win32 Mkar.k Question

[Kevin Renn]

A couple days ago when AVG updated the signitures, it located MKAR.K in 2
files on my system.Both infected files were Electroic Arts games.
C:\program files\EA Games\MOHAA\Ereg MOHAAB\Medal of honor Allied Assault
Breakthrough_EZ.exe
C:\Program Files\EA Games\Command & Conquer Generals Zero Hour\support
\Command and Conquer Generals Zero Hour_EZ.exe

I'm a bit concerned because I didn't find MKAR.K anywere else. Could
someone tell me how MKAR.K typically infects a computer. Generally I'm
pretty careful about junk coming in to my computer. I have ZoneAlarmPro
running also.

Kevin Renn

 

[Ian Kenefick]

A couple days ago when AVG updated the signitures, it located MKAR.K in 2
files on my system.Both infected files were Electroic Arts games.
C:\program files\EA Games\MOHAA\Ereg MOHAAB\Medal of honor Allied Assault
Breakthrough_EZ.exe
C:\Program Files\EA Games\Command & Conquer Generals Zero Hour\support
\Command and Conquer Generals Zero Hour_EZ.exe

I'm a bit concerned because I didn't find MKAR.K anywere else. Could
someone tell me how MKAR.K typically infects a computer. Generally I'm
pretty careful about junk coming in to my computer. I have ZoneAlarmPro
running also.

Kevin Renn

Might be a flase positive. Send the executables to grisoft for
analysis. They should rectify these if they are inded falsly
identified as virus.

Regards,
Ian Kenefick
http://www.ik-cs.com

 

[David H. Lipman]

I saw a post on this infector recently and found no real information on it.

W32/Mkar.gen -- http://vil.nai.com/vil/content/v_126622.htm
W32/Mkar.a -- http://vil.nai.com/vil/content/v_130636.htm

They were also using AVG. Could it be a False Poistive ?

Please submit the two EA Games executables to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against several different AV vendor's scanners.

Another way to submit is to send the suspect file to the following email address
scan<at>virustotal.com
{ replace <at> with @ } with only the word SCAN as the subject.

Please post back the EXACT results.

--
Dave




| A couple days ago when AVG updated the signitures, it located MKAR.K in 2
| files on my system.Both infected files were Electroic Arts games.
| C:\program files\EA Games\MOHAA\Ereg MOHAAB\Medal of honor Allied Assault
| Breakthrough_EZ.exe
| C:\Program Files\EA Games\Command & Conquer Generals Zero Hour\support
| \Command and Conquer Generals Zero Hour_EZ.exe
|
| I'm a bit concerned because I didn't find MKAR.K anywere else. Could
| someone tell me how MKAR.K typically infects a computer. Generally I'm
| pretty careful about junk coming in to my computer. I have ZoneAlarmPro
| running also.
|
| Kevin Renn

 

[David H. Lipman]

Ian:

You beat me to it ;-)

I suggested Virus Total so it will be tested against several AV vendors.

--
Dave




| On Mon, 21 Feb 2005 15:33:30 -0600, Kevin Renn <[email protected]>
| wrote:
|
| >A couple days ago when AVG updated the signitures, it located MKAR.K in 2
| >files on my system.Both infected files were Electroic Arts games.
| >C:\program files\EA Games\MOHAA\Ereg MOHAAB\Medal of honor Allied Assault
| >Breakthrough_EZ.exe
| >C:\Program Files\EA Games\Command & Conquer Generals Zero Hour\support
| >\Command and Conquer Generals Zero Hour_EZ.exe
| >
| >I'm a bit concerned because I didn't find MKAR.K anywere else. Could
| >someone tell me how MKAR.K typically infects a computer. Generally I'm
| >pretty careful about junk coming in to my computer. I have ZoneAlarmPro
| >running also.
| >
| >Kevin Renn
|
| Might be a flase positive. Send the executables to grisoft for
| analysis. They should rectify these if they are inded falsly
| identified as virus.
|
| Regards,
| Ian Kenefick
| http://www.ik-cs.com

 

[Ian Kenefick]

Ian:

You beat me to it ;-)

I suggested Virus Total so it will be tested against several AV vendors.

Yeah, there was less than 60 secs between our posts

Regards,
Ian Kenefick
http://www.ik-cs.com

 

[bassbag]

A couple days ago when AVG updated the signitures, it located MKAR.K in 2
files on my system.Both infected files were Electroic Arts games.
C:\program files\EA Games\MOHAA\Ereg MOHAAB\Medal of honor Allied Assault
Breakthrough_EZ.exe
C:\Program Files\EA Games\Command & Conquer Generals Zero Hour\support
\Command and Conquer Generals Zero Hour_EZ.exe

I'm a bit concerned because I didn't find MKAR.K anywere else. Could
someone tell me how MKAR.K typically infects a computer. Generally I'm
pretty careful about junk coming in to my computer. I have ZoneAlarmPro
running also.

