There's been a recent influx of people (or a person) posting viruses on the forums here on PMC. I'm not sure why it's suddenly so bad, but I just want to give you guys a few heads-ups about how to catch these guys and save yourselves grief (and possibly money).
- The people who post these virused programs prefer the WinRAR archive format (.rar) over the others, most likely because its compression algorithm is not public and therefore not scannable by (most) virus programs. A lot of people's instinct is to run programs from inside the rar after downloading, which gives the virus time to propagate before anti-viruses can contain it.
- The programs tend to appear as something people would want. One instance I've seen was a "Skin Editor", and a lot of them may appear to give you free Minecraft accounts, or OP on servers. They often only have a vague name describing some action, rather than an actual name.
- Generally, the virus posts contain a single exe which is approximately 800 kb, and has a random, oftentimes unrelated icon (an apple, or the standard Windows application icon). Sometimes, there will be empty text files alongside the executable to make it look more "professional". Do not be fooled by these zero-byte devils.
- While it's not something that can be detected by the average user, the exes are often written in VB.NET, and obfuscated to avoid detection by anti-virus scanners. The best way to check is to drop it to http://virustotal.com and see if AVG (or any of the other scanners) detects anything in the exe.
- Charzhoopz pointed this out, and he makes a good point. Avoid downloading files from users who are level 1 and have no submissions/no other sites on which the program is posted.
- Lastly, the posts are often very bland, use MediaFire as a storage for their .rar files, and may contain "screenshots" which are very crude Paint jobs.
So, basically: don't download random rar files from MediaFire which contain small exes with very crude (or no) screenshots. If you see a post containing this, report it by clicking on the triangle with the exclamation mark on it at the top-right of the post.
-P
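The checklist above can be applied to a download without running it. The following is an added example, not part of the original post: `triage` flags the archive traits the post lists from a file listing you supply, and `is_dotnet_pe` reads the PE header to see whether an exe is a .NET assembly. The function names, the size band, and the constructed `sample_pe` header are assumptions; a .NET result is only one more signal to weigh, not proof of anything by itself.

```python
import struct

SIZE_LOW, SIZE_HIGH = 600 * 1024, 1000 * 1024  # assumed band around "approximately 800 kb"

def is_dotnet_pe(data: bytes) -> bool:
    """True if data is a PE file with a CLR header (data directory 14), i.e. .NET."""
    try:
        if data[:2] != b"MZ":
            return False
        pe = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew: offset of PE header
        if data[pe:pe + 4] != b"PE\0\0":
            return False
        opt = pe + 24                                     # skip signature + COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic not in (0x10B, 0x20B):                   # PE32 / PE32+
            return False
        dirs = opt + (96 if magic == 0x10B else 112)      # start of data directories
        if struct.unpack_from("<I", data, dirs - 4)[0] <= 14:  # NumberOfRvaAndSizes
            return False
        rva, size = struct.unpack_from("<II", data, dirs + 14 * 8)
        return rva != 0 and size != 0
    except struct.error:                                  # truncated or malformed header
        return False

def triage(entries):
    """entries: (name, size_in_bytes) pairs from an archive listing. Returns flags."""
    exes = [s for n, s in entries if n.lower().endswith(".exe")]
    rest = [s for n, s in entries if not n.lower().endswith(".exe")]
    flags = []
    if len(exes) == 1:
        flags.append("single executable")
        if SIZE_LOW <= exes[0] <= SIZE_HIGH:
            flags.append("exe is roughly 800 KB")
    if exes and 0 in rest:
        flags.append("zero-byte filler files")
    return flags

def sample_pe(clr: bool) -> bytes:
    """Constructed minimal PE32 header for demonstration only; not a real program."""
    opt = 0x40 + 24
    buf = bytearray(opt + 96 + 16 * 8)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, opt, 0x10B)               # PE32 magic
    struct.pack_into("<I", buf, opt + 92, 16)             # 16 data directories
    if clr:
        struct.pack_into("<II", buf, opt + 96 + 14 * 8, 0x2008, 0x48)
    return bytes(buf)
```

Feed `triage` the names and sizes shown by your archive tool's listing view, and `is_dotnet_pe` the bytes of the exe read from disk (not executed).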


























