exe files NOT infected with trojans !!!

Posted: Wed May 07, 2003 3:24 pm
by Yager One

Re: exe files infected with trojans

Posted: Wed May 07, 2003 3:51 pm
by Dominus
by a mistake of your scanner software. Didn't know it affected NAV as well...
The other possibility is that your computer is infected.
Which version of NAV is it and are your Virus definitions up to date?

Re: exe files infected with trojans

Posted: Wed May 07, 2003 3:53 pm
by Yager One
It's NAV 2002 and yes, it is up to date. This trojan is new to Symantec.

Re: exe files infected with trojans

Posted: Wed May 07, 2003 3:58 pm
by Achile Dragon
Weird, I have AVG and it doesn't detect any virus

Achile

Re: exe files infected with trojans

Posted: Wed May 07, 2003 4:28 pm
by Hydroeric
I received a similar warning today.

I screen captured it here: http://eriru.com/images/ExultVirus.gif

Re: exe files infected with trojans

Posted: Wed May 07, 2003 5:15 pm
by Kirben
Some poor anti-virus software still continues to falsely detect any self-extracting files created with SFX Maker as being a trojan. Just ignore the warning; the warning is only given for the self-extracting file itself and not the files inside.
I use Vet anti-virus myself, which is updated almost daily, and never had a virus reported on my snapshots.

Re: exe files infected with trojans

Posted: Thu May 08, 2003 1:59 am
by shafted
i have just downloaded the latest norton anti virus definitions and it discovered exult v1.00 is infected with the "backdoor.IRC.Dr" virus which has been detected as a new threat by symantec but not much info is described about it.
i have NAV 2002 and it's one of the best virus scanners out there.
this may be a bug in NAV that may get corrected soon but i'm not taking any chances.

but NAV has before detected, such as important system files saying it's a virus when actually it was just a bug in the virus scanner that was fixed in the next update

Re: exe files infected with trojans

Posted: Thu May 08, 2003 3:27 am
by Dominus
Okay, all together now:
THERE IS NO VIRUS IN THE WIN32 PACKAGE FOR EXULT!
(repeat 5 times, if still in doubt, repeat it another 50 times)

Just read what Kirben wrote. He is the snapshot and release package provider.
If you still don't believe him, download SFX Maker and make an SFX (self extracting) package yourself. Then let NAV run on it.
You'll see you have another "virus".
If you are still hesitant, download winzip, winace or winrar and extract the package manually. This way a virus in the exe can not get executed (if you still believe there is a virus repeat the above another 100 times).

Re: exe files infected with trojans

Posted: Fri May 09, 2003 3:13 am
by Dominus
a suggestion why some Anti-Virus programs claim that exult got infected with a virus:
Anti-Virus programs search for a certain pattern to tell if a file got infected. Unfortunately that new virus seems to have a similar pattern like self-extracting archives made with sfx-maker.
No other explanation fits as it is just not likely that a program that was uploaded half a year ago got infected with a very new virus.
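
The pattern-matching explanation above, as an added example that is not part of the original thread: a byte signature cut from the extractor stub shared by every archive built with the same SFX tool flags clean packages too, while one cut from the payload does not. All byte strings, the detection name and the helper names are constructed for illustration.

```python
# Constructed sample data: no bytes here come from a real SFX stub or malware.
STUB = b"MZ" + b"\x90" * 6 + b"SFXSTUB:unpack-loop:v1" + b"\x00" * 4  # shared extractor
BENIGN = STUB + b"PAYLOAD:game-data-files"       # clean self-extracting package
FLAGGED = STUB + b"PAYLOAD:irc-backdoor-body"    # stand-in for the sample a vendor analysed

def find_all(data, pattern):
    """Return every offset at which pattern occurs in data."""
    hits, pos = [], data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits

def scan(data, signatures):
    """Naive signature scan: detection name -> list of match offsets."""
    result = {}
    for name, sig in signatures.items():
        offsets = find_all(data, sig)
        if offsets:
            result[name] = offsets
    return result

def classify(data, signatures, stub_len):
    """Triage each hit by whether it lies wholly inside the shared stub."""
    verdicts = {}
    for name, offsets in scan(data, signatures).items():
        sig_len = len(signatures[name])
        stub_only = all(off + sig_len <= stub_len for off in offsets)
        verdicts[name] = "stub-only, likely false positive" if stub_only else "payload match"
    return verdicts

# Signature cut from the flagged sample's stub region: present in every such archive.
WEAK = {"Backdoor.Example": FLAGGED[8:24]}
# Signature cut from bytes unique to the flagged payload.
STRONG = {"Backdoor.Example": b"irc-backdoor-body"}

if __name__ == "__main__":
    for label, sigs in (("weak", WEAK), ("strong", STRONG)):
        for fname, blob in (("benign", BENIGN), ("flagged", FLAGGED)):
            print(label, fname, classify(blob, sigs, len(STUB)))
```

The weak signature gives the same verdict for both files, which is why a match that sits entirely inside a packer or extractor stub says nothing about the packaged contents.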

Re: exe files NOT infected with trojans !!!

Posted: Sat May 10, 2003 3:29 am
by drk
actually dominus, any files can be infected at any time if the server or computer has an active virus on it. but i seriously doubt that's the case. norton has been known to constantly misread files because of the new definition files constantly being downloaded. and you are right on the patterns, like if a program is made that has a built in send mail function for smtp or interacting with another type of mail service, it will be picked up as a password stealer trojan by any virus detector unless the programmer took steps to make sure it wasn't mistaken as one. it's amazing how one person being paranoid over a file can cause such a problem..

Re: exe files NOT infected with trojans !!!

Posted: Sat May 10, 2003 7:09 am
by E_Jim
I don't think that being careful equals being paranoid... It's just that when you pay for a supposedly good antivirus program, you tend to believe it when it warns you about a virus. Anyway, it's good that this has been made clear.

BTW, has anyone written to symantec about this?

Re: exe files NOT infected with trojans !!!

Posted: Sun May 11, 2003 6:17 am
by Skutarth
I believe E_Jim's solution is the best one. Even send the file to them and ask them if it's really infected!

Just follow the problem to the roots. Email Symantec or Norton about this.

Re: exe files NOT infected with trojans !!!

Posted: Tue May 13, 2003 12:31 pm
by wjp
According to a post on the scummvm forums Symantec is aware of the problem, and it shouldn't occur anymore with new virus definitions.

http://sourceforge.net/forum/forum.php? ... _id=115757

(The scummvm snapshots are created by Kirben as well, with the same program as the Exult snapshots.)

Re: exe files NOT infected with trojans !!!

Posted: Sun Aug 03, 2003 10:28 am
by vladim
f-prot (under linux) with the last updates also said it found a suspicious file with exult-1.00-win32.exe.

The report of f-prot:

[root@localhost serge]# f-prot /home/serge/Desktop/test -archive -dumb -packed
Virus scanning report - 3 August 2003 @ 21:23

F-PROT ANTIVIRUS
Program version: 4.1.1
Engine version: 3.13.3

VIRUS SIGNATURE FILES
SIGN.DEF created 1 August 2003
SIGN2.DEF created 2 August 2003
MACRO.DEF created 28 July 2003

Search: /home/serge/Desktop/test
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED

/home/serge/Desktop/test/exult-1.00-win32.exe is a security risk named W32/RPC-1(part)

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1
Infected: 0
Suspicious: 1
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:00

Re: exe files NOT infected with trojans !!!

Posted: Sun Aug 03, 2003 11:38 am
by Dominus
well, but just suspicious.

Re: exe files NOT infected with trojans !!!

Posted: Sun Aug 03, 2003 4:12 pm
by vladim
i sent the file to the viruslab of f-prot and i'm waiting for the result...

Re: exe files NOT infected with trojans !!!

Posted: Mon Aug 04, 2003 2:55 am
by wjp
RPC-1 is an exploit of the windows RPC vulnerability found last month (according to this). I seriously doubt we managed to produce that exploit when we released 1.0 ;-)

Re: exe files NOT infected with trojans !!!

Posted: Mon Aug 11, 2003 1:46 pm
by vladim
hello,
i received an answer from the viruslab of fprot:

"Hello and thank you for your submission.

This will be fixed.

Don't hesitate to email us if you have any further questions.


Best regards,

Fjalar
_______________________________________
Sigurdur Fjalar Sigurdarson
Virus Analyst
viruslab@f-prot.com
FRISK Software Int. http://www.f-prot.com"

I updated f-prot and obtained the following result:

[root@localhost f-prot]# f-prot /home/serge/Desktop/test -archive -dumb -packed
Virus scanning report - 12 August 2003 @ 0:35

F-PROT ANTIVIRUS
Program version: 4.1.2
Engine version: 3.13.4

VIRUS SIGNATURE FILES
SIGN.DEF created 11 August 2003
SIGN2.DEF created 11 August 2003
MACRO.DEF created 11 August 2003

Search: /home/serge/Desktop/test
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED


Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 35

Time: 0:00

No viruses or suspicious files/boot sectors were found.

there is no problem with the exult-1.00-win32 installation file, it was a false positive of f-prot...

Re: exe files NOT infected with trojans !!!

Posted: Mon Aug 11, 2003 1:54 pm
by Dominus
how surprising.

Re: exe files NOT infected with trojans !!!

Posted: Tue Aug 12, 2003 5:59 am
by Wizardry Dragon
Hehe, well, if the Exult downloads were all corrupted with viruses, would we still be here chatting about it? :)

~ Wizardry Dragon

Re: exe files NOT infected with trojans !!!

Posted: Sat Aug 16, 2003 11:22 am
by wjp
Thanks for reporting this to f-prot and getting it fixed.