
Windows Trojan.Win32.Delf.sih in Crying Damson 5 (0.3.5) Build

zerosmoke (New Member, joined Jul 5, 2011)
Just a heads up, I'd thought this was a false positive when my KIS 2011 picked it up in the build I got from this site. Then I decided to send it to the analysts at Kaspersky Labs. I sent in a couple of the builds I got from this site, and otfans, and they confirmed that it was not a false positive after examining the code, and even though I sent it in again they informed me they didn't need the source code again to confirm it was indeed infected. I've since compiled my own build using the source files listed at http://otland.net/subversion and my build passes the Kaspersky scan without a red flag.

In conclusion, if your anti-virus flags the build you got as infected, send it to [email protected] in a password protected file with the password "virus" and it will be personally analyzed by one of their techs.

I've also uploaded my build (just the exe in a zip), fresh from compiling. Note: I had an error from status.cpp and tools.cpp (linker error) regarding xmlfree, so I removed references to it in those 2 files. That's the only change I've made to the build before compiling.

Edit: My build had a few bugs, one of which was the non-existence of loot, oddly enough. I've removed it so no one else ends up with the same problem.
 
Yeah, nice try, however this is the wrong forum part, and I have my doubts that the link is a virus. Each "virus" found in a TFS release is a false positive if it was from OTLand or OTFans.
If you downloaded it from another site, other than OTLand or OTFans, ur just plain out dumb.
Remove the link.
 
Nice try at ...?

If you've got an explanation for the reason it throws so many red flags with so many virus detection systems while my build only throws 3:
VirusTotal - Free Online Virus, Malware and URL Scanner

...I'm willing to hear it. Until then, I think I'll just quote you... "ur just plain out dumb" to make blanket assumptions about any and all media available through a website. Use your brain, use an anti-virus.
 
My build passed the inspection by Bit Defender. All I'm saying is: If the build you got from any website throws red flags in a virus scan, get a second opinion, send it to virus analysts, or compile your own build. The "well if you got it here it was clean, if you got it anywhere else, you're dumb" blanket statement attitude is pretty much out in left field somewhere...not paying attention.

I'm not kidding around here, when I tried to have Kaspersky remove the 'infected' file, it started messing with the registry, removed my access to the Desktop, disabled the Task Manager, and sent "Bad Image File" errors from Windows when I was finally able to terminate some processes to manually delete it. Just do yourself a favor and don't ignore all detections by passing them off as false positives, especially when virus analysts, who stake their personal name and reputation on every report they check out (who I'll trust over some anonymous person on Otland.net), verify malicious code in the sample.

I don't think I'd be wrong in asserting that the course of action I detailed would not be discouraged by any moderators here.
 
And you used TFS 0.3.5, downloaded from OTland, the thought of it yielding any virus is absurd.
Also, I checked, the binaries for 0.3.5 cannot be downloaded from OTLand, so you must've downloaded it from some other site.
 