Author Topic: fire.dll  (Read 8879 times)


lineager

  • Guest
fire.dll
« on: October 30, 2009, 01:33:22 PM »
Hi guys, I need some help. I'm devoted Lineage 2 player and I spent a lot of time playing the game on a famous server. A week ago the developers of server implemented a hack defence and since to log in the game you should download a file named "fire.dll" My avast! Home edition version 4.8 shows that this file is a malware.

My friends that I play with assured me this is not a malware but a program checking the game features. I would like to know if this is malware or not.

http://i.imagehost.org/0825/fire_virus.jpg


Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • Thinking with Portals
Re: fire.dll
« Reply #1 on: October 30, 2009, 01:42:19 PM »
Hi lineager and welcome to the forums,

 You may submit fire.dll to VirusTotal for further analysis. Please give us a link to the results. Thank you.
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

Offline Sirmer

  • Avast team
  • Sr. Member
Re: fire.dll
« Reply #2 on: October 30, 2009, 01:59:52 PM »
Hi, welcome to the forum.
You can send it to virus@avast.com (zipped, with the password in the email) or report it as a false positive from avast.

lineager

  • Guest
Re: fire.dll
« Reply #3 on: October 30, 2009, 02:48:07 PM »
the results: http://www.virustotal.com/analisis/552a8eb0936dc67e461b8cf50bf58fbac6a0ab3b7213d0cccee6d821a4f852ca-1256883373

I'll also send it to virus@avast.com as a .rar archive, if that is OK.
« Last Edit: October 30, 2009, 02:51:20 PM by lineager »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • malware fighter
Re: fire.dll
« Reply #4 on: October 30, 2009, 03:55:36 PM »
Hi lineager,

This could be flagged by various generic scanners because Themida file protection was used, which is also a method used by malcreants to evade malware scanners.
Quote
I'm a developer in Oreans Technologies and we have developed Themida to protect applications against cracking. We are receiving many complaints from our clients saying that NOD32 and other av scanners report their applications as potential threat (Win32/Packed.Themida)
 
This is why McAfee treats Themida protected software as malware:
Quote
After a lot of research we have definitely got a Themida protected virus. A version of Opanki that is named WINSONY.EXE.

Themida is preventing McAfee from stopping it.

We have determined that Themida is too dangerous to our environment to allow any product protected by Themida on the network. We can not have 27,000 nodes exposed to such a threat.

The only string in the infected executables that can be detected is "themida"

So we have asked McAfee to treat any executable with the Themida string as a virus.

Just like we can't blame the gun manufacturers for the people that use guns to commit crimes, we can not blame the writers of Themida.

However, we do have a company policy where guns are not allowed, so the same will now go for Themida as well.

It is my opinion that the writers of Themida have a responsibility to collaborate with the Anti-Virus companies to come up with a solution that allows for their legitimately protected clients to operate while allowing the Virus Scan tools to destroy evilware.
Also read this: http://isc.sans.org/diary.html?storyid=1871

You could analyse the file at Wepawet:  http://wepawet.cs.ucsb.edu/  , if not malicious you can exclude the file from being flagged...

This DLL is Protected by Themida Software Protector.

Themida consists of many protections, such as code splicing, code virtualization, memory isolation, debugger blocking, IP redirection, import redirection and other obscure methods to protect a file (not counting encryption).

Can it be unpacked? Yep, but this would take much time, and I'm not sure it would even be worth the time to reverse engineer.

Fire.dll is a DLL created by Hint (TheTester) in postpacific; at least the old one was by TheTester...

His DLL connects to his authd, using some add-ons to the original protocol, where he is going to protect your server using that parallel protocol, which can be emulated or copied, but that's another story and is taking us off-topic. So I leave it at this; you have the full picture by now, I guess.

polonus (malware fighter)

« Last Edit: October 30, 2009, 04:25:21 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
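The advice above amounts to: hash the file, look the hash up on VirusTotal, and check whether the "malware" verdict is really just a packer (Themida) heuristic. Below is an added example of that first-pass offline triage in Python; it is not code from this thread, from avast, or from the fire.dll author. It walks the PE section table with the standard library only, reports per-section Shannon entropy (packed or encrypted sections sit near 8 bits/byte), searches for Themida/WinLicense marker strings, and prints the SHA-256 you would search for on VirusTotal. The marker list, the 7.0 entropy threshold and the sample DLL image it builds for itself are assumptions and constructed inputs, not signatures from any AV product.

```python
"""Offline first-pass triage of a suspicious packed DLL.

Added example for this thread (not the thread's or fire.dll's own code).
PACKER_MARKERS, HIGH_ENTROPY and the constructed sample PE are assumptions."""
import hashlib
import math
import struct

# Byte patterns commonly left behind in Themida/WinLicense-protected images.
# Assumption for illustration: a hit is a hint that the file is packed, not a verdict.
PACKER_MARKERS = {
    b".themida": "Themida section name",
    b".winlice": "WinLicense section name",
    b"themida": "Themida string",
    b"winlicense": "WinLicense string",
}
HIGH_ENTROPY = 7.0  # bits/byte; compressed or encrypted data is close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Minimal PE section-table walk. Returns [(section_name, raw_bytes)] in file order."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size            # COFF file header is 20 bytes
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i                 # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def triage(pe: bytes) -> dict:
    """SHA-256 (the value to search for on VirusTotal), packer hits, per-section entropy."""
    lowered = pe.lower()
    hits = sorted(label for marker, label in PACKER_MARKERS.items() if marker in lowered)
    entropy = {name: round(shannon_entropy(data), 2) for name, data in parse_sections(pe)}
    high = [name for name, e in entropy.items() if e > HIGH_ENTROPY]
    return {
        "sha256": hashlib.sha256(pe).hexdigest(),
        "packer_hits": hits,
        "section_entropy": entropy,
        "high_entropy_sections": high,
        "likely_packed": bool(hits or high),
    }


def build_sample_pe(sections) -> bytes:
    """Constructed test input: a minimal, non-runnable PE32 DLL image with the given
    [(name, data)] sections, so the triage can be exercised without a real sample."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew -> "PE\0\0"
    opt_size = 0xE0                                             # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    table_off = 0x40 + 4 + 20 + opt_size
    raw_off = (table_off + 40 * len(sections) + 0x1FF) & ~0x1FF  # 512-byte file alignment
    headers, body = bytearray(), bytearray()
    for idx, (name, data) in enumerate(sections):
        padded = data + b"\0" * (-len(data) % 0x200)
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                               0x1000 * (idx + 1), len(padded), raw_off + len(body),
                               0, 0, 0, 0, 0x60000020)          # code | execute | read
        body += padded
    image = dos + b"PE\0\0" + coff + opt + headers
    image += b"\0" * (raw_off - len(image))
    return bytes(image + body)


# Constructed inputs: a low-entropy "code" section and a deterministic pseudo-random
# blob under a Themida-style section name, standing in for an encrypted payload.
PLAIN_CODE = bytes(range(64)) * 64
PACKED_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))


def demo() -> dict:
    """Triage the constructed Themida-style sample."""
    return triage(build_sample_pe([(b".text", PLAIN_CODE), (b".themida", PACKED_BLOB)]))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

To use it on a real file, replace `demo()` with `triage(open("fire.dll", "rb").read())`. A packed verdict here only tells you the file is protected the way polonus describes; it does not tell you whether the protected code is malicious, which is exactly why the thread's advice is to submit the file to the vendor rather than to rely on a string or entropy heuristic either way.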

lineager

  • Guest
Re: fire.dll
« Reply #5 on: October 30, 2009, 04:54:23 PM »
L'arc, Sirmer, Polonus, thank you for helping me.

Polonus, http://wepawet.cs.ucsb.edu/ analyses only Flash and Java/PDF files. Could you recommend me some other engine for virus analysis? Thank you.

Offline nmb

  • Avast Evangelist
  • Massive Poster
Re: fire.dll
« Reply #6 on: October 30, 2009, 05:33:15 PM »

lineager

  • Guest
Re: fire.dll
« Reply #7 on: October 30, 2009, 06:49:21 PM »
thank you nmb

Offline nmb

  • Avast Evangelist
  • Massive Poster
Re: fire.dll
« Reply #8 on: October 31, 2009, 03:42:29 AM »