bardosy Posted March 23, 2010
I got a virus warning when I navigated to the main BFC site:

2010.03.23. 12:16:08 HTTP filter file http://www.battlefront.com/products/battlefront_client.exe a variant of Win32/Kryptik.DFC trojan connection terminated - quarantined Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe.

Is it a real trojan, or what?
Sivodsi Posted March 23, 2010
Yes, same here. I get a nice e-mail from newsletter@battlefront.com about a client, and I go to the link, which downloads a file from the repository, which sets off my virus checkers, which give me the following alarming message:

"C:\Users\HP\AppData\Local\Temp\gsdcak.exe";"Trojan horse Downloader. Generic9. BFTQ"; "Infected"
"C:\Users\HP\AppData\Local\Temp\nnae.exe";"Trojan horse Cryptic.CH";"Infected"
"C:\Users\HP\AppData\Local\Temp\oeqvorps.exe";"Trojan horse Crypt.QOA";"Infected"

What gives?
Nicdain Posted March 23, 2010
Same here. When on the home page, it asks me to save an .exe file.
Sergei Posted March 23, 2010
I guess we'll need someone to install it and see what happens? (Don't do that. Let's hope that someone from the staff clears things up fast.)
Bertram Posted March 23, 2010
See also the general discussion.
Sivodsi Posted March 23, 2010
The BFT site looks kind of legit, if you can get there without the thing asking you to download.
Moon Posted March 23, 2010
Yes, the main page was infected by code injection. Whatever you do, DO NOT EXECUTE THIS CLIENT. It is not from Battlefront.com. We are working on resolving the issue.
Moon Posted March 23, 2010
> Yes, same here. I get a nice e-mail from newsletter@battlefront.com about a client, and I go to the link, which downloads a file from the repository, which sets off my virus checkers, which give me the following alarming message:
>
> "C:\Users\HP\AppData\Local\Temp\gsdcak.exe";"Trojan horse Downloader. Generic9. BFTQ"; "Infected"
> "C:\Users\HP\AppData\Local\Temp\nnae.exe";"Trojan horse Cryptic.CH";"Infected"
> "C:\Users\HP\AppData\Local\Temp\oeqvorps.exe";"Trojan horse Crypt.QOA";"Infected"
>
> What gives?

That email does not originate from us. It's easy to fake a sender address, unfortunately.
Matchstick Posted March 23, 2010
Moon, I'm afraid to say that I think the email did originate from Battlefront rather than just having a faked sender address. This is the header of the email I received (if you would like a copy of the unredacted header or the full SMTP session log from my mail server, please let me know):

From - Tue Mar 23 12:59:20 2010
X-Account-Key: account2
X-UIDL: 2VWY65Q.CNM3C772A49
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Received: from spooler by redacted.com (Mercury/32 v4.72); 23 Mar 2010 12:53:58 -0000
X-Envelope-To: <redacted@redacted.com>
Return-path: <SRS0=c5ac8e96f672fac7a2880cc597f443fe26ee986c=355=battlefront.com=bounce@battlefront.com>
Received: from mail.battlefront.com (216.121.6.209) by Mercury SMTP Server (smtp.redacted.com) (Mercury/32 v4.72) with ESMTP ID MG0000F0 (Using SSL/TLS, 3DES, CBC mode, keysize 192 bits) ; 23 Mar 2010 12:53:47 -0000
Received: from www.battlefront.com (mail.battlefront.com [216.121.6.209]) by mail.battlefront.com (Battlefront.com Mail Server) with ESMTP id FPY03252 for <redacted@redacted.com>; Tue, 23 Mar 2010 06:53:52 -0600
Date: Tue, 23 Mar 2010 06:53:51 -0600
To: Paul Redacted <redacted@redacted.com>
From: Battlefront Newsletter <newsletter@battlefront.com>
Subject: We are proudly presenting new update client for all games from battlefront for FREE.
Message-ID: <33263b74e9603f47ff06263526fdb143@www.battlefront.com>
X-Priority: 3
X-Mailer: PHPMailer [version 1.73]
X-Mailer: SM2 Email Marketing
X-SM2MessageID: 227
Precedence: bulk
X-SM2Recipient: redacted@redacted.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_33263b74e9603f47ff06263526fdb143"

The relevant line is:

Received: from mail.battlefront.com (216.121.6.209) by Mercury SMTP Server (smtp.redacted.com) (Mercury/32 v4.72) with ESMTP ID MG0000F0 (Using SSL/TLS, 3DES, CBC mode, keysize 192 bits) ; 23 Mar 2010 12:53:47 -0000

This indicates that the IP address of the server that actually sent the message to my mail server is 216.121.6.209, which is the same IP address as www.battlefront.com (and also the address I've received other Battlefront mail from), which, I'm afraid, makes me think that there's something more going on here than just a hack of the front page.

Can I also suggest that the download that the email points to, http://www.battlefront.com/products/battlefront_client.exe, is, as a matter of urgency, replaced with a webpage that details what Battlefront know about what has happened and what they are doing to investigate.
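Matchstick's reasoning above, that the only Received line you can vouch for is the one your own mail server wrote when the remote host connected to it, while every Received line below it was supplied by that sender and can be forged, as an added Python example (not code from the thread or from Battlefront). The sample header is constructed from the redacted one posted above; the domain name and the function names are assumptions.

```python
import re
from typing import List, Optional

# Constructed sample modelled on the header posted in the thread (redacted names kept).
SAMPLE_HEADERS = """\
Received: from spooler by redacted.com (Mercury/32 v4.72); 23 Mar 2010 12:53:58 -0000
Received: from mail.battlefront.com (216.121.6.209) by Mercury SMTP Server
  (smtp.redacted.com) (Mercury/32 v4.72) with ESMTP ID MG0000F0
  (Using SSL/TLS, 3DES, CBC mode, keysize 192 bits) ; 23 Mar 2010 12:53:47 -0000
Received: from www.battlefront.com (mail.battlefront.com [216.121.6.209])
  by mail.battlefront.com (Battlefront.com Mail Server) with ESMTP id FPY03252
  for <redacted@redacted.com>; Tue, 23 Mar 2010 06:53:52 -0600
From: Battlefront Newsletter <newsletter@battlefront.com>
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "from <host> (<ip or comment>) by <receiver ...>" up to the next with/id/for/via clause.
HOP = re.compile(
    r"from\s+(?P<from_host>\S+)(?P<from_rest>.*?)\s+by\s+(?P<by>.+?)"
    r"(?=\s+(?:with|id|for|via)\b|;|$)",
    re.IGNORECASE | re.DOTALL,
)

def received_hops(headers: str) -> List[str]:
    """Received: values in header order (newest hop first); folded lines are unfolded."""
    hops: List[str] = []
    in_received = False
    for line in headers.splitlines():
        if line[:1] in (" ", "\t"):          # continuation of the previous header field
            if in_received:
                hops[-1] += " " + line.strip()
            continue
        in_received = line.lower().startswith("received:")
        if in_received:
            hops.append(line.split(":", 1)[1].strip())
    return hops

def first_external_hop(headers: str, our_domain: str) -> Optional[dict]:
    """Walk the chain newest-first. The first hop that OUR server recorded from a peer
    outside our domain (with a peer IP) is the one we can trust: that IP is the machine
    that really connected to us. Hops below it were written by the sender."""
    hops = received_hops(headers)
    for i, hop in enumerate(hops):
        m = HOP.search(hop)
        if not m:
            continue
        by, from_host = m.group("by").lower(), m.group("from_host").lower()
        ip = IPV4.search(m.group("from_rest"))
        if our_domain in by and our_domain not in from_host and ip:
            return {"from": m.group("from_host"), "ip": ip.group(1),
                    "by": m.group("by"), "untrusted_hops": hops[i + 1:]}
    return None
```

Running `first_external_hop(SAMPLE_HEADERS, "redacted.com")` on the constructed header picks the hop recorded by smtp.redacted.com and reports 216.121.6.209 as the connecting peer, with the lower battlefront.com-internal hop listed as sender-supplied.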
Moon Posted March 23, 2010
I'm no expert, but I believe that headers can be faked, too. However, like I said, we're investigating.
birdstrike Posted March 23, 2010
Wow, good thing I did check the forums first. The mail smelled kinda fishy - lucky me.
BFCElvis Posted March 23, 2010
> I'm no expert, but I believe that headers can be faked, too. However, like I said, we're investigating.

You might want to send out a warning email ASAP for people that haven't looked here.
Moon Posted March 23, 2010
The file is not accessible anymore (it was only for about an hour).

Martin
DJ-Hazard Posted March 23, 2010
Talking too late! It's too late, I got the virus at 14:26 PM MEZ. My system totally crashed; I rescued some files and am now installing a backup image! EVERYONE TAKE CARE, THIS VIRUS IS IMMORTAL. IT TAKES DOWN SYMANTEC ANTIVIRUS in just a sec, and it is the Virtual WMD :-)