


Comments

Jatoba
Joined: 2018 Apr 16

If it is really a miner "virus", you could check if CPU and GPU usage go too crazy with the installation or use of the allegedly infected app. I wouldn't be surprised if it was a false positive. Had I won a 2.7 GHz G5 auction just now, I wouldn't have minded finding it out. :P

SkyCapt
Joined: 2017 Jan 11

Possibly it is a bitcoin mining trojan, and most detectors aren't seeing it. Bitcoin was invented in early 2009 and the program in ? is late 2009. Look inside the Contents/Frameworks/Sparkle code file, 192KB. Sparkle is supposed to be a simplistic version-updater, but this here file is packed full of ASCII terms such as Node, Key, Signature, Public, and even "SHA1" ... all words describing bc transactions, especially SHA1. I don't believe the real Sparkle uses SHA1.

Edit: I located other programs that use "Sparkle" even before 2009 and it looks the same, so... False positive?

Only 3 games in my huge collection are using Sparkle. An interesting experiment would be to see if win10 "Defender" says any of them are miners also. The "Zoom" interactive fiction v1.1.5 uses Sparkle 1.1 (made in 2007) whereas this Comic app is using Sparkle v1.1.1 around the same size (made in 2009). I have another 2007/v1.1 Sparkle, maybe not here on MG, inside a cheater for Ultima III. And then there is a huge file, 2009/v1.5b6 Sparkle, inside "And Yet It Moves Demo". On the apps side of things (Tiger) I find only two things so far with Sparkle; they're Mactracker v5.x and Monolingual v1.3.9.

Check out this write-up about Sparkle, already found here in a link on an MG page:
http://macintoshgarden.org/apps/jumpcut-clipboard-menulet-tiger
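The inspection described in the post above, looking for printable ASCII terms inside a framework binary, can be reproduced with a small strings-style scan. This is an added example, not code from the post or from Sparkle; the Sparkle symbol names (SUUpdater, SUAppcast, SUFeedURL, SUPublicDSAKeyFile) are Sparkle's own public API names, and the binary fragment is constructed for the demonstration.

```python
import re
from collections import Counter

# Runs of 4 or more printable ASCII bytes, the same heuristic `strings` uses.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")

# Terms the post treats as miner-like.
MINER_HINT_TERMS = ("Node", "Key", "Signature", "Public", "SHA1")
# Symbols a benign Sparkle build is expected to carry (Sparkle public API names;
# their presence here is the example's assumption, not something the post states).
UPDATER_TERMS = ("SUUpdater", "SUAppcast", "SUFeedURL", "SUPublicDSAKeyFile")


def extract_strings(blob, min_len=4):
    """Return the printable ASCII runs of at least min_len bytes in blob."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pattern.finditer(blob)]


def tally(strings, terms):
    """Count how many extracted strings contain each term (case-sensitive)."""
    counts = Counter()
    for term in terms:
        counts[term] = sum(1 for s in strings if term in s)
    return counts


def triage(blob):
    """Report both term sets side by side.

    The point for a reviewer: 'Key', 'Signature', 'Public' and 'SHA1' are the
    vocabulary of signed-update verification, so they co-occur with ordinary
    updater symbols and on their own say nothing about mining. Behavioural
    evidence (sustained CPU/GPU load, as Jatoba suggests) is what corroborates.
    """
    strings = extract_strings(blob)
    return {
        "miner_hint_hits": tally(strings, MINER_HINT_TERMS),
        "updater_hits": tally(strings, UPDATER_TERMS),
    }


# Constructed binary fragment: updater symbols and a signature-check string
# separated by non-printable bytes, standing in for a real framework file.
SAMPLE = (
    b"\x00\x01SUUpdater\x00\xffSUAppcast\x00SUPublicDSAKeyFile\x00"
    b"verifySignature\x00DSA SHA1 digest\x00\x02\x03SUFeedURL\x00Node\x00"
)

if __name__ == "__main__":
    for bucket, counts in triage(SAMPLE).items():
        print(bucket, dict(counts))
```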

SkyCapt
Joined: 2017 Jan 11

How's this for a wtf-moment. A newer-than-Bitcoin cryptocurrency has started up and the cover-up artists have named it Sparkle! Now we can't websearch "Bitcoin Sparkle" to get any useful info about their trojan mining ops. nada. And in the link-to-outside-link posted above, there used to be something like 94 comments written starting four years ago, but the whole deal got wiped out by some kind of data glitch in their system.

Who wants to call money "sparkle"?? Too many syllables and hard consonants. We say cash, dolla's, green, dough, moola, c notes, bucks. But... SparkleCoin? Really?

And I'll have you know if you read the link, it says the vulnerable sparkle framework was in the popular "VLC" media player software. That's where they'd gotcha. Spending hours at a time with VLC open as you watched internet video, and you don't complain that your CPU usage skyrockets and creates maximum heat.

mrdav
Joined: 2011 Dec 3

FX pansion GURU VSTi OsX PPC v 1.5.12

There is a Windows .exe file in the above archive that Sophos flags as containing malware. The exe should either be removed or cleaned up.

adespoton
Joined: 2015 Feb 15

Let me take a look and see if it's an FP.

So, the archive has the Mac archive inside and GURU-keygen.exe. The keygen appears to be a rebranded ngen-keymaker keygen that's been packed with a dodgy packer. Sophos is detecting the dodgy packer that's also used to pack malware; the actual Windows executable inside isn't detected.

The keygen is a bona fide keygen and generates actual keys, but only on Windows. The OS X version doesn't appear to be detected, and neither does the VST plugin.

So, the software is safe, but Sophos is unlikely to remove detection for a keygen packed with a dodgy packer. This means we can either remove the exe from the archive, or just be fine with having a detected but clean (other than containing a Windows keygen) file.

mrdav
Joined: 2011 Dec 3

Thank you, adespoton, for clarifying what is going on. If it is clean, then it is OK.

MikeTomTom
Joined: 2009 Dec 7

I've replaced the file + keygen with the zipped contents of that file, only. The MG isn't the place for keygens anyway, virus/trojans or otherwise.

You may want to re-check that it's now 100% clean.

[Edit] I'm sorry mrdav, but I accidentally removed your post from that page, too.

[Edit 2] Oops, found a copy of your post in a memory buffer and returned it to the page. :)

m68k
Joined: 2016 Dec 30

MikeTomTom:
"The MG isn't the place for keygens anyway, virus/trojans or otherwise."

Thank you sooo much for that clarification!