BFC main page trojan

[bardosy]

I got a virus warning when I navigate on main BFC site:

2010.03.23. 12:16:08 HTTP filter file http://www.battlefront.com/products/battlefront_client.exe a variant of Win32/Kryptik.DFC trojan connection terminated - quarantined Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe.

Is it a real trojan, or what?

[Sivodsi]

Yes, same here.

I get a nice e-mail from newsletter@battlefront.com about a client, and I go to the link which downloads a file from the repository which sets off my virus checkers, which give me the following alarming message:

"C:\Users\HP\AppData\Local\Temp\gsdcak.exe";"Trojan horse Downloader. Generic9. BFTQ"; "Infected"

"C:\Users\HP\AppData\Local\Temp\nnae.exe";"Trojan horse Cryptic.CH";"Infected"

"C:\Users\HP\AppData\Local\Temp\oeqvorps.exe";"Trojan horse Crypt.QOA";"Infected"

What gives?

[Nicdain]

Same here. When on the home page, it asks me to save an .exe file

[Sergei]

I guess we'll need someone to install it and see what happens?

(Don't do that. Let's hope that someone from the staff clears things up fast.)

[Bertram]

See also the general discussion.

[Sivodsi]

The BFT site looks kind legit, if you can get there without the thing asking you to download

[Moon]

Yes, the main page was infected by code injection. Whatever you do, DO NOT EXECUTE THIS CLIENT. It is not from Battlefront.com. We are working on resolving the issue.

[Moon]

Yes, same here.

I get a nice e-mail from newsletter@battlefront.com about a client, and I go to the link which downloads a file from the repository which sets off my virus checkers, which give me the following alarming message:

"C:\Users\HP\AppData\Local\Temp\gsdcak.exe";"Trojan horse Downloader. Generic9. BFTQ"; "Infected"

"C:\Users\HP\AppData\Local\Temp\nnae.exe";"Trojan horse Cryptic.CH";"Infected"

"C:\Users\HP\AppData\Local\Temp\oeqvorps.exe";"Trojan horse Crypt.QOA";"Infected"

What gives?

That email does not originate from us. It's easy to fake a sender address unfortunately

[Matchstick]

Moon,

I'm afraid to say that I think the email did originate from Battlefront rather than just having a faked sender address.

This is the header of the email I received (if you would like a copy of the unredacted header or the full SMTP session log from my mail server please let me know)

From - Tue Mar 23 12:59:20 2010

X-Account-Key: account2

X-UIDL: 2VWY65Q.CNM3C772A49

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

X-Mozilla-Keys:

Received: from spooler by redacted.com (Mercury/32 v4.72); 23 Mar 2010 12:53:58 -0000

X-Envelope-To: <redacted@redacted.com>

Return-path: <SRS0=c5ac8e96f672fac7a2880cc597f443fe26ee986c=355=battlefront.com=bounce@battlefront.com>

Received: from mail.battlefront.com (216.121.6.209) by Mercury SMTP Server (smtp.redacted.com) (Mercury/32 v4.72) with ESMTP

ID MG0000F0 (Using SSL/TLS, 3DES, CBC mode, keysize 192 bits) ; 23 Mar 2010 12:53:47 -0000

Received: from www.battlefront.com (mail.battlefront.com [216.121.6.209])

by mail.battlefront.com (Battlefront.com Mail Server) with ESMTP id FPY03252

for <redacted@redacted.com>; Tue, 23 Mar 2010 06:53:52 -0600

Date: Tue, 23 Mar 2010 06:53:51 -0600

To: Paul Redacted <redacted@redacted.com>

From: Battlefront Newsletter <newsletter@battlefront.com>

Subject: We are proudly presenting new update client for all games from battlefront for FREE.

Message-ID: <33263b74e9603f47ff06263526fdb143@www.battlefront.com>

X-Priority: 3

X-Mailer: PHPMailer [version 1.73]

X-Mailer: SM2 Email Marketing

X-SM2MessageID: 227

Precedence: bulk

X-SM2Recipient: redacted@redacted.com

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="b1_33263b74e9603f47ff06263526fdb143"

The relavent line is

Received: from mail.battlefront.com (216.121.6.209) by Mercury SMTP Server (smtp.redacted.com) (Mercury/32 v4.72) with ESMTP

ID MG0000F0 (Using SSL/TLS, 3DES, CBC mode, keysize 192 bits) ; 23 Mar 2010 12:53:47 -0000

This indicates that the IP address of the server that actually sent the message to my mail server is 216.121.6.209 which is the same IP address as www.battlefront.com (and also the address I've receieved other Battlefront mail from) which, I'm afraid, makes me think that there's something more here going on than just a hack of the front page.

Can I also suggest that the download that the email points to http://www.battlefront.com/products/battlefront_client.exe

is, as a matter of urgency, replaced with a webpage that details what Battlefront know about what has happened and what they are doing to investiage.

[Moon]

I'm no expert but I believe that headers can be faked, too. However, like I said, we're investigating.

[birdstrike]

Wow, good thing I did check the forums first. The mail smelled kinda fishy - lucky me.

[BFCElvis]

I'm no expert but I believe that headers can be faked, too. However, like I said, we're investigating.

You might want to send out a warning email ASAP for people that haven't looked here.

[Moon]

The file is not accessible anymore (it was only for about an hour).

Martin

[DJ-Hazard]

Talking to late !

is to late i get the virus on 14:26 PM MEZ

my system is total crashed i rescued some files and install now a backup image !

EVERY ONE TAKE CARE THIS VIRUS IS IMMORTAL HE TAKES DOWN SYMANTEC ANTIVIRUS in just a sec and it is the Virtual WMD :-)