Jump to content

Trojan Detection

Guest sam

Recommended Posts

My Virus Scanner Antivir Personal alarmed kivan-v8.1.exe to contain an trojan.

D:/ (...) /kivan-v8.1.exe is trojan TR/Orsam.A.2433


I scanned the file at virustotal.com and got the following report:


Datei kivan-v8.1.exe empfangen 2010.03.09 12:54:53 (UTC)

Status: Beendet

Ergebnis: 16/42 (38.1%)


Antivirus Version letzte aktualisierung Ergebnis


a-squared 2010.03.07 Trojan.Generic!IK

AhnLab-V3 2010.03.07 -

AntiVir 2010.03.05 TR/Orsam.A.2433

Antiy-AVL 2010.03.05 -

Authentium 2010.03.06 -

Avast 4.8.1351.0 2010.03.07 -

Avast5 5.0.332.0 2010.03.07 -

AVG 2010.03.07 -

BitDefender 7.2 2010.03.07 -

CAT-QuickHeal 10.00 2010.03.06 -

ClamAV 2010.03.06 -

Comodo 4091 2010.02.28 -

DrWeb 2010.03.07 -

eSafe 2010.03.04 -

eTrust-Vet 35.2.7342 2010.03.05 -

F-Prot 2010.03.06 -

F-Secure 9.0.15370.0 2010.03.07 -

Fortinet 2010.03.07 -

GData 19 2010.03.07 -

Ikarus T3. 2010.03.07 Trojan.Generic

Jiangmin 13.0.900 2010.03.07 -

K7AntiVirus 7.10.990 2010.03.04 Trojan.Win32.Agent

Kaspersky 2010.03.07 -

McAfee 5912 2010.03.06 Generic.dx

McAfee+Artemis 5912 2010.03.06 Artemis!A62C49F60697

McAfee-GW-Edition 6.8.5 2010.03.07 Trojan.Orsam.A.2433

Microsoft 1.5502 2010.03.07 Trojan:Win32/Orsam!rts

NOD32 4922 2010.03.07 -

Norman 6.04.08 2010.03.07 Suspicious_Gen2.ROHL

nProtect 2009.1.8.0 2010.03.07 -

Panda 2010.03.07 Generic Trojan

PCTools 2010.03.04 Trojan.Generic

Prevx 3.0 2010.03.09 -

Rising 2010.03.07 -

Sophos 4.51.0 2010.03.07 Mal/Generic-A

Sunbelt 5780 2010.03.07 Trojan.Win32.Generic!BT

Symantec 20091.2.0.41 2010.03.07 Trojan Horse

TheHacker 2010.03.07 -

TrendMicro 2010.03.07 PAK_Generic.001

VBA32 2010.03.05 Trojan.Win32.Agent.blqg

ViRobot 2010.3.5.2214 2010.03.05 -

VirusBuster 2010.03.06 -


So 16 of 42 Scanners detected it to be a trojan.

I read in a other forum, that the Weidu files are able to update themselves and other files, and this is why it was detected to be a trojan...

But other WEIDU files are not detected to be a trojan, so... :)


Does anybody now something about this MOD ?

Link to comment

Well, thank you for your very fast answers - thought I had to wait maybe half a day to get an answer, but you were really quick...


Got a bad worm on my notebook a few weeks before, so I'm kind of paranoid concerning potential malware...


Thank's a lot!

Link to comment

Oh, there was already a tread about the trojan problem.


Next time I maybe should do a little search before... :)


I can't install Kivan on my computer, when I try, my antivirus software automatically erase the file when it's at 99% downloaded. What can I do to install the mod ?
You could always turn off the antivirus program.


If you wish to be absolutly sure that there is no virus, you can open the .exe archive with WinRAR or 7-Zip, extract the other files(not the setup-*modname*.exe), and then download the last WeiDU.exe from the "Windows binary" archive from here. And copy the WeiDU.exe and rename it as the setup-*modname*.exe, and run it.


That comes from the process that makes the WeiDU.exe, the anti-virus programs see it as a positive as virus falsely, as the program code has some same dinary values, which gives a false alert. You can always send a note to the anti-virus program maker that their program gives false alert, but that's usually already taken care of.



Although I don't understand, why byreplacing the kivan-setup.exe with the weidu installer there's no detection anymore.

If the former setup file also was an renamed weidu installer, why doesn't the virus-scanner detect it to be a trojan, too?


Is it a different version?!

Link to comment

No idea, but it might have something to do with the version of weidu packaged with Kivan. If that's the case, perhaps updating to a newer version would help.


I'm going to be packaging Crossmod Banter Pack later this week, so maybe I'll update Kivan with the latest version of weidu at the same time. It's a great mod, and it really is a pity that anti-viral programs are aggressive to the point of insanity. I wonder how many players download Kivan, see that the mod is flagged as a trojan, and never bother coming here to find out the truth. (sigh)

Link to comment

The problem isn't in the WeiDU.exe being bundled, but with the compressed form of that WeiDU.exe inside the kivanv8.1.exe package. It may well be that the compressed code along with some compressed code from some neighboring file may together be some known virus signature that the antivir heuristics pick up :)


It'd be great if kivan and Tashia were repackaged :p (and just to be safe, pre-scan them using some online scanner like virustotal :D)

Link to comment

No, I can narrow it down to the specific version of weidu shipped with Kivan. I got the same results with MacAffee that everyone else is getting with their AV software, removal of the executable, but I don't get that when I extract newer mods. There's no way to tell which version of weidu was shipped with v8, but I know that as of this moment, weidu v213 isn't getting flagged as a trojan, so I'll package with that one. Assuming that Domi gives the go-ahead for me to repackage her mod.

Link to comment

Hmm, I just checked my files and it looks like kivan has WeiDU 20800 ... and none of the other mods I extracted have that version :) (but a-aquared picks up the compressed package but not the extracted WeiDU)


You're probably right then :p IT IZ WEIDOO!! (20800) :D

Link to comment

Yup. If you've got sane AV software that allows you to download the mod and just deletes the executable, you can always download Kivan, download weidu v213, and just rename weidu.exe as setup-kivan.exe. Works 100% of the time.


But Domi had a few other minor changes introduced in v9 alpha, which was tested, but never released. I'm not sure if they were ever included in v8.1, so maybe it would be good to look into that, as well.

Link to comment


This topic is now archived and is closed to further replies.

  • Create New...