Texture Cache Virus

[outtaspace]

Ive seen a couple of threads like this recently, tonight my virus checker (mcaffee) quaranteed a virus in the SL texture cache too.

Virus name: VPP.728

I was just out exploring SL, looking around a new place ive never been before then a virus alert pops up..

ETA: i found the texture UUID in the quarantined folder..

3f8de024-1166-fea6-8ace-43fee5c5db83.texture

i also just ive got a couple more of these from end of last year

 

Anyone else want to check it out, here is th SLURL

 http://maps.secondlife.com/secondlife/Zale/97/110/26

go down to the water and there is a platform with a big fire on it, last things i saw was the fire and the 2 arcade games before i got the alert

[Ted McGregor]

Most likely a false positive by your virusscanner. 

 

Could you tell us the exact filename containing the virus ? Delete the quarantined file.

 

Delete your SL cache and rescan your system again. Revisit the place and see if your virusscanner gets triggered again.

 

Hope you will let us know results from that.

 

ETA : Concerned virus infection :  http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=116084

 

ETA2 : Visited this place you suggested, went to the gambling machines and campfire and waited till everything in my sight was loaded. Quit the SL Viewer. Scanned cache folders immediately afterwards with Clam AV ( with current virusdefinitions ). In below image you can see said file residing in my texture cache folder.

 

Scanned files : 2060

Found threats : 0

 

[Janelle Darkstone]

I dropped by.  MSE didn't seem to pick up anything.  *shrug*

[outtaspace]

must just be mcaffee then, you got a very nice pic from it though

[161488303349]

bc like you say this been coming up on here quite a bit now. I done some research. like I open up a normal jpg file and a linden texture file in a hex editor

+

here is the jpg. can see that it have a JFIF header and is encoded with the jpeg format algo

 

 

+

here is the linden texture file. can see that it encoded differently by a linden custom encoding format algo which effectively produce "random" data output files

 

+

therefore can conclude that if anything ever was embedded in a standard jpg (or any other image format) and uploaded to SL then is going to end up being re-encoded into the linden format and stored on your hard disk

which means that the embed not going to be picked up by any virus scanning program bc of the randomize nature of the linden encoder

if a linden texture file is signaled as a virus then is a false positive and is not an actual virus or anything really. bc the linden texture file is just a bunch of random bytes to anything other than the linden texture decoder algo

 

[Janelle Darkstone]

Then again.... maybe it was the virus.  Or maybe even The Virus, seeing as how empty Second Life seems to be sometimes.  I honestly think the entire grid should be one big zombie shooting zone sometimes since you're more likely to encounter a bot zombie than a real, live person.

Here's what Real Life looks like:

Here's what Second Life looks like:

(aaaagghhh!!)

[Ansariel Hiller]

---

16 wrote:

therefore can conclude that if anything ever was embedded in a standard jpg (or any other image format) and uploaded to SL then is going to end up being re-encoded into the linden format and stored on your hard disk

which means that the embed not going to be picked up by any virus scanning program bc of the randomize nature of the linden encoder

if a linden texture file is signaled as a virus then is a false positive and is not an actual virus or anything really. bc the linden texture file is just a bunch of random bytes to anything other than the linden texture decoder algo

 

---

Of course the file format of textures downloaded by the viewer is different because they're in JPEG2000 format!

[161488303349]

---

Ansariel Hiller wrote:

---

16 wrote:

therefore can conclude that if anything ever was embedded in a standard jpg (or any other image format) and uploaded to SL then is going to end up being re-encoded into the linden format and stored on your hard disk

which means that the embed not going to be picked up by any virus scanning program bc of the randomize nature of the linden encoder

if a linden texture file is signaled as a virus then is a false positive and is not an actual virus or anything really. bc the linden texture file is just a bunch of random bytes to anything other than the linden texture decoder algo

 

---

Of course the file format of textures downloaded by the viewer is different because they're in JPEG2000 format!

---

yes

the OP question was how come the virus detection program signaled a linden texture file in the SL cache as being a virus. add: on his hard disk

 

[Ansariel Hiller]

---

16 wrote:

the OP question was how come the virus detection program signaled a linden texture file in the SL cache as being a virus. add: on his hard disk

 

---

Easy: False positive by crappy virus scanner!

[Perrie Juran]

---

Ansariel Hiller wrote:

---

16 wrote:

the OP question was how come the virus detection program signaled a linden texture file in the SL cache as being a virus. add: on his hard disk

 

---

Easy: False positive by crappy virus scanner!

---

It had been a while since I had looked at AV ratings.  While I do take the ratings with a grain of salt, the highest rating I could find for McAfee on a list was #7.   It didn't make the top ten on several!

[161488303349]

---

Ansariel Hiller wrote:

---

16 wrote:

the OP question was how come the virus detection program signaled a linden texture file in the SL cache as being a virus. add: on his hard disk

 

---

Easy: False positive by crappy virus scanner!

