Author Topic: Win32:Virut , False alarm or the real deal?  (Read 5621 times)


jmlima

  • Guest
Win32:Virut , False alarm or the real deal?
« on: December 23, 2007, 04:03:38 PM »
Gents,

I have a puzzling question. I recently tried to download an official patch for the 'Combat Mission 2' game. The patch files were downloaded from the official servers, and one of them is reported by Avast to be infected with the Win32:Virut virus.

The file is available at (amongst many other locations):

http://dlh.net/cgi-bin/dlp.cgi?lang=eng&sys=pc&file=cmbb103u.zip&ref=ps

The puzzling bit is that I ran the 'Bit Defender' online scan which reported no virus, and the Kaspersky online scan that reported the file as suspect since it was blocked and therefore it could not be scanned.

The patch is an exe file containing several files, amongst them the 'Combatmission.exe' which is the file that triggers the avast alarm.

I'm using Avast 4.7 home edition (always up to date) on a Win XP SP2 machine. I did a full system scan and it reported nothing, it's all clean, except for that patch file.

There is now no official support for the game.

Many thanks for any possible answer.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: Win32:Virut , False alarm or the real deal?
« Reply #1 on: December 23, 2007, 04:27:17 PM »
DrWeb link checker doesn't find anything, but I don't think that is any guarantee; although it checks the default page and any scripts on it, I don't know if it would go to the extent of scanning the zip files linked.

I would have downloaded it and uploaded it to VirusTotal, but at 24MB on dial-up that isn't something I could do and there is also a 10MB upload limit at VirusTotal.

So I don't know what to suggest, as Win32:Virut is a particularly virulent .exe infector that, if it gets established, often results in a format to completely get rid of it.

The detection would have been detected I believe by the Web Shield and that would have only given one option, abort connection, so there shouldn't be anything on your system.

The strange thing is that the Win32:Virut samples have only recently been added (months rather than years) and this patch is from June 2003; if that can be verified, it may possibly be a false positive. That is the problem: verifying the patch/zip file content date, and based on the fact there is no longer any official support, that could be difficult, not to mention the high risk if it were correctly detected as Win32:Virut.

Hopefully one of the Alwil team will be able to check it out.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security
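
The date check described in Reply #1, as an added example that is not part of the original thread: it lists each archive member's stored zip date, the link timestamp from the PE header of any executable inside, and a SHA-256 that can be compared against a copy fetched from another location. The sample archive is constructed in memory, and the names `audit_zip`, `pe_link_time`, `make_sample` and `sample_patch.exe` are hypothetical.

```python
import datetime as dt
import hashlib
import io
import struct
import zipfile


def pe_link_time(data):
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew: offset of "PE\0\0"
    if pe_off + 12 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    # Signature (4) + Machine (2) + NumberOfSections (2), then TimeDateStamp (4).
    (stamp,) = struct.unpack_from("<I", data, pe_off + 8)
    return dt.datetime.fromtimestamp(stamp, dt.timezone.utc)


def audit_zip(blob):
    """Return name, zip date, PE link time and SHA-256 for each archive member."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            rows.append({
                "name": info.filename,
                "zip_mtime": dt.datetime(*info.date_time),
                "pe_link_time": pe_link_time(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return rows


def make_sample():
    """Constructed sample: a zip holding a stub PE header stamped June 2003."""
    stamp = int(dt.datetime(2003, 6, 15, tzinfo=dt.timezone.utc).timestamp())
    pe = bytearray(0x80)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", pe, 0x48, stamp)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("sample_patch.exe", (2003, 6, 16, 12, 0, 0)), bytes(pe))
        zf.writestr(zipfile.ZipInfo("readme.txt", (2003, 6, 16, 12, 0, 0)), b"constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for row in audit_zip(make_sample()):
        print(row)
```

Both dates are stored fields that anyone repacking the file can set, so they are supporting evidence only. A SHA-256 that matches a copy obtained independently from the publisher is the stronger check.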

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Win32:Virut , False alarm or the real deal?
« Reply #2 on: December 23, 2007, 06:47:03 PM »
i've fixed one type of FP with Win32:Virut detection (last friday), but i can't confirm, that the fixed detection is out already... the previous FP was related to some StarForce protected files... i'll try to tell you more soon, but i'm using my holiday and i can't do it immediately...

jmlima

  • Guest
Re: Win32:Virut , False alarm or the real deal?
« Reply #3 on: December 24, 2007, 12:31:45 PM »
Quote
i've fixed one type of FP with Win32:Virut detection (last friday), but i can't confirm, that the fixed detection is out already... the previous FP was related to some StarForce protected files... i'll try to tell you more soon, but i'm using my holiday and i can't do it immediately...

gents,

Thanks both for your help. I'll keep myself tuned for any possible updates on the situation from yourselves.

I meanwhile searched on Google, and the game was released in Europe by CDV and in the US by Battlefront.
Battlefront on their forum have some insight into what's possibly happening:

Quote
The CDV version also has a copy-protection system that can struggle with some anti-virus programs or CD-players.

http://www.battlefront.com/discuss/ultimatebb.php?ubb=get_topic;f=23;t=004792

However, given the nature of the Virut virus, I'll wait for more feedback from yourselves.

Thanks again.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: Win32:Virut , False alarm or the real deal?
« Reply #4 on: December 24, 2007, 03:21:50 PM »
You're welcome.

Hopefully the Alwil team will get on it soon.

Welcome to the forums and a Merry Christmas.

jmlima

  • Guest
Re: Win32:Virut , False alarm or the real deal?
« Reply #5 on: January 02, 2008, 08:21:01 PM »
Guys.

Just bumping this in case anyone from the Alwil team has any news regarding it.

Thanks.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Win32:Virut , False alarm or the real deal?
« Reply #6 on: January 02, 2008, 11:23:03 PM »
i'll tell you tomorrow ;)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Win32:Virut , False alarm or the real deal?
« Reply #7 on: January 02, 2008, 11:27:22 PM »
Quote
i'll tell you tomorrow ;)

Welcome back from vacations Maxx ;)
The best things in life are free.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Win32:Virut , False alarm or the real deal?
« Reply #8 on: January 02, 2008, 11:32:39 PM »
thx.. nice to see ya again ;)

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Win32:Virut , False alarm or the real deal?
« Reply #9 on: January 03, 2008, 10:26:24 AM »
the FP was fixed today... it will come out with next VPS hopefully..

jmlima

  • Guest
Re: Win32:Virut , False alarm or the real deal?
« Reply #10 on: January 03, 2008, 12:05:34 PM »
Quote
the FP was fixed today... it will come out with next VPS hopefully..

Once again, thanks for the quick reply!  :)