False Positive: Win.Trojan.Ramnit-6084 FOUND :: Age of Empires II (2013) Support

Shopseite

Age of Empires II (2013)

Alle Diskussionen Screenshots Artworks Übertragungen Videos Workshop Neuigkeiten Guides Rezensionen

Age of Empires II (2013) > Support > Themendetails

Gruni

10. Okt. 2015 um 11:18

False Positive: Win.Trojan.Ramnit-6084 FOUND

Well, what can I say? My dad just wrote me an email earlier today, after checking his PC with ClamWin. His Scanlog consisted of 2 infected files:

C:\Program Files (x86)\Steam\steamapps\common\Age2HD\libeay32-ttv.dll: Win.Trojan.Ramnit-5976 FOUND
C:\Program Files (x86)\Steam\steamapps\common\Age2HD\twitchdll\libeay32-ttv.dll: Win.Trojan.Ramnit-5976 FOUND

While laughing about it at first, giving him some suggestions, he told me that he deleted those files, started the game, had a small update (obviously reloading these files) and they were back, another scan showed that they have been infected as well.

I then decided to pump up Steam in my Windows VMWare as well (since I neither live at my parents house, nor use Windows on a regular basis) and I downloaded a complete, fresh install of the game via Steam. And guess what? I've got the exact same issue as well!

C:\Program Files\Steam\steamapps\common\Age2HD\libeay32-ttv.dll: Win.Trojan.Ramnit-5976 FOUND
C:\Program Files\Steam\steamapps\common\Age2HD\twitchdll\libeay32-ttv.dll: Win.Trojan.Ramnit-5976 FOUND

edit: It appears to be a false positive solely found with ClamWin / ClamXav

Zuletzt bearbeitet von Gruni; 10. Okt. 2015 um 13:05

< >

Beiträge 1–11 von 11

Laptop

10. Okt. 2015 um 11:28

Your Anti-Virus is detecting it as a false positive, the last patch was months ago, do you honestly think a virus would somehow make its way into the game files and not be detected all this time?

mmmcheesywaffles besitzt Age of Empires II (2013)

10. Okt. 2015 um 12:38

Before you even ask others online the first step you take when you even think there might be a virus or trojan is to run another one or even two respectable Anti Virus utilities.

There are several with free to use AV either online or to install. Also look at installing an AntiSpyware program too.

I'd recommend Avast and MalwareBytes. Make sure you download them from the authors sites.

As Laptop indicated if any trojan had managed to slip by the Devs [EXTREMELY unlikely] plewnty of us would have found it by now. Even a day is a long time when a game has the number of players AoE has.

If your dad wants a reliable paid for AV and Antispyware I recommned MalwareBytes. It started out as shareware only and has built up a massive userbase including many professionals. Just add .org to the end of the name for the authors site.

Laptop

10. Okt. 2015 um 12:44

Malwarebytes is malware only, a good Anti-Virus in addition is Kaspersky.

wowegoo

10. Okt. 2015 um 12:55

Ursprünglich geschrieben von Laptop65:
Malwarebytes is malware only, a good Anti-Virus in addition is Kaspersky.

Gruni

10. Okt. 2015 um 13:04

Ursprünglich geschrieben von mmmcheesywaffles:
Before you even ask others online the first step you take when you even think there might be a virus or trojan is to run another one or even two respectable Anti Virus utilities.

There are several with free to use AV either online or to install. Also look at installing an AntiSpyware program too.

I'd recommend Avast and MalwareBytes. Make sure you download them from the authors sites.

As Laptop indicated if any trojan had managed to slip by the Devs [EXTREMELY unlikely] plewnty of us would have found it by now. Even a day is a long time when a game has the number of players AoE has.

If your dad wants a reliable paid for AV and Antispyware I recommned MalwareBytes. It started out as shareware only and has built up a massive userbase including many professionals. Just add .org to the end of the name for the authors site.

My first way was to check his assumption: Downloading the game on a separate system (Windows 10 solely used for one Application that doesn't run on Mac OS X) within a different network (as I am living in another place) and checking it. The fact, that I got the same files and the same results on a basically quarantined system in a VMWare made me rush over here, as those files came 100% straight from Steam.

In the meantime, it looks like it is actually a false positive from ClamWin, however the only files that are being shown are still part of AoE2 HD Edition.

Checks with 5 different scanners support the assumption of a false positive, so I'd consider this case closed.

ktperry

10. Okt. 2015 um 13:26

https://www.virustotal.com/en/file/20d2c20b4246b2fefb8d7ae30bbb9cbf855da916a5dcf8dc4912ed5eaf5a064f/analysis/1444508617/

False positive.

Laptop

10. Okt. 2015 um 13:33

Of course it's a false positive...

bekieark 5. Feb. 2016 um 10:17

Ursprünglich geschrieben von drop | Gruni:
[...] His Scanlog consisted of 2 infected files:

C:\Program Files (x86)\Steam\steamapps\common\Age2HD\libeay32-ttv.dll: Win.Trojan.Ramnit-5976 FOUND
C:\Program Files (x86)\Steam\steamapps\common\Age2HD\twitchdll\libeay32-ttv.dll: Win.Trojan.Ramnit-5976 FOUND
[...]
edit: It appears to be a false positive solely found with ClamWin / ClamXav

I allow myself to comment a bit on this thread, being aware that it is now 3+ months old. Reaction of user "Gruni" was entirely justified and he did what he should have done. This particular botnet and its variants were especially targeting Steam users, just as me and you:

https://community.spiceworks.com/topic/375147-new-variant-of-ramnit-embezzles-data-of-steam-users

https://community.spiceworks.com/topic/814752-europol-takedown-of-ramnit-botnet-frees-3-2-million-pcs-from-cybercriminals

https://community.spiceworks.com/topic/816700-india-biggest-victim-of-ramnit-bug-symantec

IMHO it is entirely justified to at least rise one's eyebrows when encountered a warning like this. It is, subsequently, not 100% correct to write along the lines of: "do you honestly think a virus would somehow make its way into the game files and not be detected all this time" , as things like this sometimes DO happen. Just to mention the recent Apple issue from Autumn 2015, where thousands of iTunes AppStore applications were infected and downloaded in millions, before the threat was detected:

http://www.bbc.com/news/technology-34338362

To conclude: Gruni - if in future you will have similar doubts, just go to https://www.virustotal.com/en and submit suspected file(s) for a scan. If you get something around 1 hit per 50 Anti-Virus programs checked, you know that - most probably - you have a false positive. But sometimes it is just not the case. I have witnessed just too many botnets and lost data in my career, to believe it is otherwise.

Zuletzt bearbeitet von bekieark; 6. Feb. 2016 um 9:01

Nash Smasher besitzt Age of Empires II (2013)

16. Mai 2016 um 17:14

As a IT professional for over 28 years I would totally agree with the above post. You should double check if any AV finds a problem. I remember when Creative Labs shipped Driver disks with a virus. Sony installed root kits without users permissions. So yes it is totally possible for a company or developer to accidentally or purposely ship something with a virus. One of the reasons I prefer iPhone over Android is that it goes through a little more scrutiny and is sand boxed better than the Android. Always question when your utilities find something.