---

yes

my entire research effort consist of open up the two dif types of files with a hex editor and post a pic of each

then make a explanation of the process that linden uses to store cached image files. sometimes pics makes it easier to follow. for people who dunno about these kinda things

hopefully if it happens again to someone else who read this thread they will go ok and not worry about it to much. if they get a false positive in the same way from their virus scanner

+

is actual quite rare for a virus scanner program to chuck up a warning on these bc most programs/files etc have a recognized format. if randomize tho then is possible to create collisions. while rare they do happen

can see the collisions works the same way as Lotto. chances of winning the zillion dollar lotto prize is even more zillion times to 1. but play long enough then someone somewhere will eventually win it

 

 

 

 

[GothGirl Demonia]

This could be a false postive due to the fact certain microsoft install programs like redist have similar codes when installing it tends to install to a random disk drive with a number like such so some virsus use long ID's and maybe the coding or the ID matches a defintion in the antivirus.

You can freely clear your cache though although I am not sure texture virsus can spread through SL I would avoid using Media, or Browsing websites in Second Life just to be safe.

A few peeps I know of say virus can spread through .JPG files and such however not sure its true but if it is its best to watch what you save on your pc from the internet for example.

[Amie Kaestner]

Can you use a hex editor to view textures? Do those numbers and letters represent all the colours that make up the image?

[Phil Deakins]

You can use a hex editor to viewer any type of file because all files are made up of "those numbers and letters".

They are actually all numbers. Hex (hexadecimal) is a number system that is 16 based. The decimal number system is 10 based:- 0 1 2 3 4 5 6 7 8 9 - 10 of them before returning to 0 - ... 7 8 9 10 11 12 etc. Hexadecimal is 0 1 2 3 4 5 6 7 8 9 A B C D E F - 16 of them before retunring to 0 - ... 7 8 9 A B C D E F 10 11 12 etc. A to F are used as numbers.

[161488303349]

---

Amie Kaestner wrote:

Can you use a hex editor to view textures? Do those numbers and letters represent all the colours that make up the image?

---

a hex editor lets you look at any file. the numbers are the base16 representation of the encoding of the data and structure of the bytes in it

you kinda have to know what the numbers/chars mean for each type of file. files say like jpeg or png or word docs etc all have a header at the start. so it can be read by a program designed to do this. like Office or Paintshop, etc

the images I show before I screencap off this hex editor. the Neo free one

http://www.hhdsoftware.com/

some professional hex editors are quite smart. they can recognize the types of files and show them in source form. like display in sections. with textual descriptions of each section depending on the file format

 

[Dillon Levenque]

Despite years of fooling around dealing with number systems based on powers of 2, until I saw Phil's post just above yours I never realized that might have been significant in your current name choice. But given that, shouldn't you use Fiona or Felicity for a display name? Or do you have special powers that allow you to overlook certain inconsistencies, like the TPC/IP guys:

 

TCP/IP: An IP address of 192.168.0.001 with a subnet mask of 255.255.255.0 indicates that there are 256 addresses beginning with 192.168.0. that can communicate with the device at 192.168.0.001.

Student: Why do you say 256? You meant 255, right?

TCP/IP: Are you asleep? Did you forget zero is a number? There are 256 numbers from zero to 255 inclusive. PAY ATTENTION!

TCP/IP: Now then. Suppose that we change the subnet mask. We'll change it to 255.255.255.252. NOW how many addresses are available that can commincate with the device at 192.168.0.001?

Student: 3

TCP/IP: Have you learned nothing? The correct answer is 4. 256 minus 252 equals 4.

Student: It's not 256 minus 252. You wrote it yourself. It's 255 minus 252.

TCP/IP: It's just written as 255. Anyone with half a brain would realize that really means 256. Unless you start subtracting numbers. Then it all changes.

Student: Who do I have to sleep with to get a Drop from this class?

 

Edited to change the starting address to make the rest at least halfway relevant

 

[161488303349]

---

Dillon Levenque wrote:

 do you have special powers that allow you to overlook certain inconsistencies, like the TPC/IP guys:

 

Student: It's not 256 minus 252. You wrote it yourself. It's 255 minus 252.

TCP/IP: It's just written as 255. Anyone with half a brain would realize that really means 256. Unless you start subtracting numbers. Then it all changes.

 

---

yes i am special. q; (:

 

but not like TCP Person. I am agree with Student Person. i want to drop out as well

bc is 255+1 - 251+1

is clear as muddy creek this kinda arithmetic. but is how can easy make like a zillion dollars an hour. just invent some funny ways of doing stuff and pretend. then charge heaps for deconfuzzle service (:

 

 

[Perrie Juran]

---

16 wrote:

---

Dillon Levenque wrote:

 do you have special powers that allow you to overlook certain inconsistencies, like the TPC/IP guys:

 

Student: It's not 256 minus 252. You wrote it yourself. It's 255 minus 252.

TCP/IP: It's just written as 255. Anyone with half a brain would realize that really means 256. Unless you start subtracting numbers. Then it all changes.

 

---

yes i am special. q; (:

 

but not like TCP Person. I am agree with Student Person. i want to drop out as well

bc is 255+1 - 251+1

is clear as muddy creek this kinda arithmetic. but is how can easy make like a zillion dollars an hour. just invent some funny ways of doing stuff and pretend. then charge heaps for deconfuzzle service (:

 

 

---

next question?