.07.07 -
VirusBuster 5.0.27.0 2010.07.06 -
weitere Informationen
File size: 648669 bytes
MD5...: 7ef5a6bc34b0fb2ccd18aa352c650838
SHA1..: aeb60db6537b2a1d16ea014dbd810f47ca619f83
SHA256: 2f5e14d426a97487e68c122f7438d4cba46c8080c1c863cc6018a3331c0d18f8
ssdeep: 12288:h0q6lLc9QnhQtpRMa6lLc9QnyzknOo4rjQWPjcCRrMLvtgbT3CfY8z46gx6:h0q65cMa65DnMXQIjML1gbT3Cnzfgo
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: ZIP compressed archive (99.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_respon ... 23-0550-99
packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

If you think it's only because of the packed files ... maybe you can't post the correct dll unpacked? I tried the lua51.dll in my micromacro directory ... didn't work ...

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

Posted: Wed Jul 07, 2010 11:21 am
by Administrator
Are you sure you overwrote the file? This is what I'm seeing for the current lua51.dll: http://www.virustotal.com/analisis/d345 ... 1278511789

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

Posted: Wed Jul 07, 2010 6:48 pm
by WhiteTiger
In my case, I don't care if there's a virus, this is the fucking best bot ever <3 :P

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

Posted: Thu Jul 08, 2010 2:55 am
by Rainer12345
Administrator wrote: Are you sure you overwrote the file? This is what I'm seeing for the current lua51.dll: http://www.virustotal.com/analisis/d345 ... 1278511789

No, I'm not sure :). I never unpacked it :).

I played all evening with this problem. Here is my "solution"...

I downloaded 3 different versions of micromacro from different sources. Every zip file made Avira blink like a Christmas tree. All zip files were checked in virustotal and were not clean.

I unpacked it and let Avira delete the dll. Then I downloaded the unpacked dll from Lua binaries. Result: no trojans ... but Windows errors.

In the end I took my old notebook with nothing but the OS installed and deactivated Avira. The unzipped dll is clean for Avira and virustotal. I copied this file to my main PC and checked the full system with 4 different scanners. No trojans.

Thanks for your help.

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

Posted: Thu Jul 08, 2010 7:39 am
by Administrator
I must have made a mistake when I uploaded the file. You are correct. That was still showing false positives from multiple anti-virus softwares.

Go ahead and redownload from the first post here. That should do the trick.

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

Posted: Sun Jul 18, 2010 12:21 pm
by Wary
I sent an email to kaspersky today, notifying them about the false positive and they fixed it in the newest signature update.

It is hot here today, so I didn't really want to search the email addresses of other vendors too. If you own another AV, that sees a virus here, maybe send it to them.
For Kaspersky, you just have to send a message to newvirus AT kaspersky.com subject: False positive
(not for this file, obviously, because I already did. If your Kaspersky Anti Virus still detects this, update it!)

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

Posted: Sun Jul 18, 2010 1:12 pm
by Administrator
Thanks for taking the time to do this. I have, however, already gone ahead and unpacked that DLL for the latest release. It shouldn't be giving any virus warnings from any (respectable) anti-virus software, but if it does, please let me know.

lua51.dll trojan

Posted: Thu Jul 29, 2010 6:10 pm
by gamergk
This bot is the best I've used in a long time, though 2 days ago my AVG antivirus v9.0 brought up a msg saying "Infection" Trojan horse PSW.OnlineGames3.ARDD in lua51.dll

I used this bot for a while already and guess AVG antivirus detected it as a threat. I used winrar to extract it, AVG quickly detected it as a virus, also used 7zip, same results.

Yea, I know this bot is safe, I've used it a lot, though it would be good to get this issue fixed and bot once more heh

Running win7 64bit in case you guys are wondering

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

Posted: Thu Jul 29, 2010 7:23 pm
by MiesterMan
I think someone mentioned this happens because the lua dll has been modified for this bot. Maybe renaming the dll with a revision at the end would fix this (I don't know if that's possible cause I don't know how programs use dlls)?

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

Posted: Thu Jul 29, 2010 8:45 pm
by gamergk
If I'm right, dlls are like the gears that make the program run, not sure, just guessing lol

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

Posted: Thu Jul 29, 2010 8:46 pm
by Administrator
Renaming the DLLs is not a good idea, nor would it help.


As I've already posted multiple times today, just disable Resident Shield.

Re: trojan TR/PSW.Nilage.hhl in lua51.dll

Posted: Thu Jul 29, 2010 9:26 pm
by gamergk
Niiice, thanks for the help. Also sry, tried finding a solution to the problem through the forums, no luck though. Anywho, it's fixed, again many thanks