Tenzarian

Wurm is being flagged by AVG on startup, New as of 1-5pm EST 5/10/2012


Was playing this morning up until 12:55pm EST today without issue. Got back around 5:00pm EST, launched Wurm, hit play, and on the "connecting to server" message AVG flags a warning about a Blackhole exploit. The session continues to launch, and it doesn't appear to hinder game play. Thought someone should know. See error message below:

BgFdT.png


I checked that address out with my setup and it is showing an address hook or redirection I am not familiar with.  Will alert the Devs about it.

So far I can state that an up to date AVG and Avast can protect you, currently I cannot confirm any other systems.  I have contacted the upper echelons and all I can state is to be cautious until they investigate what is going on.

Just for your curiosity. http://www.avgthreatlabs.com/webthreats/info/blackhole-exploit-kit/


Also getting this threat blocked with AVG - as an additional note, my Microsoft Security Essentials was *not* detecting it, nor blocking it.


I had a terrible time with Blackhole yesterday. Was running Microsoft Security Essentials, which did a very bad job of protecting me. At the time I was not sure exactly where it had come from, but I had just started playing Wurm a minute or two earlier. For some reason, the idea that I might have gotten infected from an MMO did not occur to me.

Fun thing. Before it did anything else, this virus managed to send a kill message to my monitor, fooling me into thinking I was having a hardware issue. So I was messing around with cables and such while it was merrily doing its thing on my machine. It was only when I rebooted that my monitor returned to life. And I only figured out I was infected at all from reviewing my system logs. MSE did not consider it important enough to tell me about.

I don't think I have managed to eradicate it fully yet. Seems like it's managed to get quite deep into my system.

I am not best pleased. We trust Wurm to take proper precautions against this sort of thing.


I am having massive client crashes as well as the same warning, and I also got a massive alert which blue screened me. I'm currently not going to log back in. I'm actually thinking this has to do with the gold farm thing that was mentioned in my alliance chat.


It is showing up in both stable and unstable. It is being picked up by AVG but not ESET. Which is strange. It only seems that 1 or 2 antivirus are picking it up and not all of them.


I also logged in today to get this message.

AVG blocked it. Hope to hear it's just a bug.


Well this is incredibly worrying, I have been playing and logging on and off all day, my Symantec Endpoint Protection isn't detecting anything though so either that means I haven't been exposed or it doesn't detect it...

Not sure what to make of this....

edit: let me add in info about what I'm running.

Java version: 64-bit version, v6 update 31 (build 1.6.0_31-b05)

Symantec Endpoint Protection, no detection of anything.

I launch my game with a shortcut like this: "C:\Program Files\Java\jre6\bin\javaws.exe" http://www.wurmonline.com/client/wurmclient.jnlp

No idea if I have been exposed or not, just adding info here in case it comes in handy later. I should mention I haven't noticed strange behavior of my computer; network traffic is normal as well. The only client issue I have had was that it took a bit longer than normal to log in once on one occasion (stayed on "connecting" for maybe 15 sec even though I could see on an alt that the char was already in-game), but it did connect properly after the slight delay.

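The post above launches the client through javaws with a JNLP descriptor. A JNLP file is the place where a Java Web Start launcher says which jars it will download and run, and whether it wants to run outside the sandbox, so a defender who wants to know "what code does this launcher pull, and from where?" can read it directly. The script below is an added example, not code from this thread or from the Wurm project: it parses a JNLP document, resolves every jar/nativelib/extension href against the codebase, and flags resources served from a host other than the expected one, resources fetched over plain http, and a request for all-permissions. The descriptor embedded in it is constructed for illustration and does not reproduce the real wurmclient.jnlp; the expected host is an assumption taken from the launcher URL quoted in the post.

```python
"""Audit a JNLP (Java Web Start) descriptor for where its code comes from.

Added example, not code from the Wurm project or this forum thread.
SAMPLE_JNLP is CONSTRUCTED and does not reproduce the real wurmclient.jnlp.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Assumption: the host of the launcher URL quoted in the post.
EXPECTED_HOST = "www.wurmonline.com"

# Constructed sample: a codebase, two relative jars, one jar on a foreign host,
# one extension descriptor, and an all-permissions request.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="http://www.wurmonline.com/client/" href="wurmclient.jnlp">
  <information><title>constructed sample</title></information>
  <security><all-permissions/></security>
  <resources>
    <j2se version="1.6+"/>
    <jar href="wurmclient.jar" main="true"/>
    <jar href="lib/helper.jar"/>
    <jar href="http://cdn.example.net/extra.jar"/>
    <extension href="http://www.wurmonline.com/client/ext.jnlp"/>
  </resources>
  <application-desc main-class="com.example.Main"/>
</jnlp>
"""

# Elements under <resources> whose href points at code the launcher will fetch.
CODE_TAGS = ("jar", "nativelib", "extension")


def list_resources(jnlp_text):
    """Return [(tag, absolute_url)] for every code resource in the descriptor.

    Relative hrefs are resolved against the <jnlp codebase="..."> attribute,
    exactly as Java Web Start does; absolute hrefs are left untouched.
    """
    root = ET.fromstring(jnlp_text)
    codebase = root.get("codebase", "")
    found = []
    for resources in root.iter("resources"):
        for child in resources:
            if child.tag in CODE_TAGS and child.get("href"):
                found.append((child.tag, urljoin(codebase, child.get("href"))))
    return found


def requests_all_permissions(jnlp_text):
    """True if the descriptor asks to run with full (unsandboxed) permissions."""
    root = ET.fromstring(jnlp_text)
    return root.find("security/all-permissions") is not None


def audit(jnlp_text, expected_host=EXPECTED_HOST):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for tag, url in list_resources(jnlp_text):
        parts = urlparse(url)
        if parts.hostname != expected_host:
            findings.append(f"{tag} {url}: host {parts.hostname!r} is not {expected_host!r}")
        if parts.scheme != "https":
            findings.append(f"{tag} {url}: fetched over {parts.scheme}, not https")
    if requests_all_permissions(jnlp_text):
        findings.append("descriptor requests <all-permissions/>: downloaded code runs unsandboxed")
    return findings


def foreign_host_findings(jnlp_text, expected_host=EXPECTED_HOST):
    """Only the findings about resources hosted somewhere other than expected_host."""
    return [f for f in audit(jnlp_text, expected_host) if "is not" in f]


if __name__ == "__main__":
    for tag, url in list_resources(SAMPLE_JNLP):
        print(f"{tag:10} {url}")
    print()
    for finding in audit(SAMPLE_JNLP):
        print("FINDING:", finding)
```

To check a real descriptor, download it with a browser or curl and pass its text to `audit()`; anything it lists is a question for the project, not proof of compromise. Note that with the constructed sample every resource is served over http, which is worth a finding on its own: a launcher that pulls jars over plain http can have them swapped in transit even when the publishing host itself is fine.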

I got a slightly different message, but basically the same thing when I started up the unstable client and the stable client simultaneously just a few minutes ago. Also, a few minutes before that I tried to open two stable clients and I got the blue screen of death and my computer restarted. I have AVG and the free version of Malwarebytes. I am currently doing full computer scans with AVG and Malwarebytes to see what is going on. The message popped up in an AVG dialogue. AVG has asked to move Wurm files into the vault before, but it has never full out blocked them. It hasn't appeared to affect my game play so far, I will post more about my scan results when they are done.

Nothing found in the AVG scan or the Malwarebytes scan.


I am getting this also.  As Shannara is doing, I ran full AVG, Malwarebytes and Spybot scans and nothing came up.  Is this something that only activates when a certain process runs?

Not sure to keep playing or not.  AVG says it's blocking it but it's still concerning knowing that it's there and trying to run.


The Blackhole toolkit is a serious threat. It is more than capable of installing keyloggers, destroying work, and any amount of other dangerous stuff. You may still be able to play Wurm, but that does not mean that very bad things are not happening on your computer.

If Wurm or its launcher are infected, this needs to be addressed NOW. The infected launcher should have been pulled the moment this was known, and all players notified. To allow players to continue to get infected after the threat is known is shocking!


The Blackhole toolkit is a serious threat. It is more than capable of installing keyloggers, destroying work, and any amount of other dangerous stuff.

If Wurm or its launcher are infected, this needs to be addressed NOW. The infected launcher should have been pulled the moment this was known, and all players notified.

I hear yah on that


I have a fresh install of BitDefender2012, as of yesterday, and have been off and on the game a couple of times today with no warnings. Running a full system scan now after reading this. Will post results when finished.

I know the management of this game will take this seriously and respond appropriately. Please make sure this is one "issue" that will be supported with official follow up as to the "current" efforts being made to correct this problem. IF indeed there is a problem and it is not just a false positive virus detection.

And for the record: THANK YOU for the twitter post!  ;D  That is how I got the heads up. I would rather be made aware and be cautious than be unaware and get hammered.


I am just one of the volunteer Wurm Online GM's but I am a technician by trade and this is not a false positive.  I do not believe that the client is infected or anything like that.

Bitdefender used to be one of my favorite scanners...  for now it disappoints me that only AVG and Avast seem to work on this threat that has been spreading around on the internet for a few months.

Be very cautious.  I have sent urgent messages to Rolf and the Devs.  They will see them soon.


Thank you Enki, and for what it is worth the full system scan detected no threat on my pc. I am a little foggy on the time line though and not even sure my pc, or my wife's, was exposed to the threat. My wife was just signing on when I read the message, but had not started the game as she was waiting for the launcher to finish downloading files. Needless to say we did not launch the game.

Will be patiently waiting as you guys do what you need to do.

Thank you  :)


I am not getting any messages with Panda Cloud antivirus, but I am downloading Avast right now to double check it.


I've had a look at the code that connects to that infected address, and the data it gets from it is never run.

As far as the client is concerned, it gets the data from that page, shows it in console, then discards it; it is never executed.

I would recommend not visiting that page in your browser though.

Note: From some comments saying that it has managed to infect people, I'm not willing to bet my life on my observations about it not being executed until Rolf/egal/wollschaf can have a look.


It definitely did bad things on my computer. Files were installed, the usual system file that Blackhole deletes (windows/system32/sxs.dll) was deleted, and I shudder to think what else went on that I can't locate.

I was using java 6 at the time. Perhaps that would make a difference? I expect you're using the latest version of 7, but plenty of folks are using older ones.


My AVG also alerted me to it, so for non-technical folk like myself: what are the do's and don'ts?  :-\


Do: Keep AVG updated and running

Don't: Visit the infected page in your browser

From the AVG page on this exploit:


A Blackhole Exploit isn't a downloadable virus - it's a webpage that finds a way to exploit your browsing program so that it can put malware on your machine. AVG catches Blackhole in the act - stopping it from doing harm before anything gets downloaded to your computer.

As far as the client is concerned about this, it just gets the data from that page, shows it in console, then throws it away. I am 90% sure that the client can't execute the infected code, so there is nothing for it to exploit.


Do: Keep AVG updated and running

Don't: Visit the infected page in your browser

So what is this page that we are not to visit, the online launcher? If so, I have one installed on my pc from whenever the last client update was.


I got the same thing. My client updated, and it wouldn't finish the update. I tried three times, then finally closed my browser (firefox) and the update worked. When I launched Wurm again I got the virus warning.


It's coming from a page the client connects to, to 'send data' about your game settings/hardware etc.

Although, turning off 'send data' will still connect to that site to say that you are launching the game.

