Color Mix DOES CONTAIN a trojan


Herb
10-06-2005, 08:16
Hey,

Just wanted to let you all know that you are mirroring virii and trojans in the tools section of this website. The files that are supplied by the creator "Thul Rasha" all seem to contain a trojan. I've scanned the first colormix.zip available at http://www.gwonline.net/files/files.php?&id=20 with this result from AVG Free:

http://www3.sympatico.ca/plauder/gw/Screenies/scannedColorMix.JPG

details page shows

http://www3.sympatico.ca/plauder/gw/Screenies/scanned.JPG

and I scanned the new Color Mix available at http://www.gwonline.net/files/files.php?&id=21 and got these results:

http://www3.sympatico.ca/plauder/gw/Screenies/newColorMix.JPG

details page shows

http://www3.sympatico.ca/plauder/gw/Screenies/results2.JPG

I have read http://forums.gwonline.net/showthread.php?t=347118 and see the author of said app saying that the person who started that thread must have an infected computer. Would anyone actually admit they've included a trojan in their application while there are still 100k people to download it? It's also funny that before I downloaded these files there were no virii/spyware/trojans on my system, and as soon as I deleted them it returned to that state of not being infected at all. I also noticed THIS when I went to download the colormix app: "Please note that some virus checkers will read the file as a 'trojan dropper'. This is not the case." and basically the same statement for the prior build. I'm sorry, but until you supply SOURCE CODE for this application to a reputable anti-virus company and THEY say it's safe, or even make ALL the source available to the general public so they can see for themselves what your application is doing, I think the normal rules should be followed. Looks like a virus, identified as a virus by reputable SCANNERS (yes, more than just 1 scanner picks up the trojan embedded in this app), must be a virus. I for one will be avoiding ALL Thul Rasha's apps until they stop being detected by scanners as containing trojans. If this is happening, either it contains a trojan or the coding of the app is very wrong. Either way, it's not for me. Thul, if you read this: I program as well, C++, VB, C#, and have never coded an app that is detected as a virus (out of thousands). For Fallen_62, if you read this, perhaps your virus detection is out of date. 100% of the people I have asked to scan this file have id'd it as a virus with up-to-date scanners. Try going to www.grisoft.com and downloading some new protection and then scanning the file FOR YOURSELF before you lock the topic (by the way, Kaspersky and AVG are 2 of the best scanners on the market and both have id'd it as containing a trojan). Just out of curiosity, what scanner are you using?
If both you and the author (assuming you are 2 different people) are going to insist that this does not contain a virus, then release the source.

Regards,
Herb


Help make the internet safe for ALL, don't host trojans and virii on your websites!!!

majoho
10-06-2005, 12:38
I believe you're wrong.

As was said before already, the test the AVP does only checks for a short sequence of numbers; if they fit, it will say it's infected. It doesn't have to be. On several occasions such AVPs have been wrong; personally I've seen it at least 3 times.

Herb
10-06-2005, 20:03
Funny, because now I've seen more than 5 scanners id this as a virus. Hard to think that 5/6 are wrong. I'm saying 5/6 because gwonline's scanner obviously did not catch this (curious, did your scanner not pick this up? Update it and scan the archive again). As well, something that is id'd as a virus is usually more than just a couple of random numbers that randomly popped into that order. Especially when it's been identified so many times by reputable programs like Kaspersky, which happens to be one of the best scanners on the market. I will just say: detected as a virus multiple times, no source, why would you even want to use it?

Naylia
10-06-2005, 21:06
Why don't you install a firewall and see if your computer ever tries to contact an outside source? That is exactly what a trojan would do: it would mine information and then broadcast it. People have tried monitoring Color Mix and never has an instance been reported of it being blocked/trying to send info by a closed firewall, or of anyone using it and downloading it 'from this website' having their account stolen, which has happened with people who downloaded from other places. This has been discussed many, many times on this website already and nobody has ever actually had anything happen to their computer, even when monitoring it with appropriate network monitoring software.

And if you still don't feel good about it install it on a system that doesn't have GW on it, remove your network connection, use it for 10 minutes and then remove it and scan your system

Ochiba
10-06-2005, 21:10
Why don't you install a firewall and see if your computer ever tries to contact an outside source? That is exactly what a trojan would do: it would mine information and then broadcast it. People have tried monitoring Color Mix and never has an instance been reported of it being blocked/trying to send info by a closed firewall, or of anyone using it and downloading it 'from this website' having their account stolen, which has happened with people who downloaded from other places.

Most people wouldn't block outbound port 25 on their firewalls so they could continue to send email. It's common for trojans to utilize their own SMTP daemons, so you should probably qualify your "install a firewall and see..." Likewise, there's no reason why the return traffic couldn't be sent over any other commonly-used port. I wouldn't recommend anyone not experienced enough to "test" the possibility that the color mixer is infected. If in doubt, leave it out.

He has multiple-source confirmations that a trojan is detected in the archive. If I were the author, I'd probably try to correct whatever the trigger is. Otherwise, I see no reason to discount this report flat out.

Naylia
10-06-2005, 21:46
I wasn't discounting it flat out, but this is asked and answered on this forum every day, and you can find threads and threads of investigations into the issue by searching for 'trojan'. There are a number of threads that show up discussing the issue and keyloggers in general. And I agree that the author should try to fix it, but it is not always possible if there's only one easy way, or one way within his knowledge, to perform a particular action, and it happens to coincide with a trojan's signature. Any anti-virus company will confirm that false positives are possible.

Ochiba
10-06-2005, 21:58
I wasn't discounting it flat out, but this is asked and answered on this forum every day, and you can find threads and threads of investigations into the issue by searching for 'trojan'. There are a number of threads that show up discussing the issue and keyloggers in general. And I agree that the author should try to fix it, but it is not always possible if there's only one easy way, or one way within his knowledge, to perform a particular action, and it happens to coincide with a trojan's signature. Any anti-virus company will confirm that false positives are possible.

I posted mostly in opposition to advising non-technical people to "test" a theory using unsound methods with insufficient knowledge to perform a legitimate test.

I'm not saying it can't be a false positive. But confirmation using multiple AV scanners lends to my suspicion.

Naylia
10-06-2005, 22:14
Yeah, you are right about needing a knowledge base to test it.

And here's the post from Chantal assuring us that the file is safe; it was good enough for me to download it and mess around on an unrelated machine:

Chantal vouches for Color Mix from GWOnline.com only...be careful of colormix.exe from other sites (http://forums.gwonline.net/showpost.php?p=3500125&postcount=25)

sorry that link is weird, only the one post shows up, it didn't link to the post in context of the entire thread

Svenn
10-06-2005, 22:28
This thread caught my eye, so I downloaded ColorMix and tested it using The Cleaner (http://www.moosoft.com/products/cleaner/). The Cleaner is THE app for scanning for worms and trojans. Modern virus scanners just scan for worms and trojans as a sideshow (in the "olden" days, they couldn't detect them at all). The Cleaner (updated today) does not trigger on ColorMix.

Norton AntiVirus did not alert on the file, either. In my experience, AVG gives a lot of false positives. The engines with the highest detection rate are not necessarily the most practical to use on a daily basis for this reason.

If you do not feel comfortable running the program or downloading the file, please don't. However, I think accusing the author of spreading malware or trojans is extremely premature. If you have a paid subscription to a virus program, you should be able to send it to their testing center for a definitive answer.

Edit: I want to note that I scanned both the zip file and the unzipped executable.

Ochiba
10-06-2005, 22:35
Yeah, my Symantec Corporate didn't complain either. The whole firewall-for-virus-testing idea has a lot of potential pitfalls for the average PC user and the OP was doing more sound research by using multiple scanners and posting findings.

I'll restate that, were I the originator of this utility, I'd find out what the trigger is and fix it. I'm curious like that and do perimeter AV as part of my job, but also I completely understand that he/she may take the, "Use it, don't use it. I don't care." approach. It's not like people get paid for helpful utilities.

Pariah
10-06-2005, 23:00
I have a network of 5 machines running in my house right now. All run anti-virus and anti-spy/adware software daily. Color Mix has been installed and run on 3 of the five for several weeks. I have never come up with any virus in all that time. Norton, McAfee, and Trend Micro run on the 3 machines that it is installed on. According to them, which by the way are some of the leading companies in the AV world, it is clean. Good enough for me. This has been discussed so many times, and it's now like beating a dead horse. If you don't trust it, don't use it. Let others make up their own minds.

Drakhen
11-06-2005, 01:46
I'm not at home right now, otherwise I'd do it myself... Could someone give this site a shot with the files in question? (and post the results)

http://virusscan.jotti.org/

Even if it is found that it doesn't have a virus, I suggest we just pull the file. It was last updated when? In Feb? Its results seem to have no bearing on in-game reality. It's not accurate, and the possible risks far outweigh any possible use/benefit it can offer anyone at this time. Perhaps if the author updates it to more accurately reflect the in-game dye/color mixing system it would be worth hosting it again in the future.

Herb
11-06-2005, 02:07
Why don't you install a firewall and see if your computer ever tries to contact an outside source? BTW, both Norton and McAfee sure do own up the AV world :happy14: kind of like M$ with Windows ...


That's the whole point. Why would I install something that has been identified by so many people's scanners as containing this trojan? You have shown that 1 or 2 scanners just aren't picking it up. I have heard the author's claim that this was caused by an infection on someone else's computer prior to download, which caused the download to become infected, which later switched to the author saying "Some scanners are reporting that this contains win32.dropper". :worship: Wow, I am convinced :worship: . I've seen people write programs for Diablo 2 similar to this that stole accounts and CD keys. They collected pages of CD keys and other information, 1 name/CD key per line, and sold them off one at a time over the internet. I'm afraid I've developed a bit of a mistrust of this type of application and need a little more proof than the dev of the application saying that this doesn't contain a trojan. Perhaps, maybe, if someone other than the dev were able to view and compile the source with the same result. Someone who's familiar with different types of code. Other than that ... seriously, are you on @#$@ing crack? :cheesy:

The only safe way I can think of, other than with FULL source and a compilation/verification of the trigger, would be emulation so that connections would be reported but not made. How many people have done this? IMHO, if you are going to host random authors' applications this should be done with every application you host. Especially when involving CD keys. As for my guild, I have brought up the discussion that we should not ourselves be endorsing any program that is authored by a random individual. We should leave that to the people that will take our interests to heart and do things like emulate programs and scan archives before hosting them. But then, I've been a member of sites where we wouldn't host files, or would issue a warning in huge red letters (16px warning of possible infection, run at own risk), if sandbox emulation took too long (that means we wouldn't even test a virus scanner/trojan scanner/... vs the fact that an author can create something original without a lot of thought that won't be detected as a virus or trojan).


Regards,
Herb

Relativity
11-06-2005, 03:43
I'm sorry but until you supply SOURCE CODE for this application to a reputable anti-virus company and THEY say it's safe or even make ALL the source available to the general public so they can see for themselves what your application is doing I think the normal rules should be followed.
I agree completely. It's a free program... so what does Thul Rasha have to lose by posting the source code of his application?

If he is truly innocent, he would allow gwonline.net staff to verify that his source code contains no trojan. After verifying the source, gwonline could compile it again to be sure that the real source code was sent. Then they could host the recompiled version, which would assure others that there isn't anything to be alarmed about.

spanspace
11-06-2005, 06:48
Doesn't run for me. It doesn't look for a short sequence of numbers either. It looks for encrypted blocks of code. Why would a trojan dropper's code match a 'color mixing' program? Trojan droppers go online by means of IRC, mail, HTTP and so on. I can see no reason for a program of this type to have the code. Even if the program needed to go online it would not contain this code. You guys are running a risky game. I will stick to wasting gold to find the right combinations.

devicenull
11-06-2005, 06:59
I ran it through that multi-virus scanner. 5 triggered.

All trigger on the ColorMix.exe program, not the installer or anything else.

spanspace
11-06-2005, 10:13
Aside from the zip file and the folder I extracted it to. There was like 100 other copies on the hard drive in folders the file had not been and the file names were random. Admin you need to take special notice to this.

majoho
11-06-2005, 18:45
Aside from the zip file and the folder I extracted it to. There was like 100 other copies on the hard drive in folders the file had not been and the file names were random. Admin you need to take special notice to this.
Nonsense, in case it really was a trojan it wouldn't spread... it's not a virus you dummy. :howdy:

Deathrite
12-06-2005, 06:59
Nonsense, in case it really was a trojan it wouldn't spread... it's not a virus you dummy. :howdy:

So no one remembers why they are called a virus? It is because the first ones spread and filled up the hard drive of a computer.
A file can be contaminated in many ways, both by the programmer and after the programmer.

Here is also a side note: if the file has been contaminated once, regardless of how or by whom, then how will you be absolutely sure you have a clean file? If they are both on the internet, why can't someone replace a clean file with a corrupt one? I know! Safeguards! OK, now ask yourself this: how much do you trust someone else's virus scanner?
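The "safeguards" question above (how do you know the file you got is the file the host meant to serve, and not one swapped out on the way) has a standard answer that does not depend on anyone's virus scanner: the host publishes a hash of the archive and of each file inside it, and the downloader recomputes and compares them. The script below is an added example written for this thread, not code from any poster or from the Color Mix author; the archive contents, file names and the "published" manifest are all constructed stand-ins, not real ColorMix data. It checks the archive as a whole and every member individually, so a change confined to one executable inside an otherwise identical zip (the situation devicenull describes, with detections on ColorMix.exe but not the installer) is reported by name.

```python
import hashlib
import io
import zipfile


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def build_zip(members: dict) -> bytes:
    """Build a zip archive in memory from {name: bytes}.

    A fixed timestamp is used so the same members always yield byte-identical
    archives; otherwise the archive hash would change from one second to the
    next. This is a constructed stand-in for a real download.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            info = zipfile.ZipInfo(name, date_time=(2005, 6, 10, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def hash_archive_members(zip_bytes: bytes) -> dict:
    """Return {member_name: sha256} for every file inside the archive."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = sha256_bytes(zf.read(info))
    return digests


def verify_download(zip_bytes: bytes, manifest: dict) -> list:
    """Compare a downloaded archive against a published hash manifest.

    manifest = {"archive": <sha256 of the zip>, "members": {name: sha256}}
    Returns a list of findings; an empty list means everything matched.
    Member-level checks run even when the archive hash already failed, so
    the report says *which* file differs rather than only that something did.
    """
    findings = []
    if sha256_bytes(zip_bytes) != manifest["archive"]:
        findings.append("archive hash mismatch")
    actual = hash_archive_members(zip_bytes)
    expected = manifest["members"]
    for name, digest in expected.items():
        if name not in actual:
            findings.append(f"missing member: {name}")
        elif actual[name] != digest:
            findings.append(f"modified member: {name}")
    for name in actual:
        if name not in expected:
            findings.append(f"unexpected member: {name}")
    return findings


def demo() -> tuple:
    """Constructed scenario: a clean archive, then the same archive with one
    executable replaced. Returns (findings_for_clean, findings_for_tampered)."""
    # Constructed placeholder contents; not the real program bytes.
    clean_members = {
        "ColorMix.exe": b"MZ-placeholder-clean-build",
        "readme.txt": b"constructed readme text",
    }
    clean_zip = build_zip(clean_members)

    # What the hosting site would publish next to the download link.
    manifest = {
        "archive": sha256_bytes(clean_zip),
        "members": hash_archive_members(clean_zip),
    }

    # Same readme, different executable: the swap Deathrite worries about.
    tampered_members = dict(clean_members)
    tampered_members["ColorMix.exe"] = b"MZ-placeholder-replaced-build"
    tampered_zip = build_zip(tampered_members)

    return verify_download(clean_zip, manifest), verify_download(tampered_zip, manifest)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean download:", clean or "OK")
    print("tampered download:", tampered)
```

The manifest only helps if it is fetched from somewhere the downloader trusts more than the download itself (the host's own page, ideally over HTTPS, or a signed file). Verifying a zip against a hash that travelled in the same zip proves nothing. Note also that this tells you the file is the one the host intended to serve; whether that file is itself clean is the separate question the scanners in this thread are arguing about.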

majoho
12-06-2005, 14:15
DUDE

If it was anything, it would be a trojan; trojans don't infect as such.

UndeadBehlial
12-06-2005, 20:31
Guys, the staff here is really sick of hearing about the whole "color mixer trojan". Try searching the forums; you think you're the first person to wave a red flag? Has it occurred to you that your free virus scanner is just crappy? If it makes you feel better, scan your system with a-squared (google it) or, better yet, adwareaway.com's free trial; it's a great scanner.

And for your reference:
http://forums.gwonline.net/showpost.php?p=3500070&postcount=21


and the thread that started it all WEEKS ago:
http://forums.gwonline.net/showthread.php?p=3503811&highlight=trojan#post3503811