Vaja Vajush 8 Jun 2023 at 9:05 a.m.
antivirus detects steam localization files as trojans
hello,
Windows Defender found trojans (specifically Trojan:Script/Wacatac.B!ml and Trojan:Script/ObfusScript.A!ml) in this steam path: C:\xy\Steam\steamui\localization\ and then files shared_koreana-json.js, shared_thai-json.js, and shared_vietnamese-json.js

I clicked to "remove" these files in the WD, but I gotta confess, I didn't get any malicious files in a long time and I'm not exactly sure how that works. Should I do something manually now to be safer or does that count as solved?
And also, the bigger topic on my mind, why I decided to write on this forum: how did it get there? Is it a false positive? When I googled my exact problem as I'm writing here I didn't get any answers, and when I googled the specific malware names, I found that those can be the very dangerous malwares people get scammed with, like in emails or when downloading anything, but I swear I did not encounter any suspicious messages nor did I download anything in the recent days (the Windows Defender notified me 3 hours ago)
Silent ♋ 8 Jun 2023 at 9:32 a.m.
Exactly like me but only detected shared_koreana, are you using the Steam beta as well?
Silent ♋ 8 Jun 2023 at 9:37 a.m.
Originally posted by Silent ♋:
Exactly like me but only detected shared_koreana, are you using the Steam beta as well?

I believe it is from the Steam beta, as I just opted out (without cleaning the trojan), and when you opt out Steam cleans the files itself and now I don't have the trojan
Vaja Vajush 8 Jun 2023 at 9:46 a.m.
Originally posted by Silent ♋:
Exactly like me but only detected shared_koreana, are you using the Steam beta as well?
wow, I am also using the beta version! thank you so much!
Good morning,


Could you make a ticket to steam support to get an answer as soon as possible and give the news of the support you have to tell others about your experience?


THANKS. :FRANCEflag:

https://help.steampowered.com/en/wizard/HelpWithSteamIssue?issueid=808
[support]
Originally posted by nullable:
AV's aren't infallible. Are you aware of the possibility of false positives? https://en.wikipedia.org/wiki/False_positives_and_false_negatives

When your AV finds something you can choose to trust it blindly. But when the AV is flagging something you think may be incorrect, or is flagging something you trust, nothing is stopping you from doing some additional research to confirm or dismiss the result.

After all, it's better for an AV to say something is a trojan and be wrong than it is to say something isn't a trojan and be wrong.

Valve checks all the data published to it, and the number of legitimate issues of malicious files being served to users is pretty small. So to my mind it's much much more likely Windows Defender is being overly aggressive and conservative in this case. And rather than blindly trusting your AV in all cases, you're free to apply a bit more nuance and skepticism towards it.

I would also say the files you've listed are JSON files. JSON is a common and popular way to structure data to provide interoperability between languages and systems. It's just text and generally just contains data and it's pretty easy to look at the files and see if there's anything besides JSON in there. It's pretty easy to determine if those files contain suspicious code or not.

Even if looking at JSON is above your pay grade since JSON and Javascript are so popular it would be pretty trivial to get some reliable opinions about those files.
:greenlike:
Vaja Vajush 8 Jun 2023 at 10:34 a.m.
Yes, yes! After I switched from the beta version to the regular one, the antivirus is detecting 0 threats, so it indeed was most likely a false positive of the beta version. I did not file a ticket at Steam support as I got my help here and it was most likely just the AV's fault for being too aggressive. Thank you for the quick and valuable responses, everyone! :steamhappy:
Faust the Lizardman 8 Jun 2023 at 11:43 a.m.
Got this too.

Windows Security detected:
  • Trojan:Win32/Phonzy.B!ml in Steam\steamui\localization\shared_vietnamese-json.js
  • Trojan:Script/Wacatac.B!ml in Steam\steamui\localization\shared_thai-json.js
  • Trojan:Script/ObfusScript.A!ml in Steam\steamui\localization\shared_koreana-json.js

I was also in Steam Beta so hopefully just a false positive.
Last edited by Faust the Lizardman; 8 Jun 2023 at 11:43 a.m.
Timo 8 Jun 2023 at 1:15 p.m.
same here

Windows Security detected:
Trojan:Win32/Phonzy.B!ml in Steam\steamui\localization\shared_vietnamese-json.js
Trojan:Script/Wacatac.B!ml in Steam\steamui\localization\shared_thai-json.js
Trojan:Script/ObfusScript.A!ml in Steam\steamui\localization\shared_koreana-json.js
vanni 8 Jun 2023 at 2:41 p.m.
Got the same warning from Windows Defender and I’m using the beta client, too.

Found in Steam\steamui\localization\.

Trojan:Script/Wacatac.B!ml:
shared_koreana-json.js
shared_thai-json.js

Trojan:Script/Phonzy.B!ml:
shared_vietnamese-json.js
Last edited by vanni; 8 Jun 2023 at 2:42 p.m.
magicISO Sweden 8 Jun 2023 at 3:36 p.m.
Originally posted by vanni:
Got the same warning from Windows Defender and I’m using the beta client, too.

Found in Steam\steamui\localization\.

Trojan:Script/Wacatac.B!ml:
shared_koreana-json.js
shared_thai-json.js

Trojan:Script/Phonzy.B!ml:
shared_vietnamese-json.js
false positive
Lithurge 9 Jun 2023 at 3:42 a.m.
If they're small enough in size you can upload them to Virustotal which runs them through multiple AV's for peace of mind.
The author of this thread has indicated that this post answers the original topic.
Havok 9 Jun 2023 at 5:41 a.m.
shared_koreana-json.js - https://www.virustotal.com/gui/file/c9feabd87f1220e88721bd4df2328049031a0adb99d9f2fcc03cd77fc6d2b55c?nocache=1

shared_thai-json.js - https://www.virustotal.com/gui/file/ef4add00a650ddb3a7036bc30310ee0755eb9b6b00e65606c5252b6578093036?nocache=1

shared_vietnamese-json.js - https://www.virustotal.com/gui/file/feef83316000ce09fe7e6f9e55b9309898d5dc101af5b91d053b95a424beca20?nocache=1

Non Beta Branch

It is not unheard of for AVs to pick them up. Steam, every once in a while, the steam.exe, steamwebhelper.exe and some of its bundled packages get flagged. If you upload your file to VT, then you can see exactly why it was detected.

This being said, 1/60, especially from some of the following (Zillya, Rising, Jiangmin, etc.) are most certainly false positives. The only time it may not be, is if you are using the old "arg matey" and not getting your contents directly from Steam's website. Those 3 in particular are super prone to false positives with Steam, and have been for years. So, if it's those 3, which are garboware Chinese AVs, simply report the files on the Steam beta branch discussion forums, and it will get taken care of eventually
Last edited by Havok; 9 Jun 2023 at 5:41 a.m.
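
Added example (not part of Havok's post and not Steam or Microsoft tooling): a VirusTotal `/gui/file/<id>` link carries the file's SHA-256, so a local copy can be compared against the three non-beta samples linked above without uploading anything. The function names and the folder argument are assumptions of this sketch.

```python
import hashlib
import re
from pathlib import Path

# Lines copied from the post above (file name - VirusTotal link, non-beta branch).
VT_LINES = """\
shared_koreana-json.js - https://www.virustotal.com/gui/file/c9feabd87f1220e88721bd4df2328049031a0adb99d9f2fcc03cd77fc6d2b55c?nocache=1
shared_thai-json.js - https://www.virustotal.com/gui/file/ef4add00a650ddb3a7036bc30310ee0755eb9b6b00e65606c5252b6578093036?nocache=1
shared_vietnamese-json.js - https://www.virustotal.com/gui/file/feef83316000ce09fe7e6f9e55b9309898d5dc101af5b91d053b95a424beca20?nocache=1
"""
VT_LINK = re.compile(
    r"^(\S+)\s+-\s+https://www\.virustotal\.com/gui/file/([0-9a-f]{64})\b", re.M)


def parse_vt_lines(text):
    """Map file name -> SHA-256 taken from the /gui/file/<sha256> part of each link."""
    return {name: digest for name, digest in VT_LINK.findall(text)}


def sha256_of(path):
    """Hash the file in chunks so it is never read into memory in one piece."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare(directory, known):
    """Return {name: 'match' | 'differs' | 'missing'} for each known file."""
    result = {}
    for name, expected in known.items():
        path = Path(directory) / name
        if not path.is_file():
            result[name] = "missing"   # e.g. already quarantined by the AV
        elif sha256_of(path) == expected:
            result[name] = "match"     # same bytes as the sample behind the link
        else:
            result[name] = "differs"   # another build (e.g. beta) or modified
    return result


if __name__ == "__main__":
    import sys
    # Assumed usage: pass the steamui\localization folder as the first argument.
    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, status in compare(folder, parse_vt_lines(VT_LINES)).items():
        print(f"{status:8} {name}")
```

A "differs" result only says the local bytes are not the linked non-beta sample; the printed hash of such a file can be searched on VirusTotal on its own.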
BugBear28 16 Jun 2023 at 7:44 p.m.
Just updated Talisman today (Jun 16, 2023), and Windows Security (Windows 10) detected -
Trojan:Script/Wacatac.B!ml
in
file: C:\Program Files (x86)\Steam\steamapps\common\Talisman\Talisman.exe
Microsoft link at --
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AScript%2FWacatac.B!ml&threatid=2147735503
Any help appreciated
Date posted: 8 Jun 2023 at 9:05 a.m.
Posts: 13