Does this sound like a false positive? Win32:JunkPoly [Cryp]

I’ve just downloaded a free game (from one of our local servers - Area 51, by Midway Entertainment).

AFAIK, this is a legit game (it’s not pirated and it wasn’t off P2P), and was just released to the public. However, if it is infected, I may have to send an email to the people who maintain this server I downloaded it from, so they can remove it.

The file is about 3.67 MB (it’s a BIG install file - 1.9 GB).

Avast picked this up

Event Type: Warning
Event Source: avast!
Event Category: Client
Event ID: 90
Date: 3/10/2008
Time: 8:26:45 p.m.
User: N/A
Computer: PJ
Description:
Sign of “Win32:JunkPoly [Cryp]” has been found in “C:\Program Files\Midway Home Entertainment\AREA-51\A51” file.

This popped up AFTER I had installed this game. I thought it was the main executable file (it isn’t). It hasn’t got an extension to it, but it’s 3.67 MB.

I’ve been to Virustotal, and it says this

AhnLab-V3 2008.10.3.0 2008.10.02 -
AntiVir 7.8.1.34 2008.10.02 -
Authentium 5.1.0.4 2008.10.02 -
Avast 4.8.1248.0 2008.10.02 Win32:JunkPoly
AVG 8.0.0.161 2008.10.03 -
BitDefender 7.2 2008.10.03 -
CAT-QuickHeal 9.50 2008.10.03 -
ClamAV 0.93.1 2008.10.02 -
DrWeb 4.44.0.09170 2008.10.03 -
eSafe 7.0.17.0 2008.10.02 -
eTrust-Vet 31.6.6126 2008.10.03 -
Ewido 4.0 2008.10.02 -
F-Prot 4.4.4.56 2008.10.02 -
F-Secure 8.0.14332.0 2008.10.03 -
Fortinet 3.113.0.0 2008.10.03 -
GData 19 2008.10.03 Win32:JunkPoly
Ikarus T3.1.1.34.0 2008.10.03 -
K7AntiVirus 7.10.481 2008.10.02 -
McAfee 5397 2008.10.02 -
Microsoft 1.4005 2008.10.03 -
NOD32 3491 2008.10.03 -
Norman 5.80.02 2008.10.02 -
Panda 9.0.0.4 2008.10.03 -
PCTools 4.4.2.0 2008.10.02 -
Prevx1 V2 2008.10.03 -
Rising 20.63.62.00 2008.09.28 -
SecureWeb-Gateway 6.7.6 2008.10.03 Virus.Win32.FileInfector.gen!90 (suspicious)
Sophos 4.34.0 2008.10.03 Sus/UnkPacker
Sunbelt 3.1.1675.1 2008.09.27 -
Symantec 10 2008.10.03 -
TheHacker 6.3.1.0.099 2008.10.03 -
TrendMicro 8.700.0.1004 2008.10.03 -
VBA32 3.12.8.6 2008.10.02 -
ViRobot 2008.10.3.1405 2008.10.03 -
VirusBuster 4.5.11.0 2008.10.02 -
Additional information
File size: 3854336 bytes
MD5…: 218ed4dfbab6b9c2400a4ba37bc1254d
SHA1…: cf3dab24d4f35713634c3df38a6669652de615aa
SHA256: dfed9648a690af681aea773c9488df5b35e8153019e9b9cea0ee02d559bb26d5
SHA512: 4a542d1e529304907c019a798c39e0d576b36cb8b13aef23cbc427c177f9cb67
b6678d80f830e93bf1d838e9fe8b885dc731085e7d44ec4f6435111b5ff6f06d
PEiD…: -
TrID…: File type identification
Win32 Executable MS Visual C++ (generic) (75.0%)
Win32 Executable Generic (16.9%)
Generic Win/DOS Executable (3.9%)
DOS Executable Generic (3.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x98e000
timedatestamp…: 0x42e94038 (Thu Jul 28 20:29:44 2005)
machinetype…: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2ea000 0x2ea000 6.56 6798ec064dc817d52adffe6f2d362ab9
.rdata 0x2eb000 0x59000 0x59000 5.63 3e5ed8926f95b3e9e8f4900696f0a34e
.data 0x344000 0x21e000 0x3c000 2.70 cb477ff74f0a38173fe87a134664907f
.rsrc 0x562000 0x2b000 0x2b000 6.42 997f03175dfbffc5e358af80ab570ee8
.idfs 0x58d000 0x1000 0x1000 0.42 bedefcf3c8e297fc1da2e185072be243
.dfcsep 0x58e000 0x1000 0x1000 2.76 71a9e5da525abe7fada349b26a5cc719

Should I email a copy to you to check this file? I’ve uninstalled the game but made a copy of the infected file.

Thanx

http://forum.avast.com/index.php?board=2;action=display;threadid=7779

Yes, please. Send it in a password protected zip to virus@avast.com. Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.

Cool, done. Sending file as I reply to this

Anything back on this yet? Whether it’s a FP or other?

The FP should already have been corrected. Scan the file and see if it is still detected.

Yup, it’s still there when you scan the install file.

So, no, it hasn’t been fixed.

still unfixed

fixed internally, but it still has not been released due to a little communication misunderstanding between me and other viruslab guy… it will come out with the second VPS today…

Looks like it’s fixed now, just scanned the install file again. No warning this time!

Thanx guys.

Thanks for reporting back :wink: