Worrying? Info about Second_Life_5_0_9_329906_i686 viewer
#1
Dear friends and honours,

I have just checked Second_Life_5_0_9_329906_i686_Setup.exe (just downloaded from the very SL site) with antivirus-antimalware analyzing magical spells. As a result, I had to do my hair again because my hair stood on end LOL

The pixie of magical spells revealed to me information that I do not know whether to worry about or not. And that is why I beg you for your kind, invaluable and wise experience.

For example:

1) About persistence things, my pixie says that the SL software "Modifies auto-execute functionality by setting/creating a value in the registry" and "Writes data to a remote process"

2) About fingerprints, my pixie says that the SL software "reads the active computer name" and "reads the cryptographic machine GUID"

3) About Network behavior says that it contacts the domain install.secondlife.com with IP 216.82.8.58, from Ascio Technologies, Inc Organization: Linden Research, Inc. Name Server: NS1.P19.DYNECT.NET in USA.

4) My pixie also develops the previous warnings and points out as malicious or suspicious indicators the following:

1/74 Antivirus vendors marked dropped file "libblend_plugin.dll" as malicious (classified as "Trojan.WisdomEyes.16070401.9500" with 1% detection rate)
1/72 Antivirus vendors marked dropped file "msvcp120.dll" as malicious (classified as "Adware.Mobogenie.A" with 1% detection rate)
With a relevance of 10/10.

Installation/Persistance. Writes data to a remote process: 
"<Input Sample>" wrote 32 bytes to a remote process "%WINDIR%\explorer.exe" (Handle: 708)
"<Input Sample>" wrote 52 bytes to a remote process "%WINDIR%\explorer.exe" (Handle: 708)
"<Input Sample>" wrote 4 bytes to a remote process "%WINDIR%\explorer.exe" (Handle: 708)
"<Input Sample>" wrote 8 bytes to a remote process "%WINDIR%\explorer.exe" (Handle: 708)
the source being an API call, with a relevance of 6/10

Environment Awareness. Reads the active computer name. Details:

"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"explorer.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")

About the problem of reading the cryptographic machine GUID:

"explorer.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID"). Registry Access relevance 10/10
  • General
    Reads configuration files. Details: "<Input Sample>" read file "%USERPROFILE%\Desktop\desktop.ini". Source: API Call. Relevance: 4/10.

  • Installation/Persistance. Drops executable files. Details:
    "libblend_plugin.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
    "libdmo_plugin.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
    "libvoc_plugin.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
    "libdrawable_plugin.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
    "libscte27_plugin.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
    "libhotkeys_plugin.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
    "libsubsdelay_plugin.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
    "libh264_plugin.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
    "libcef.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
    "libwave_plugin.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
    "libdeinterlace_plugin.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
    "libmjpeg_plugin.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
    "libtcp_plugin.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
    "libmux_mpjpeg_plugin.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
    "libcaca_plugin.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
    "libgl_plugin.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
    "libidummy_plugin.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
    "msvcp120.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    "libaudioscrobbler_plugin.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
    "liboldmovie_plugin.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
    Relevance: 10/10.

  • Installation/Persistance. Modifies auto-execute functionality by setting/creating a value in the registry. Details:
    "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SECONDLIFEVIEWER.EXE")
    "<Input Sample>" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SECONDLIFEVIEWER.EXE"; Key: "DISABLEEXCEPTIONCHAINVALIDATION"; Value: "01000000")
    Relevance: 8/10.
  • Network Related
    Uses a User Agent typical for browsers, although no browser was ever launched (Found user agent(s): NSISDL/1.2 (Mozilla)). Relevance 10/10.

  • Ransomware/Banking. The input sample dropped 2000 files (often an indicator for ransomware). Relevance 5/10.

  • System Destruction. Marks file for deletion. Details: 
    "C:\62bd71eba60698255e006f5ce7f59e2af69ff670dc2ce97df6d40370365814ba.exe" marked "%TEMP%\nsiD24A.tmp" for deletion
    "C:\62bd71eba60698255e006f5ce7f59e2af69ff670dc2ce97df6d40370365814ba.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nspD6FF.tmp" for deletion
    "C:\62bd71eba60698255e006f5ce7f59e2af69ff670dc2ce97df6d40370365814ba.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsc9B79.tmp" for deletion
    "C:\62bd71eba60698255e006f5ce7f59e2af69ff670dc2ce97df6d40370365814ba.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nspD6FF.tmp\LangDLL.dll" for deletion
    "C:\62bd71eba60698255e006f5ce7f59e2af69ff670dc2ce97df6d40370365814ba.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nspD6FF.tmp\NSISdl.dll" for deletion
    "C:\62bd71eba60698255e006f5ce7f59e2af69ff670dc2ce97df6d40370365814ba.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nspD6FF.tmp\System.dll" for deletion
    "C:\62bd71eba60698255e006f5ce7f59e2af69ff670dc2ce97df6d40370365814ba.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nspD6FF.tmp\UserInfo.dll" for deletion
    Relevance 10/10.

  • System Destruction. Opens file with deletion access rights. Details:
    "<Input Sample>" opened "%TEMP%\nsiD24A.tmp" with delete access
    "<Input Sample>" opened "%TEMP%\nspD6FF.tmp" with delete access
    "<Input Sample>" opened "%TEMP%\nsc9B79.tmp" with delete access
    "<Input Sample>" opened "%TEMP%\nspD6FF.tmp\LangDLL.dll" with delete access
    "<Input Sample>" opened "%TEMP%\nspD6FF.tmp\NSISdl.dll" with delete access
    "<Input Sample>" opened "%TEMP%\nspD6FF.tmp\System.dll" with delete access
    "<Input Sample>" opened "%TEMP%\nspD6FF.tmp\UserInfo.dll" with delete access
    "<Input Sample>" opened "%TEMP%\nspD6FF.tmp\" with delete access
    Relevance: 7/10

  • Unusual Characteristics
    • CRC value set in PE header does not match actual value. Details:
      "libdmo_plugin.dll" claimed CRC 64771 while the actual is CRC 247672
      "libvoc_plugin.dll" claimed CRC 90103 while the actual is CRC 64771
      "libdrawable_plugin.dll" claimed CRC 84499 while the actual is CRC 90103
      "libscte27_plugin.dll" claimed CRC 69953 while the actual is CRC 84499
      "libhotkeys_plugin.dll" claimed CRC 131114 while the actual is CRC 69953
      "libsubsdelay_plugin.dll" claimed CRC 85348 while the actual is CRC 131114
      "libh264_plugin.dll" claimed CRC 33367 while the actual is CRC 85348
      "libwave_plugin.dll" claimed CRC 57614 while the actual is CRC 5274125
      "libdeinterlace_plugin.dll" claimed CRC 206545 while the actual is CRC 57614
      "libmjpeg_plugin.dll" claimed CRC 83637 while the actual is CRC 206545
      "libtcp_plugin.dll" claimed CRC 30344 while the actual is CRC 83637
      "libmux_mpjpeg_plugin.dll" claimed CRC 47633 while the actual is CRC 30344
      "libcaca_plugin.dll" claimed CRC 848541 while the actual is CRC 47633
      "libgl_plugin.dll" claimed CRC 131792 while the actual is CRC 848541
      "libidummy_plugin.dll" claimed CRC 86415 while the actual is CRC 131792
      "msvcp120.dll" claimed CRC 489709 while the actual is CRC 86415
      "libaudioscrobbler_plugin.dll" claimed CRC 117859 while the actual is CRC 489709
      "liboldmovie_plugin.dll" claimed CRC 89433 while the actual is CRC 117859
      "libaccess_output_file_plugin.dll" claimed CRC 27940 while the actual is CRC 89433
      "libudp_plugin.dll" claimed CRC 64546 while the actual is CRC 27940
      Relevance: 10/10.

    • Imports suspicious APIs. Details:
      GetTickCount, VirtualProtect, UnhandledExceptionFilter, GetProcAddress, GetModuleHandleA, TerminateProcess, Sleep, LoadLibraryA, GetModuleHandleW,
      closesocket, CreateFileA, CopyFileW, IsDebuggerPresent, FindNextFileW, FindFirstFileExW, GetFileAttributesExW, CreateFileW, GetDriveTypeW,
      accept, WSAStartup, connect, send, listen, recv, socket, bind, recvfrom, sendto,
      GetModuleFileNameW, GetModuleFileNameA, LoadLibraryExW, GetStartupInfoW, GetCommandLineA, WriteFile, GetModuleHandleExW, OutputDebugStringW, GetVersionExA,
      OpenProcess, GetThreadContext, GetComputerNameA, VirtualAlloc, LoadLibraryW, RegOpenKeyExA, RegCloseKey, DeviceIoControl, CreateDirectoryA,
      OpenFileMappingA, GetTempPathA, MapViewOfFile, GetStartupInfoA, GetFileSize, GetDriveTypeA, GetFileAttributesA

And a lot of multiple etceteras, as for example:
    • Installs hooks/patches the running process
    • Reads information about supported languages
    • Timestamp in PE header is very old or in the future
So ... should we all be worried or should we not be at all?

Better yet: Is there any software that allows us to analyze any executable and remain calm or have real reasons to be concerned about our privacy and security?

Yours,
Claire
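The "CRC value set in PE header does not match actual value" rows in the report above refer to the CheckSum field of the PE optional header. As an added example (not code from this thread, from the sandbox vendor or from Linden Lab), here is a small Python checker that locates that field, recomputes the value with the documented PE image checksum algorithm (sum of 16-bit words with carry folding, plus the file length) and reports whether the stored value is unset, matching or mismatched. The `build_minimal_pe` helper and its payload are constructed test data, not a real viewer DLL. Most ordinary EXEs and DLLs ship with the field left at zero and Windows only validates it for drivers and certain system binaries, so a mismatch on its own is weak evidence of anything; note also that in the listing above most "actual" values repeat the preceding row's "claimed" value, so that part of the report looks misaligned as printed.

```python
import struct

# Added example: verify the PE optional-header CheckSum field.
# Not taken from the thread, the sandbox vendor or the viewer's own code.

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # PE32
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B   # PE32+


def checksum_field_offset(data: bytes) -> int:
    """Locate the 4-byte CheckSum field.

    Layout: DOS header (e_lfanew at 0x3C) -> 'PE\\0\\0' -> 20-byte COFF header
    -> optional header, whose CheckSum sits at offset 64 for PE32 and PE32+.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_header = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", data, opt_header)[0]
    if magic not in (IMAGE_NT_OPTIONAL_HDR32_MAGIC, IMAGE_NT_OPTIONAL_HDR64_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return opt_header + 64


def compute_pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute the image checksum: add every little-endian 16-bit word except
    the CheckSum field itself, fold carries into the low 16 bits, add file length."""
    file_len = len(data)
    if file_len % 2:
        data = data + b"\0"            # odd-length files are padded for the word sum
    total = 0
    for off in range(0, len(data), 2):
        if off == checksum_offset or off == checksum_offset + 2:
            continue                   # the stored field is excluded from its own sum
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + file_len) & 0xFFFFFFFF


def verify_pe_checksum(data: bytes) -> tuple:
    """Return (status, stored, computed); status is 'unset', 'match' or 'mismatch'.

    A stored value of 0 is normal for ordinary EXEs/DLLs: linkers only fill it
    when asked (e.g. MSVC /RELEASE) and Windows enforces it only for drivers
    and certain system binaries.
    """
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    computed = compute_pe_checksum(data, off)
    if stored == 0:
        return "unset", stored, computed
    return ("match" if stored == computed else "mismatch"), stored, computed


def set_pe_checksum(data: bytes) -> bytes:
    """Return a copy with a correct CheckSum written into the header."""
    buf = bytearray(data)
    off = checksum_field_offset(buf)
    struct.pack_into("<I", buf, off, compute_pe_checksum(bytes(buf), off))
    return bytes(buf)


def build_minimal_pe(payload: bytes, file_alignment: int = 512) -> bytes:
    """Constructed sample: a structurally valid PE32 image with one section.
    Not a runnable program; just enough header to exercise the checksum code."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF: i386, 1 section, no symbols, 224-byte optional header, DLL-style flags
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 28, 0x10000000)               # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_alignment)  # Section/FileAlignment
    headers_len = len(dos) + 4 + len(coff) + len(opt) + 40    # + one section header
    headers_padded = -(-headers_len // file_alignment) * file_alignment
    body = payload + bytes(-len(payload) % file_alignment)
    struct.pack_into("<I", opt, 56, 0x1000 + len(body))       # SizeOfImage (rough)
    struct.pack_into("<I", opt, 60, headers_padded)           # SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                        # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    section = struct.pack("<8sIIIIIIHHI", b".data", len(payload), 0x1000,
                          len(body), headers_padded, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    return headers + bytes(headers_padded - len(headers)) + body


if __name__ == "__main__":
    sample = build_minimal_pe(b"constructed sample section contents")
    for label, blob in (("as built", sample), ("checksum set", set_pe_checksum(sample))):
        print(label, verify_pe_checksum(blob))
```

To check a real file, call `verify_pe_checksum(open(path, "rb").read())`. For a downloaded installer, the Authenticode signature on the file, not this header field, is the integrity check worth relying on.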
#2
Eh... basically anything you install that connects to servers on the internet is going to do a majority of that. When a virus or malware gets analyzed, every atom of its structure gets identified as suspicious when it occurs in other programs, so in effect what often happens is that code that has been running for years, innocently, gets used in a non-innocent program, and then, guilt by association. For an oversimplified example, a few lines of vanilla C++ that read and write a file on disk, which everything has to do, but if a virus happens to do it the same way as an average program, then that way starts raising red flags just because it's present in a virus. Watch everything and carry a bat but if carrying a bat is bothersome, stay at home and unplug the internet, basically. lol.
#3
People shouldn't use the official viewer. It's boring and old. I am sure you can find even more info if you look through it all.
#4
(01-01-2018, 01:29 PM)xXravenXx Wrote: Been using all the betas for a long time now, currently on Firestorm 5.0.11 (53579)

All absolutely fine

Yeah nice... the message isn't about Firestorm though.
#5
(01-02-2018, 01:55 AM)Sahulat Wrote:
(01-01-2018, 01:29 PM)xXravenXx Wrote: Been using all the betas for a long time now, currently on Firestorm 5.0.11 (53579)

All absolutely fine

Yeah nice... the message isn't about Firestorm though.

My bad,
didn't have specs on lol
post deleted
#6
(01-01-2018, 12:00 AM)Claire Fraser Wrote: I have just checked Second_Life_5_0_9_329906_i686_Setup.exe (just downloaded from the very SL site) with antivirus-antimalware analyzing magical spells. As a result, I had to do my hair again because my hair stood on end LOL

The pixie of magical spells revealed to me information that I do not know whether to worry about or not. And that is why I beg you for your kind, invaluable and wise experience.

If you want to gain some perspective, find the largest executable file that your pixie has in its own installation folders, and have it run an analysis on itself.

I have not the slightest speck of an idea how many people buy lindens on a weekly basis, but I know how many on average are logged on whenever I check, and it ranges from 25 to 30 thousand at slow times to 50 thousand plus at busy times. Extrapolating from that, if half of those buy lindens one time in a week, at US $1 a pop, that is $25,000 a week, just on the transaction fee. A hundred grand a month. They don't have to use stupid spyware tricks to get your information; you gave them anything they needed to know when you made an account, and especially if you have pay info on file.