Kevin Renn

see...
http://www.wilderssecurity.com/showthread.php?t=67323
me

 

[Kevin Renn]

Thanks everybody for the quick reply. It sounds like false positives
from the posts and the links. I'm trying to submit the files, but AVG
moved them to the virus vault, and I don't know where that is. I'm
looking and I'll submit them (when I find them) and see.

I guess this is a common problem with AVG and EA games.

Kevin Renn

lso.

 

[Kevin Renn]

Well, the results are in. It's a false positive (unless AVG is right and
everyone else is wrong).


Results of a file scan
This is the report of the scanning done over
"Medal_of_Honor_Allied_Assault_Breakthrough_EZ.exe" file that VirusTotal
processed on 02/22/2005 at 03:14:43 (CET).

Antivirus Version Update Result
AntiVir 6.29.0.16 02.21.2005 no virus found
AVG 718 02.21.2005 no virus found
BitDefender 7.0 02.22.2005 no virus found
ClamAV devel-20050130 02.22.2005 no virus found
DrWeb 4.32b 02.21.2005 no virus found
eTrust-Iris 7.1.194.0 02.21.2005 no virus found
eTrust-Vet 11.7.0.0 02.21.2005 no virus found
Fortinet 2.51 02.22.2005 no virus found
F-Prot 3.16a 02.21.2005 no virus found
Ikarus 2.32 02.21.2005 no virus found
Kaspersky 4.0.2.24 02.22.2005 no virus found
NOD32v2 1.1005 02.21.2005 no virus found
Norman 5.70.10 02.21.2005 no virus found
Panda 8.02.00 02.21.2005 no virus found
Sybari 7.5.1314 02.22.2005 no virus found
Symantec 8.0 02.21.2005 no virus found

This is the report of the scanning done over
"Command_and_Conquer_Generals_Zero_Hour_EZ.exe" file that VirusTotal
processed on 02/22/2005 at 03:17:58 (CET).

Antivirus Version Update Result
AntiVir 6.29.0.16 02.21.2005 no virus found
AVG 718 02.21.2005 no virus found
BitDefender 7.0 02.22.2005 no virus found
ClamAV devel-20050130 02.22.2005 no virus found
DrWeb 4.32b 02.21.2005 no virus found
eTrust-Iris 7.1.194.0 02.21.2005 no virus found
eTrust-Vet 11.7.0.0 02.21.2005 no virus found
Fortinet 2.51 02.22.2005 no virus found
F-Prot 3.16a 02.21.2005 no virus found
Ikarus 2.32 02.21.2005 no virus found
Kaspersky 4.0.2.24 02.22.2005 no virus found
NOD32v2 1.1005 02.21.2005 no virus found
Norman 5.70.10 02.21.2005 no virus found
Panda 8.02.00 02.21.2005 no virus found
Sybari 7.5.1314 02.22.2005 no virus found
Symantec 8.0 02.21.2005 no virus found

 

[David H. Lipman]

It was too much of a coincidence that two EA Games would be flagged and not a file in the
OS.

I'm glad it was a False Positive declaration but now Grisoft needs to know.

Interesting how AVG doesn't flag it on Virus Total..

"AVG 718 02.21.2005 no virus found"

What is the version of AVG and the definitions you are using ?

--
Dave




| Well, the results are in. It's a false positive (unless AVG is right and
| everyone else is wrong).
|
|
| Results of a file scan
| This is the report of the scanning done over
| "Medal_of_Honor_Allied_Assault_Breakthrough_EZ.exe" file that VirusTotal
| processed on 02/22/2005 at 03:14:43 (CET).

< Clean results snipped >

 

[Kevin Renn]

Interesting how AVG doesn't flag it on Virus Total..

"AVG 718 02.21.2005 no virus found"

What is the version of AVG and the definitions you are using ?

Program Version:7.0.300 (Free Version)
Signiture Version 266.4.0 (2-22-05) (it updated when I started it up
today so I don't know the version that hit on the EA files was)

 

[David H. Lipman]

I contacted the other poster in another News Group and he indicated ...

"Yep, it was in an EA game"

--
Dave




|
| >
| > Interesting how AVG doesn't flag it on Virus Total..
| >
| > "AVG 718 02.21.2005 no virus found"
| >
| > What is the version of AVG and the definitions you are using ?
|
|
| Program Version:7.0.300 (Free Version)
| Signiture Version 266.4.0 (2-22-05) (it updated when I started it up
| today so I don't know the version that hit on the EA files was)
|
|
|
|