Virus alert - PWS Lineage

Chthon

Grotto Attendant

Join Date: Apr 2007

Quote:
Originally Posted by Shakti
OK now I'm worried about textmod. My hubby DLed Textmod a month or so ago (I think from the "safe" link here but I'll check when he gets home) so I could do cartographer.

I use McAffee SecurityCenter among other scans, and after reading this and the other threads, ran the scan just on the Textmod.exe file itself. It came up with a trojan New Malware.aj to be exact. Seems to be a 2006 Heuristic trojan (wtf ?)

Crap.
"Heuristic" means that it was flagged by a set of rules that pick out things that look virus-ish, but it didn't match any known virus in the definitions. Heuristic detection has a very high false-positive rate.

jackerduud

Academy Page

Join Date: Mar 2008

R/

On a slightly weirder note, PlayNC Launcher seems to be sure i have Lineage II Installed, although i have never done so.

pamelf

Forge Runner

Join Date: Aug 2006

Australia

Lost Templars [LoTe]

Me/Mo

Updated to 8.0 and I'm clean. *phew*

Sjeng

Desert Nomad

Join Date: Aug 2005

in my GH

Limburgse Jagers [LJ]

W/

Hmm, I've seen this Lineage trojan message too in AVG. It claimed to have quarantined it, but tonight I'm double checking and changing my pass yet again...

StormDragonZ

Desert Nomad

Join Date: Jan 2008

New York

W/R

This morning, while sitting through the morning computer scan with AVG, the PWS Lineage Trojan had come on to say hello.

Now I haven't downloaded anything EXCEPT TexMod and the three mods for Cartography Made Easy. I've used these for about a month now, and seeing it comes now of all times... just confuses me.

That's my two cents.

Snograt

rattus rattus

Join Date: Jan 2006

London, UK GMT±0 ±1hr DST

[GURU]GW [wiki]GW2

R/

Maybe something we have generates a wtf# file in TEMP and AVG tags it as PWS.Lineage?

Is there any way to examine one of these wtf# files and find out what created it?

I suspect googling wtf would be a bad idea ^^

[edit] Don't mind me - it's just senility setting in. From a previous TexMod thread:

Quote:
Originally Posted by Antheus
wtf = Windows Temporary File
.tmp = temporary file extension
The number is a random hex number

These files aren't trojans, they are just temporary file used by texmod. The ability to create these files is part of Windows, and any application can do that. These files should be automatically deleted if you properly close the GW and texmod. If not, you can safely delete them.

See official document.
So yes, it's TexMod and it certainly appears benign. I'm sticking with my assumption that the AVG8 update has brought this one up again. Then again, what if the creator of TexMod buried this trojan in it from the start and just waited until thousands of us had it installed before reaping the benefits?

Conspiracy theory again?

FeroxC

Krytan Explorer

Join Date: Mar 2006

EOA

P/W

.tmp files could be anything don't trust it.

I've packet sniffed TexMod and listened in on API calls; it doesn't seem to be sending any data or creating any hidden log files.

However theoretically it could be using Guild Wars to pm people(bypassing firewalls) so I won't give it the all clear

I remember a very popular 3rd party program for Diablo 2 that was fully functional but also sent the player login data to the developers database.
I really hope this isn't the case with TexMod.

The Meth

Desert Nomad

Join Date: Jan 2007

R/

You shouldn't have to worry about password stealers with TexMod, seeing how TexMod was AFAIK originally made for modding Tomb Raider and was then later used for Guild Wars, but I know for certain it wasn't made for Guild Wars. It's inconceivable that the creator had released TexMod with code for stealing passwords from another game. And since it has been used for years without people reporting problems, you will be safe as long as you aren't downloading a different version.

sykoone

Jungle Guide

Join Date: Dec 2005

Mystical Chaos

E/

Quote:
Originally Posted by The Meth
You shouldn't have to worry about password stealers with TexMod, seeing how TexMod was AFAIK originally made for modding Tomb Raider and was then later used for Guild Wars, but I know for certain it wasn't made for Guild Wars. It's inconceivable that the creator had released TexMod with code for stealing passwords from another game. And since it has been used for years without people reporting problems, you will be safe as long as you aren't downloading a different version.
Correct. TexMod was used for modding Tomb Raider, and has been floating around for quite a while. In fact, the main place to get a copy of TexMod is from the Tomb Raider website that started it all.

pumpkin pie

Furnace Stoker

Join Date: Jul 2006

behind you

bumble bee

E/

Hey, anyone good at these virus protection things? I found this and thought it's quite useful, something that does not involve typing - that you can use to key in information. Is it safe to use?

"Transaction Guard is FREE software that protects you against spyware while performing sensitive online tasks on a public computer, like Internet banking or other financial transactions. Transaction Guard has two components:

* Spyware Monitor – Monitors for spyware and notifies you of any intrusions.
* Password ClipBoard – An on-screen keyboard for securely entering user names and passwords.
http://www.trendsecure.com/portal/en...nsaction_guard

Taki

Lion's Arch Merchant

Join Date: May 2005

N/Me

Quote:
Originally Posted by Dylananimus
I got that virus the other week, on a brand new comp that was fully protected :/

I had to reformat just to be on the safe side.

[snip]

I scan twice a day now, both Virus and Spyware programs.

And no...I didn't have Textmod on the comp.
In your haste towards reassurance apparently you guys completely miss this post where it was found on a pc without textmod? Not once was it mentioned. GJ

Chthon

Grotto Attendant

Join Date: Apr 2007

Quote:
Originally Posted by pumpkin pie
Hey, anyone good at these virus protection things? I found this and thought it's quite useful, something that does not involve typing - that you can use to key in information. Is it safe to use?

"Transaction Guard is FREE software that protects you against spyware while performing sensitive online tasks on a public computer, like Internet banking or other financial transactions. Transaction Guard has two components:

* Spyware Monitor – Monitors for spyware and notifies you of any intrusions.
* Password ClipBoard – An on-screen keyboard for securely entering user names and passwords.
http://www.trendsecure.com/portal/en...nsaction_guard
1. I generally do not trust free software that offers to manage your passwords. All too often, free password managers are in fact password thieves. I would only trust (1) password managers you compile yourself (presuming you know enough about programming to be able to read and understand the code you are compiling), or (2) password managers from reputable corporations that have a vested interest in maintaining their reputation. Trend Micro probably falls into category (2), so it's probably safe to use something downloaded directly from their official site.

2. I'm not sure how much protection this program really offers. Mouse positions can be captured the same way keystrokes can. All an attacker's program would have to do would be wait until the virtual keyboard program started up, then log mouse positions and send them to the attacker. Unless the virtual keyboard randomly moves around the screen or randomly changes the positions of keys as you type, it should be trivially easy to guess where the virtual keyboard window was positioned and derive your password from there. That's not terribly much harder to write than a keylogger, so the only "protection" the program gives you is the "protection through scarcity" that not many attackers are including mouseloggers with their keyloggers (yet).

I also have a bad feeling that this program uses the windows clipboard to transfer the password to the program you want to feed it to, which means that an attack directed at recovering the windows clipboard contents would completely bypass any security provided by this program.

Commander Ryker

Site Contributor

Join Date: Jun 2005

R/

Quote:
Originally Posted by StormDragonZ
This morning, while sitting through the morning computer scan with AVG, the PWS Lineage Trojan had come on to say hello.

Now I haven't downloaded anything EXCEPT TexMod and the three mods for Cartography Made Easy. I've used these for about a month now, and seeing it comes now of all times... just confuses me.

That's my two cents.
My AVG is running right now and that trojan was picked up. I'd like to know where we're all getting this from. I am so careful, I just don't understand it.

jackers1234

Frost Gate Guardian

Join Date: Jun 2006

My House

N/A

Mo/Me

I seem to remember something to do with TexMod and AVG picking up a false positive for this trojan when it scans TexMod.

Dylananimus

Lion's Arch Merchant

Join Date: Mar 2007

The Eternal Champions

W/Mo

Quote:
Originally Posted by jackers1234
I seem to remember something to do with TexMod and AVG picking up a false positive for this trojan when it scans TexMod.
It's probably a good idea if people don't just put this down to TexMod though, as I didn't have TexMod on my comp when my scan found the trojan :/ It was a new comp.

Still gotta be careful.

Snograt

rattus rattus

Join Date: Jan 2006

London, UK GMT±0 ±1hr DST

[GURU]GW [wiki]GW2

R/

Here's a thought for you:

Has anyone detected this trojan with anything other than AVG?

BuD

Krytan Explorer

Join Date: Mar 2006

Nunya

E/Mo

My AVG is picking it up every time I use TexMod.

I didn't use TexMod for 4 days, no flags on my scans. I used TexMod yesterday & my scan found it this morning. So I fired up TexMod this morning & lo & behold it creates a wtf2A.tmp file. AVG sees this temp file as the PSW.Lineage Trojan.

It creates it in C:\Documents and Settings\User\Local Settings\Temp\

pumpkin pie

Furnace Stoker

Join Date: Jul 2006

behind you

bumble bee

E/

Thank you Chthon for the analysis. Appreciated.

gone

Guest

Join Date: Jan 2007

http://www.virustotal.com/analisis/d...5aaf9b1c68cc43

and a scan from here(see link below) came up with this: now i'm not saying it's all texmod, but this is the one I have. and yes it was d/l'd from wiki.
http://virusscan.jotti.org/

POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)

MD5:3a561b80cfba394a810d528d4c05dc7e
Packers detected:
PE_PATCH, NSPACK, ASPACK

Scan taken on 20 May 2008 16:01:11 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found Trojan-PWS.Win32.Agent.BU
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
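Snograt asked earlier whether there is a way to examine one of these wtf# temp files, and the Jotti report above shows the kind of detail (hashes, packer names) that helps decide whether a single heuristic hit is a false positive. The script below is an added example, not code from the thread, TexMod or any scanner: it hashes a file, checks whether it is actually a Windows PE executable (a texture temp file should not be), lists its section names, and flags section names that the ASPack, NSPack and UPX packers leave behind, since packed executables are a common trigger for heuristic detections. The `wtf*.tmp` glob, the temp-directory scan and the `build_sample_pe` helper (which constructs a headers-only PE for demonstration) are assumptions made for this example.

```python
"""Triage a temp file flagged by AV: hash it, check whether it is a PE
executable, list its sections, and flag sections left behind by common packers."""
import hashlib
import struct
import tempfile
from pathlib import Path

# Section names characteristic of common executable packers (assumed list for
# this example). A packed binary is a frequent cause of heuristic AV alerts.
PACKER_SECTIONS = {
    ".aspack": "ASPack", ".adata": "ASPack",
    ".nsp0": "NSPack", ".nsp1": "NSPack", ".nsp2": "NSPack",
    "UPX0": "UPX", "UPX1": "UPX",
}


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-256 of the bytes, for comparing against multi-engine scan reports."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def pe_sections(data: bytes):
    """Return the list of section names if data is a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]      # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                 # section table start
    names = []
    for i in range(num_sections):
        off = table + 40 * i                                         # 40-byte section headers
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return names


def triage(data: bytes) -> dict:
    """Combine hashes, PE check, section list and packer attribution into one report."""
    report = file_hashes(data)
    sections = pe_sections(data)
    report["is_pe"] = sections is not None
    report["sections"] = sections or []
    report["packers"] = sorted({PACKER_SECTIONS[s] for s in report["sections"]
                                if s in PACKER_SECTIONS})
    return report


def triage_temp_dir(temp_dir: Path, pattern: str = "wtf*.tmp") -> dict:
    """Triage every file matching the pattern (assumed TexMod naming) in a directory."""
    return {p.name: triage(p.read_bytes()) for p in temp_dir.glob(pattern)}


def build_sample_pe(section_names) -> bytes:
    """Construct a minimal headers-only PE image (a constructed sample, not a real file)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(struct.pack("<8s32x", n.encode()) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    for name, rep in triage_temp_dir(Path(tempfile.gettempdir())).items():
        print(name, rep["md5"], "PE" if rep["is_pe"] else "not PE", rep["packers"])
    print(triage(build_sample_pe([".text", ".aspack", ".adata"])))
```

A temp file that turns out not to be a PE at all (texture data, for instance) cannot be a password stealer on its own, which is the quickest way to settle a heuristic hit on wtf#.tmp; a file that is a PE and carries packer sections deserves the multi-engine check shown above rather than a single vendor's verdict.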

Cyric The Liar

Ascalonian Squire

Join Date: Mar 2008

[MBA]

N/Mo

Quote:
Originally Posted by Snograt
Here's a thought for you:

Has anyone detected this trojan with anything other than AVG?

Yes, Avast detects it too, it creates a *.tmp file.

Mercury Angel

Avatar of Gwen

Join Date: Apr 2005

Wandering my own road.

Aren't AVG and Avast fairly well-known for being great as free personal protection, but notorious in producing false positives due to their heuristic scans?
http://www.tombraiderforums.com/show...t=99663&page=3
It looks like Texmod has been flagged by AVG since 7.5 in 2007.

It was eventually fixed:
http://www.tombraiderforums.com/show...5&postcount=34

And it seems like the new 8.0 version has reverted the fix.