aismov

AVG antivirus telling me 1.20.1 has "downloader.agent.AQN" Trojan Horse

46 posts in this topic

EVISERO says if you update AVG antivirus it will fix the problem!

Thought I was up to date but I was not, updated AVG and tried to install the patch again and it's working like a charm, thanks!

I redownloaded and I don't get any virus messages now, thanks.

Ok, I redownloaded the thing reddog posted but that is a beta full install. Is there not a full install?

Krenn, what about the full install posted above?

Gimme a few minutes, I'll grab and test it.

The older beta patch is clean too.


[krenn@sls-db7p12 krenn]$ wget ftp://downloads.wwiionline.com/wwiiol0000120011.exe
--23:54:10-- ftp://downloads.wwiionline.com/wwiiol0000120011.exe
=> `wwiiol0000120011.exe'
Resolving downloads.wwiionline.com... done.
Connecting to downloads.wwiionline.com[66.28.224.233]:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD not needed.
==> PASV ... done. ==> RETR wwiiol0000120011.exe ... done.
Length: 312,129,092 (unauthoritative)

100%[====================================>] 312,129,092 781.53K/s ETA 00:00

00:00:41 (781.53 KB/s) - `wwiiol0000120011.exe' saved [312129092]

[krenn@sls-db7p12 krenn]$ clamscan wwiiol0000120011.exe
wwiiol0000120011.exe: OK

----------- SCAN SUMMARY -----------
Known viruses: 41232
Engine version: 0.87
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 297.67 MB
Time: 179.379 sec (2 m 59 s)
[krenn@sls-db7p12 krenn]$ /etc/iscan/vscan -v wwiiol0000120011.exe
Virus Scanner v3.1, VSAPI v7.510-1002
Trend Micro Inc. 1996,1997
Pattern version 937
Pattern number 113239
wwiiol0000120011.exe

==============================
Directory:
Searched : 0
File:
Searched : 1
Scan : 1
Infected : 0
Infected : 0(Include files been compressed)
Time:
Start : 11/10/05 00:09:02
Stop : 11/10/05 00:09:02
Used : 00:00

But as you say, this isn't the one you want. You should get the 000120 full install, then the patch.

I've always thought the beta patches should be moved into a subdirectory, but I believe it would require installer tweaks there aren't time for.

Thank you Krenn.

This has top priority with us. I just got off the phone with MO and he is tracking down those he needs to help check into / fix this issue as soon as they walk into the door.

Thank you for all your help on this issue.

Your virus scanner has ASSUMED because the program was beginning to download something that it was some sort of 'download agent' trojan.

That scanner is extra precautious, and it should be disabled during installs of WWIIOL.

Else, did you keep your receipt for that virus program, cause if so -- please return it and grab Symantec or even Panda instead of that one. That program has no clue what the heck is going on -- it sees a procedure (download), has no clue what's going on, and assigns whatever dbase entry it has that matches. The name of the trojan you saw is what is found, even though it probably ain't even close -- it's simply 'guessing'.

Return that pos software....trust me....

This does indeed appear to have been an issue with AVG incorrectly flagging the exe as a trojan. If anyone hears of an issue with any other Anti-Virus software, please let me know at krieger@playnet.com

We are currently in contact with AVG to determine what the cause of the problem was.

Symantec never caught anything. I even downloaded a virus test file, scanned it with Symantec and nothing. AVG caught it right away.

False positives do occur; to some degree that can be the sign of a good AGGRESSIVE anti-virus scanner.

An example of such a well-known FALSE POSITIVE was with a version of TEAMSPEAK when scanned by several well-respected anti-virus programs about a year or two ago. So it happens. Usually the anti-virus maker and the maker of the software in question get together, if needed, and find out what the issue is and then patch it.

In the case of TEAMSPEAK it was found to be a false positive, based on how many AV programs use "signatures" to detect viruses (virii). The idea is to look for patterns in the code of the possible offender that are similar to the telltale elements of known or expected viruses. Unfortunately, as more and more trojan horses, in particular, have auto-generating downloading elements, more and more of the "signature" codes may overlap well-known ways of doing the same intended and desired downloading. More or less the issue here.

For what it is worth, AVG anti-virus is highly regarded and has beaten Symantec on numerous occasions at detecting more virii in various tests. It's also free, the professional version used by corporations. Earthlink Support often recommends it; I asked them on several occasions which ones they considered reliable, etc.

What you also should note is how quickly the fix from AVG anti-virus came out and in parallel how Krieger and others from the Devs quickly took the issue seriously and looked into it (you can assume that both had a part in the solution being so quick).

Note:

The key thing done by one of the posters in this thread, that was very smart, was to run a test on the other previous patches and see if they caused the same error. Having known that he had no security breaches up to then (a trojan horse breach would normally result in near instantaneous evil use of your information once they had it) and finding that the previous patches flunked now WHEN THEY HAD NOT FLUNKED AVG BEFORE ... suggested the new version of AVG was in error and generating FALSE POSITIVES.

So, now, we all have a great example of how to test any false positive in future. To that person I say well done.

I had AVG and did not get this warning, so the fix must have been pretty quick.

AVG updates weekly, by the way. That is why the method the poster described (using it on the previous few patches and seeing if it also generates a false positive) was a good test for false positives.
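
The check described in the two posts above (rescan earlier, unchanged patches after a scanner update and see whether they are newly flagged), as an added example that is not part of the original thread. It assumes clamscan-style result lines; the file names, file contents and signature name are constructed.

```python
import hashlib
import re
from collections import defaultdict

# clamscan prints "<path>: OK" or "<path>: <signature> FOUND" for each file.
RESULT = re.compile(r"^(?P<path>.+?): (?:(?P<sig>\S+) FOUND|OK)$")

def parse_clamscan(output):
    """Map each scanned path to its signature name, or None when clean."""
    verdicts = {}
    for line in output.splitlines():
        m = RESULT.match(line.strip())
        if m:  # summary lines such as "Infected files: 0" do not match
            verdicts[m.group("path")] = m.group("sig")
    return verdicts

def newly_flagged(old_scan, new_scan, old_hashes, new_hashes):
    """Group by signature the files that went clean -> flagged with identical bytes."""
    flips = defaultdict(list)
    for path, sig in new_scan.items():
        same_bytes = path in old_hashes and old_hashes[path] == new_hashes.get(path)
        if sig and same_bytes and old_scan.get(path, "") is None:
            flips[sig].append(path)
    return {sig: sorted(paths) for sig, paths in flips.items()}

def triage(flips, min_files=2):
    """Heuristic only: one signature newly hitting several unchanged,
    previously clean files points at the signature update, not the files."""
    return {sig: "suspect signature update" if len(p) >= min_files else "inconclusive"
            for sig, p in flips.items()}

# Constructed sample data: names, contents and signature name are made up.
FILES = {"patch_1.exe": b"old patch one", "patch_2.exe": b"old patch two"}
OLD_HASHES = {n: hashlib.sha256(b).hexdigest() for n, b in FILES.items()}
NEW_HASHES = dict(OLD_HASHES)  # re-hashed after the update: bytes unchanged
OLD_OUTPUT = "patch_1.exe: OK\npatch_2.exe: OK\nInfected files: 0"
NEW_OUTPUT = ("patch_1.exe: Example.Downloader FOUND\n"
              "patch_2.exe: Example.Downloader FOUND\nInfected files: 2")

def run_example():
    flips = newly_flagged(parse_clamscan(OLD_OUTPUT), parse_clamscan(NEW_OUTPUT),
                          OLD_HASHES, NEW_HASHES)
    return flips, triage(flips)

if __name__ == "__main__":
    print(run_example())
```

A file whose hash changed between the two scans is deliberately excluded, since a new detection on changed bytes says nothing about the signature update.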

well.......i downloaded and ran avg to see if i had it...or anything, and came up clean.

avg appears to be a LOT easier and user friendly than panda, which is what i uninstalled to try avg.

anyone else know of panda and avg enough to compare them?
