pokesav questions



johnnygg
12-10-2013, 03:11 AM
So I ran pokesav through VirSCAN.org, and this is the result:
http://r.virscan.org/report/de5ab98e4eeef2688e293f4171ab2395.html

It seems that someone else had run a similar scan last month-ish.

Here are the full results, in case you don't want to click the link:

VirSCAN.org Scanned Report :
Scanned time : 2013/12/09 20:05:58 (CST)
Scanner results: 35% Scanner(s) (13/37) found malware!
File Size : 159076 byte
File Type : Zip archive data, at least v2.0 to extract
MD5 : 5c464bfb55b6eba162b825d3227961df
SHA1 : e839ad5d9ff5d9c217c6328553e1f6a24dd5aa4a
Online report : http://r.virscan.org/de5ab98e4eeef2688e293f4171ab2395

Scanner      Engine Ver    Sig Ver              Sig Date    Time   Scan result
a-squared    5.1.0.4       00050000000000       0005-00-00  0.34   HackTool.Win32.Poks!IK
AhnLab V3    2013.05.28.00 2013.05.28           2013-05-28  4.26   -
AntiVir      8.2.10.202    7.11.50.58           2012-11-16  10.70  -
Antiy        2.0.18        2.0.18.              0002-18-00  0.21   -
Arcavir      2011          201311271241         2013-11-27  7.17   Trojan.Psw.Qqpass.Yyg
Authentium   5.3.14        5.3.14               0005-14-00  0.94   -
AVAST!       4.7.4         131209-0             2013-12-09  0.36   -
AVG          10.0.1405     2109/6405            2013-12-09  0.30   Generic9_c.RLZ
BitDefender  7.90123.105542247.52000            2013-12-10  6.66   -
ClamAV       0.97.8        18220                2013-12-10  0.26   PUA.Win32.Packer.BorlandCpp-7
Comodo       5.1           15023                2013-10-10  2.36   UnclassifiedMalware
CP Secure    1.3.0.5       2013.10.19           2013-10-19  0.21   -
Dr.Web       5.0.2.3300    2013.12.04           2013-12-04  25.41  -
F-Prot       4.6.2.117     20131209             2013-12-09  0.83   -
F-Secure     7.02.73807    2013.12.09.02        2013-12-09  0.49   -
Fortinet     4.3.392       16.549               2013-10-12  0.15   -
GData        22.12903      20131001             2013-10-01  7.60   -
ViRobot      20131011      2013.10.11           2013-10-11  0.46   -
Ikarus       T3.1.32.10.0  ..1.32.10.0.         --1.32.10.0 3.66   -
JiangMin     16.0.100      2013.08.13           2013-08-13  0.00   -
Kaspersky    5.5.10        2013.07.09           2013-07-09  0.00   -
KingSoft     2009.2.5.15   2013.11.4.9          2013-11-04  0.95   Win32.PSWTroj.QQPass.437760
McAfee       5400.1158     5805                 2009-11-17  4.91   -
Microsoft    1.9901        2013.10.09           2013-10-09  30.81  HackTool:Win32/Poks
NOD32        3.0.21        9152                 2013-12-09  0.28   -
Norman       6.8.3         201305031020         2013-05-03  0.21   -
Panda        9.05.01       2013.01.22           2013-01-22  7.08   -
Trend Micro  9.500-1005    10.462.07            2013-12-09  0.26   TROJ_SPNR.29K412
Quick Heal   11.00         2013.11.05           2013-11-05  3.28   Trojan.Genome.zsww
Rising       20.0          24.46.00.03          2013-01-21  0.69   Trojan.Win32.Generic.128A6CB2
Sophos       3.16.1        4.62                 2013-12-10  3.04   -
Sunbelt      3.9.2570.2    22124                2013-10-05  2.86   -
Symantec     1.3.0.24      20130909.001         2013-09-09  0.61   -
nProtect     20131011.03   15523128             2013-10-11  3.09   Trojan/W32.Agent.461824.BY
The Hacker   6.8.0.5       v00346               2013-10-10  0.93   Trojan/Genome.zsww
VBA32        3.12.24.3     20131209.0703        2013-12-09  2.61   TrojanPSW.QQpass
VirusBuster  5.5.2.13      15.0.644.1/14726035  2013-12-10  10.24  -

In case you don't have experience with services like VirSCAN.org: you upload a file, they scan it using a bunch of industry-recognized scanners/heuristics, and they post the results on a single page.

It is significant that a-squared actually identified the file as a hack tool: "HackTool.Win32.Poks!IK".
Microsoft did the same: "HackTool:Win32/Poks". In the context of antivirus and antimalware products, a hack tool is used to access remote machines, not to hack Pokemon saves, in case anyone was confused. Anywho, "HackTool" isn't the part that is significant; what really stands out is that a-squared and Microsoft actually have a name for this type of hack tool and know it is related to Pokemon, hence the "Poks". This means that this is an actual definition, not a heuristics result (an example of a heuristics result would be Comodo's "UnclassifiedMalware").

Interestingly, COM's Japanese versions (COM originally wrote pokesav: http://pokesav.umimi.com/) are 100% clean, which makes me think that either the person who made the English versions is pulling shenanigans, or the server is compromised and someone out there is uploading insecure files for everyone to download.

I expect I'll get much hate for this post, but please know that this isn't a criticism of this site, the community, or even the admins; I'm just making the community aware of these scan results in case it didn't already know. I'd also like to point out that these scan results are not guaranteed to be 100% accurate. False positives do happen, but it is rare that so many false positives (13 different recognized scanners, including Comodo and Trend Micro) are produced by a single small file.

Admins, if you do believe these to be false positives, it is actually really simple to contact the individual scanner vendors and ask them to white-list you: just go on their forums and let them know, and they'll have an analyst look at the file and white-list it if it is actually clean.

tl;dr: scanned pokesav using a bunch of different scanners; a lot are claiming it to be a trojan/hack tool. This is a post to raise awareness and bring these results to the admin team.
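The report quoted in the post above gives the sample's size, MD5 and SHA-1 and a per-scanner verdict list. The Python script below is an added example, not code from the original post and not VirSCAN's own tooling. It does the two checks a reader would want before acting on such a report: confirm that the file on disk is the exact sample that was scanned (by size and hash, since a report says nothing about a different build of the same tool), and separate vendor verdicts that carry a family name ("Poks", "QQPass") from generic, heuristic or PUA verdicts, then count how many vendors independently agree on a family. The report rows embedded in the script are copied from the post; the generic-marker list, the prefix list and the stand-in zip bytes are this example's own assumptions.

```python
"""Triage helper for a multi-engine scan report (added example, not from the post)."""
import hashlib
import re
from collections import Counter

# Values copied from the VirSCAN report quoted in the post above.
REPORTED = {
    "size": 159076,
    "md5": "5c464bfb55b6eba162b825d3227961df",
    "sha1": "e839ad5d9ff5d9c217c6328553e1f6a24dd5aa4a",
}

# Rows copied from the quoted report (a subset).  The scanner name may contain
# a space; the remaining five columns never do, and "-" means no detection.
REPORT_ROWS = """\
a-squared 5.1.0.4 00050000000000 0005-00-00 0.34 HackTool.Win32.Poks!IK
Arcavir 2011 201311271241 2013-11-27 7.17 Trojan.Psw.Qqpass.Yyg
AVAST! 4.7.4 131209-0 2013-12-09 0.36 -
AVG 10.0.1405 2109/6405 2013-12-09 0.30 Generic9_c.RLZ
ClamAV 0.97.8 18220 2013-12-10 0.26 PUA.Win32.Packer.BorlandCpp-7
Comodo 5.1 15023 2013-10-10 2.36 UnclassifiedMalware
KingSoft 2009.2.5.15 2013.11.4.9 2013-11-04 0.95 Win32.PSWTroj.QQPass.437760
Microsoft 1.9901 2013.10.09 2013-10-09 30.81 HackTool:Win32/Poks
Trend Micro 9.500-1005 10.462.07 2013-12-09 0.26 TROJ_SPNR.29K412
Quick Heal 11.00 2013.11.05 2013-11-05 3.28 Trojan.Genome.zsww
Rising 20.0 24.46.00.03 2013-01-21 0.69 Trojan.Win32.Generic.128A6CB2
nProtect 20131011.03 15523128 2013-10-11 3.09 Trojan/W32.Agent.461824.BY
VBA32 3.12.24.3 20131209.0703 2013-12-09 2.61 TrojanPSW.QQpass
"""

# Verdict substrings that mark a generic, heuristic or PUA verdict rather than
# a named family.  This list is this example's own judgment call, not a
# vendor-published taxonomy ("spnr" is assumed here to be a heuristic verdict).
GENERIC_MARKERS = ("generic", "unclassified", "genome", "heur", "pua",
                   "packer", "agent", "spnr")

# Type/platform prefixes stripped before reading the family name (also an
# assumption: vendor naming schemes vary).
PREFIX_TOKENS = {"trojan", "troj", "trojanpsw", "psw", "pswtroj", "hacktool",
                 "win32", "w32", "virus", "worm", "backdoor"}


def fingerprint(data: bytes) -> dict:
    """Size, MD5 and SHA-1 of a blob, in the same shape as REPORTED."""
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def mismatches(data: bytes, reported: dict = REPORTED) -> list:
    """Fields where the local file differs from the scanned sample.

    An empty list means the bytes on disk are the bytes the report describes;
    any mismatch means the report is about a different file and says nothing
    either way about this one."""
    local = fingerprint(data)
    return [k for k in ("size", "md5", "sha1") if local[k] != reported[k]]


def parse_rows(text: str) -> list:
    """Turn report rows into dicts; rsplit on the last five fields keeps
    multi-word scanner names such as "Trend Micro" intact."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        scanner, engine, sig, date, secs, verdict = line.rsplit(None, 5)
        rows.append({"scanner": scanner, "engine": engine, "sig": sig,
                     "date": date, "time": float(secs),
                     "verdict": None if verdict == "-" else verdict})
    return rows


def classify(verdict) -> str:
    """'clean', 'generic' or 'family' for one scanner verdict."""
    if verdict is None:
        return "clean"
    low = verdict.lower()
    return "generic" if any(m in low for m in GENERIC_MARKERS) else "family"


def family_name(verdict: str) -> str:
    """First verdict token that is not a type/platform prefix, lower-cased."""
    for tok in re.split(r"[^A-Za-z0-9]+", verdict):
        if tok and tok.lower() not in PREFIX_TOKENS:
            return tok.lower()
    return verdict.lower()


def summarize(text: str) -> dict:
    """Count verdict classes and how many vendors agree on each family name."""
    rows = parse_rows(text)
    classes = Counter(classify(r["verdict"]) for r in rows)
    families = Counter(family_name(r["verdict"]) for r in rows
                       if classify(r["verdict"]) == "family")
    return {"scanners": len(rows), "classes": dict(classes),
            "families": dict(families)}


if __name__ == "__main__":
    # Constructed stand-in for a downloaded zip; it will not match the report.
    sample = b"PK\x03\x04" + b"\x00" * 60
    print("fields differing from the report:", mismatches(sample))
    print(summarize(REPORT_ROWS))
```

To check a real download, replace `sample` with the file's bytes (`open(path, "rb").read()`); an empty mismatch list means the hashes agree with the report and the verdicts apply to that exact file. On the rows above the family counter reports "poks" named by two vendors and "qqpass" by three, which is the kind of cross-vendor agreement the post points to when it distinguishes a named definition from a heuristic hit; a single generic verdict, by contrast, is weak evidence on its own.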