Two Plus Two Newer Archives  

#71
02-02-2006, 04:16 PM
El Diablo
Senior Member
Join Date: Sep 2002
Location: Parts Unknown
Posts: 33,802
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

All,

If this is a false positive, why are there a ton of people who play Party and use MAS but haven't seen this? Something seems v. fishy.
#72
02-02-2006, 04:25 PM
Pinga
Senior Member
Join Date: Jan 2005
Posts: 165
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

Because party copies a bunch of things, both text and program, to the temp folder. You will only alert if there is a program with the name of 34.tmp.

Sometimes 34.tmp has a text file or the name is just not there.

It's random.
#73
02-02-2006, 04:30 PM
ddubois
Senior Member
Join Date: Jan 2004
Location: Ewa Beach, HI
Posts: 3,647
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

[ QUOTE ]
If this is a false positive, why are there a ton of people who play Party and use MAS but haven't seen this?

[/ QUOTE ]
Hypothesis: Because the party software isn't exclusively using an unfortunate "34.tmp" name, but rather is generating a name from within a range/set that includes 34.tmp as one of the possibilities, and only this specific name triggers MAS.
#74
02-02-2006, 04:31 PM
jba
Senior Member
Join Date: Feb 2005
Posts: 9,596
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

[ QUOTE ]
All,

If this is a false positive, why are there a ton of people who play Party and use MAS but haven't seen this? Something seems v. fishy.

[/ QUOTE ]

El D. -

once upon a time, someone wrote a virus which among other things created a file called 34.tmp in your Temp directory. This may have been yesterday or three years ago, by a virus author that has maybe never heard of internet poker.

MAS is looking out for this virus. Anytime it finds any file in the Temp directory called 34.tmp, it says you have a virus.

meanwhile, Party Poker is [censored] random files into your Temp directory. here's some of them:

3.tmp 313.tmp 336.tmp 355.tmp 370.tmp 395.tmp 3B2.tmp 3D.tmp 3hp7DD.tmp
30.tmp 317.tmp 33E.tmp 359.tmp 376.tmp 397.tmp 3B5.tmp 3DE.tmp 3i91E9C.tmp
302.tmp 31E.tmp 34.tmp 35A.tmp 377.tmp 398.tmp 3B6.tmp 3E.tmp 3j8B5.tmp
303.tmp 32.tmp 341.tmp 35D.tmp 37E.tmp 39E.tmp 3B7.tmp 3EC.tmp 3je1E76.tmp
305.tmp 32B.tmp 343.tmp 35E.tmp 37F.tmp 39F.tmp 3BC.tmp 3F.tmp 3s71EE9.tmp
309.tmp 32E.tmp 346.tmp 35F.tmp 38.tmp 3A.tmp 3C.tmp 3F0.tmp 3sa1E98.tmp
30A.tmp 32F.tmp 348.tmp 35w1F07.tmp 388.tmp 3A5.tmp 3C4.tmp 3F8.tmp 3sv1EA7.tmp
30C.tmp 33.tmp 34B.tmp 36.tmp 38C.tmp 3A6.tmp 3C9.tmp 3F9.tmp 3wn1B65.tmp
30E.tmp 333.tmp 34D.tmp 363.tmp 38F.tmp 3AD.tmp 3CB.tmp 3FC.tmp 3wn9E2.tmp
30F.tmp 3331A71.tmp 35.tmp 36D.tmp 38r1BEC.tmp 3AE.tmp 3CD.tmp 3fp1AC0.tmp
31.tmp 334.tmp 354.tmp 37.tmp 39.tmp 3B.tmp 3CF.tmp 3gs171E.tmp


they're all the same size, and there's a bunch of different names that Party gives them. If you're not getting the alert, it's perhaps because Party hasn't gone around to [censored] specifically 34.tmp into this directory yet.
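The explanation in the post above, as an added example that is not part of the original thread: a scanner that alerts on the name 34.tmp alone flags a benign file, while one that also checks content does not. The rule, the sample bytes and the function names are constructed for illustration; how MAS actually matches is only the posters' hypothesis.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical signature for illustration; the real MAS rule is not shown in this thread.
FLAGGED_NAME = "34.tmp"
# Constructed stand-in for the trojan's dropped file (harmless bytes, not a real sample).
KNOWN_BAD_BYTES = b"constructed placeholder for the trojan's 34.tmp"
KNOWN_BAD_SHA256 = hashlib.sha256(KNOWN_BAD_BYTES).hexdigest()


def name_only_scan(temp_dir: Path) -> list[str]:
    """Alert on the file name alone, as the thread hypothesises."""
    return sorted(p.name for p in temp_dir.iterdir()
                  if p.is_file() and p.name.lower() == FLAGGED_NAME)


def name_and_content_scan(temp_dir: Path) -> list[str]:
    """Alert only when the name matches and the content hash matches too."""
    hits = []
    for p in temp_dir.iterdir():
        if p.is_file() and p.name.lower() == FLAGGED_NAME:
            if hashlib.sha256(p.read_bytes()).hexdigest() == KNOWN_BAD_SHA256:
                hits.append(p.name)
    return sorted(hits)


def run_case(files: dict[str, bytes]) -> tuple[list[str], list[str]]:
    """Build a throwaway temp directory from `files` and run both scans."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, data in files.items():
            (root / name).write_bytes(data)
        return name_only_scan(root), name_and_content_scan(root)


# Constructed cases: the same benign payload under names taken from the listing above.
BENIGN = b"benign installer resource"
CASE_NO_34 = {"33.tmp": BENIGN, "341.tmp": BENIGN, "35.tmp": BENIGN}
CASE_BENIGN_34 = {"33.tmp": BENIGN, "34.tmp": BENIGN, "341.tmp": BENIGN}
CASE_REAL_DROP = {"34.tmp": KNOWN_BAD_BYTES, "35.tmp": BENIGN}

if __name__ == "__main__":
    for label, case in [("no 34.tmp", CASE_NO_34),
                        ("benign 34.tmp", CASE_BENIGN_34),
                        ("matching content", CASE_REAL_DROP)]:
        print(label, run_case(case))
```

The first case is a machine where the name 34.tmp has not been used yet, so neither scan alerts; that is why only some users see the detection.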
#75
02-02-2006, 04:43 PM
goodguy_1
Senior Member
Join Date: Sep 2002
Location: FL
Posts: 3,779
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

you would think the software developers at Party who should be attuned to trojans past or present would know that 34.tmp could trigger a false positive..MAS shows the trojan as a part of a family of trojans that attacked lsass vulnerability that Microsoft patched in the last year or so.
#76
02-02-2006, 05:45 PM
El Diablo
Senior Member
Join Date: Sep 2002
Location: Parts Unknown
Posts: 33,802
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

Pinga, jba, others,

Thanks, that makes a ton of sense. Savage saw different file formats copied there w/ the same name, but that's because Party just uses 34.tmp (and other names) as a placeholder for copying all sorts of different crap there. That makes sense. Thanks for the explanation.
#77
02-03-2006, 12:19 AM
KaneKungFu123
Senior Member
Join Date: Feb 2005
Location: Eating Dead Animal
Posts: 6,449
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

Props.

Computer Science seems so boring, but you guys are very important to a functioning society!
#78
02-03-2006, 08:55 AM
BluffTHIS!
Senior Member
Join Date: Nov 2004
Location: I can hold my breath longer than the Boob
Posts: 10,311
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

[ QUOTE ]
All,

If this is a false positive, why are there a ton of people who play Party and use MAS but haven't seen this? Something seems v. fishy.

[/ QUOTE ]


El D,

Remember that party was started from the profits of an online porn biz. So obviously these files are being created on the computers of users who spend a lot of time on porn sites in an effort to identify customers for their other businesses. It's called cross-marketing.
#79
02-03-2006, 09:13 AM
KaneKungFu123
Senior Member
Join Date: Feb 2005
Location: Eating Dead Animal
Posts: 6,449
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

[ QUOTE ]
[ QUOTE ]
All,

If this is a false positive, why are there a ton of people who play Party and use MAS but haven't seen this? Something seems v. fishy.

[/ QUOTE ]


El D,

Remember that party was started from the profits of an online porn biz. So obviously these files are being created on the computers of users who spend a lot of time on porn sites in an effort to identify customers for their other businesses. It's called cross-marketing.

[/ QUOTE ]

What are you talking about?
#80
02-06-2006, 04:01 AM
whittiphil
Senior Member
Join Date: Jun 2005
Posts: 711
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

Just found this thing. I haven't opened PP in months, I play on absolute... could absolute have made the file?

I'm disconcerted that I don't have the same explanation as you guys (that party creates a file that creates a false positive)
All times are GMT -4.

