Ground this Jet


Dan Honeycutt
Posts: 5258
Joined: Mon Feb 27, 2006 4:31 pm
Location: Atlanta, Georgia

Ground this Jet

Post by Dan Honeycutt »

Hi all,

When I released Cupcake a few years back we (Jim Ablett and I) did a Jet version for those who did not have the latest version of Java. For those not familiar, Jet is a utility that makes a Windows executable from a Java source.

Anyway, a few weeks ago my computer started exhibiting some odd behavior and it was obvious that I had a virus. After some detective work it turned out that the culprit was the Jet runtime library. If you have used the Jet version of Cupcake (or the Jet version of any other Java application) I suggest you check your system. The filename is XKRN37043.DLL. I found it with Malwarebytes after a couple other virus scans failed to find anything.

I don't know if the file was corrupt from the start or something else corrupted it. Jim, if you read this, maybe you can check your download pages. I thought Jet was a fairly popular and well-thought-of program.

Best
Dan H.
fern
Posts: 8755
Joined: Sun Feb 26, 2006 4:07 pm

Re: Ground this Jet

Post by fern »

Man, glad to see you, even if for a matter of jet lag

Fern
tmokonen
Posts: 1296
Joined: Sun Mar 12, 2006 6:46 pm
Location: Kelowna
Full name: Tony Mokonen

Re: Ground this Jet

Post by tmokonen »

What sort of odd behavior were you experiencing? I know my antivirus (Avast) has flagged a number of different JA compiles as viruses, but this antivirus program is also known for sometimes causing false alarms.

I uploaded the XKRN37043.DLL file that was distributed with Cupcake 1.1 JA, dated March 22, 2012, 2,125,312 bytes in size, CRC 16C62263, to the VirusTotal web site, which tests an uploaded file against a wide array of different antivirus programs. The file had already been previously analyzed by someone else, but I reanalyzed it with the latest versions of antiviruses. Three antivirus programs had flagged it as a virus, Malwarebytes being one of them:

CMC: Hoax.Win32.BadJoke.ScreenFlicker!O (20140312)
Malwarebytes: Spyware.OnlineGames.Gen (20140312)
McAfee-GW-Edition: Heuristic.BehavesLike.Win32.Suspicious-BAY.O (20140312)

I kind of suspect that this is a false positive. I know that you can send files to the Malwarebytes team, and they can determine for sure whether it's a false positive or not.
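The identity check described in the post above (same byte count and CRC before comparing scan results), as an added example that is not part of the original posts: it streams a file once, computes size, CRC-32 and SHA-256, and compares them with reference values. The function names and the SHA-256 comparison are assumptions of this example; the thread quotes only the size and CRC, and the sample file is constructed.

```python
import hashlib
import os
import tempfile
import zlib

# Values quoted in the thread for XKRN37043.DLL as shipped with Cupcake 1.1 JA.
THREAD_SIZE = 2_125_312
THREAD_CRC32 = "16C62263"


def fingerprint(path, chunk_size=1 << 20):
    """Stream a file once and return its size, CRC-32 and SHA-256."""
    size, crc, sha = 0, 0, hashlib.sha256()
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            size += len(chunk)
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
    return {"size": size, "crc32": f"{crc & 0xFFFFFFFF:08X}", "sha256": sha.hexdigest()}


def same_file(fp, size, crc32, sha256=None):
    """Compare a fingerprint with reference values (hypothetical helper).

    Returns "mismatch", "match-weak" (size and CRC-32 only) or
    "match-strong" (SHA-256 also agrees). CRC-32 is an error-detection
    code, not a cryptographic hash, so only the strong match proves identity.
    """
    if fp["size"] != size or fp["crc32"] != crc32.upper():
        return "mismatch"
    if sha256 is None:
        return "match-weak"
    return "match-strong" if fp["sha256"] == sha256.lower() else "mismatch"


def demo():
    """Run the comparison on a constructed sample file (not the real DLL)."""
    data = b"constructed sample bytes, not the real DLL\n" * 1000
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    try:
        fp = fingerprint(tmp.name)
    finally:
        os.unlink(tmp.name)
    # Second result: the sample against itself; third: against the thread's values.
    return fp, same_file(fp, fp["size"], fp["crc32"]), same_file(fp, THREAD_SIZE, THREAD_CRC32)


if __name__ == "__main__":
    print(demo())
```

To check a local copy, call `fingerprint()` on its path and pass the result to `same_file()` with `THREAD_SIZE` and `THREAD_CRC32`; a "match-weak" result means the size and CRC agree with the thread's figures, and the SHA-256 it prints is the value to exchange for a stronger comparison.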
Dan Honeycutt
Posts: 5258
Joined: Mon Feb 27, 2006 4:31 pm
Location: Atlanta, Georgia

Re: Ground this Jet

Post by Dan Honeycutt »

tmokonen wrote: What sort of odd behavior were you experiencing?

Hi Tony,

First, we are looking at the same file. My date has changed to current but the bytes and checksum are the same.

It could be a false positive. I haven't used that file in 3 years or so and I have had no indication of any suspicious activity during that time - at least up until about 3 weeks ago. Several people (a couple of them CCC members) sent me notice that they had received a spam mailing from my email account. I figured someone had phished my password so I changed it hoping that would be the end of it. But then, a few days ago, I - my account - sent out another spam mailing.

I figured it must be a keylogger. Yahoo boots you out every few weeks so you have to log in anew. The time between spam mailings was about the right amount for me to get booted, log in again and have a keylogger pick up my password.

First I ran an old version of McAfee (it's old because I got mad at them and quit paying for updates). After dunning me yet again it ran a scan and found no threats. I figured I better use something new so I typed "get rid of keylogger" into my browser search box. To my amazement Firefox hung - it just sat there with the circle spinning. I tried the phrase in my laptop to see if I had stumbled across some sort of egg but results came up immediately just as you'd expect. I tried a second time with my desktop and got the same result. Whatever was infecting me wasn't going to let me search for a way to kill it.

From my laptop search results I first tried Microsoft Security Basics. It took half an afternoon to do a full scan and found nothing. Next was Malwarebytes which found the XKRN file. I had my doubts due to the age as I noted above. But after Malwarebytes quarantined the file and rebooted me I typed my test phrase into Firefox again - and this time it worked fine.

A final note - I play a game that has a feature where it will sync your saved games with the cloud. That feature never worked for me so I turned it off. After this virus hunt I thought "hmmm...." and turned the cloud sync back on. Lo and behold, it worked for the first time ever.

So I'm cautiously optimistic that I've cured the problem. We'll see. If anyone here gets a spam email from me, let me know.

Best
Dan H.
Sylwy
Posts: 4465
Joined: Fri Apr 21, 2006 4:19 pm
Location: IASI - the historical capital of MOLDOVA
Full name: SilvianR

Re: False positive-by far-Maestro Dan !!!

Post by Sylwy »

Hello !

I tested this file with:

-Microsoft Forefront Endpoint Protection;
-Bitdefender 2014;
-Avira Antivirus Suite 2014;

.....and the file is OK !

Otherwise I run intensively Cupcake 1.1b:

http://talkchess.com/forum/viewtopic.ph ... 79&t=51043
http://talkchess.com/forum/viewtopic.ph ... 95&t=51043
http://talkchess.com/forum/viewtopic.ph ... 13&t=51043

..............and (unfortunately for some here :roll: ) I'm still alive ! :lol:


SilvianR :wink:
Dan Honeycutt
Posts: 5258
Joined: Mon Feb 27, 2006 4:31 pm
Location: Atlanta, Georgia

Re: False positive-by far-Maestro Dan !!!

Post by Dan Honeycutt »

Sylwy wrote: ..............and (unfortunately for some here :roll: ) I'm still alive ! :lol:

Whew. I'm glad you're still alive, Ruxy. I knew these virus things were a pain in the ass but I didn't realize they could be fatal.

Following Tony's suggestion I've sent the file to Malwarebytes. When/if I hear something back I'll post here.

Best
Dan H.
Dan Honeycutt
Posts: 5258
Joined: Mon Feb 27, 2006 4:31 pm
Location: Atlanta, Georgia

Re: False positive-by far-Maestro Dan !!!

Post by Dan Honeycutt »

As I noted above, I sent the file to Malwarebytes and explained what I had done. They wrote back and asked that I update to make sure I had the latest database and then run a scan with a /developer command line switch and then send them the log of that.

I updated and ran a normal scan - no change, the same file showed up. Then I ran a scan with the /developer switch and nothing showed up. I sent them the log and asked why the normal and /developer scans would give different results. They came back and said they had determined that it was a false positive and they would fix it in the next update. They didn't answer my question about why the results were different.

Best
Dan H.