View Poll Results: Is this the first found addon viral thread that has examples?
yes 2 28.57%
no 5 71.43%
Voters: 7.

07-24-07, 09:51 AM   #1
Lieandra
A Deviate Faerie Dragon
Join Date: Jun 2007
Posts: 10
Recount Addon Virus ??

Scenario:

I play WoW on 2 computers (one at home and one at work). Since I do most of my addon updating at home, I tend to eMail the interface folder to myself at work. That helps me make sure that I have the same thing on both computers - hey, I'm a bit lazy too.

As I want to make sure that I receive the Zipped file at work, I eMail the file to both my Hotmail and Gmail accounts.

Well, at first I used very few addons, cartographer, mining, herbalism, etc.; and eMailing them to myself caused no problems.

But now I started using more addons - from WowAce.com - and have encountered a problem.

I went to work and attempted to download the interface zipped folder and hotmail blocked it as containing a virus.


So I came back home and scanned my WoW addons folder with Avast. Nothing showed as a virus. So I conducted a long process of file eMail elimination to figure it out. Meaning I took the files in the addons folder and divided them - subtracting the Blizzard addons into one group and my downloaded ones as another group. Checked to see what Hotmail said. Deleted the good non-virus zip file. Extracted and divided into two new zip files the attachment Hotmail said was viral.

I repeated the above process until I found the addon named "Recount" to be at fault.

Not being satisfied with just knowing what addon is showing on Hotmail as a virus, I did the same process of dividing and eMailing the contents of the Recount addon folder.

Within the Recount addon, I found the file that flags as a virus to Hotmail is a Targa image called "Line".

HotMail ScreenShot 02

(Locate the file in this tree sequence: "Your Drive Letter":\WoW\World of Warcraft\Interface\AddOns\Recount\libs\GraphTextures)

The file line.tga is the only one within recount that shows on Hotmail as viral. I was able to receive the file with no claim to be a virus on Gmail.

Curiosity as it is, I also eMailed the line.tga to a Yahoo account. Yahoo does not see this as a virus either.

So. My questions to you:

1. Is this Recount line.tga file a virus?
2. Has anyone ever encountered an addon being a virus?
3. If so: which ones?
4. How were you able to check and see that there is a Virus Addon (i.e. Avast does not recognize it as such, Gmail does not recognize it as such, but Hotmail does)?
5. What means of protection do you use in order to avoid getting a viral addon on your computer?

~Lie

Last edited by Lieandra : 07-24-07 at 09:55 AM.
07-24-07, 10:06 AM   #2
Seerah
Fishing Trainer
WoWInterface Super Mod
Featured
Join Date: Oct 2006
Posts: 10,860
Your hotmail is being stupid. Sorry that it put you through all that trouble.
__________________
"You'd be surprised how many people violate this simple principle every day of their lives and try to fit square pegs into round holes, ignoring the clear reality that Things Are As They Are." -Benjamin Hoff, The Tao of Pooh

07-24-07, 10:07 AM   #3
Siz
A Wyrmkin Dreamwalker
AddOn Author
Join Date: Nov 2006
Posts: 52
First of all, the file in question, line.tga is not actually a part of Recount, it is part of a library which Recount utilizes called GraphLib. In order to confirm your scanning result with Avast, I've scanned the Recount directory using McAfee VirusScan Enterprise 8.5.0i and everything turned up clean. I would guess that due to the volume of traffic it receives, Hotmail uses a very simple type of virus scanning technology for attachments, possibly simple enough that it only looks at file names.

I have a few recommendations:
  1. Use WowAceUpdater to update as many of your addons as it can both at home and at work.
  2. Disembed the Ace2 libraries which some of your addons (including Recount) are using so that you don't have libraries duplicated in each of the addon's "libs" folders. WowAceUpdater helps facilitate the process of disembedding, current versions will actually download most of the required dependencies for any addon that you update. You can also select the !!!StandaloneLibraries addon which contains a single copy of all well established libraries.

Regarding your questions:
1. Is this Recount line.tga file a virus?
Probably not.
2. Has anyone ever encountered an addon being a virus?
Personally, no. Addons themselves are mostly nothing more than text or images which are not executed in a manner that could be exploited by a virus.
3. If so: which ones?
Names of extremely popular addons such as KTM or CTRaid are often glued onto viruses in the hopes that this will help them spread. You have to be smart enough to catch these fakes.
4. How were you able to check and see that there is a Virus Addon
Antivirus software on your local machine can generally be trusted to detect viruses. You could browse through the .zip files that addons are distributed in and look for files with extensions like .exe, .pif, .scr that have no business in an addon. It is generally wise to avoid any .exe files that you encounter when downloading an addon, though some addons are distributed as "self-extracting" executables.
5. What means of protection do you use in order to avoid getting a viral addon on your computer?
Be smart. Download from trustworthy sites such as WowInterface.com which individually verifies (by a real person) each file uploaded to the site before it is made public.

Last edited by Siz : 07-24-07 at 10:19 AM.
07-24-07, 10:09 AM   #4
PathMaster
A Chromatic Dragonspawn
Join Date: Nov 2006
Posts: 175
I generally trust WowAce.

Hotmail is a PITA. They hate doing attachments. I use Avast myself, and while none of them are 100% fool-proof, Avast! has served me well for a long while.

I trust Gmail enough to say that it is ok.

False-positive then.
__________________
The best victory is when the opponent surrenders of its own accord before there are any actual hostilities...It is best to win without fighting.
Sun-tzu
07-24-07, 10:47 AM   #5
Layrajha
A Frostmaul Preserver
AddOn Author
Join Date: Mar 2006
Posts: 275
The extensions of the files you might find in your addon folders are usually:

.toc: a text file that gives wow information about what the addon is and what files to load

.lua: code

.xml: code of GUI elements mostly

.wav or .mp3: well, audio files

.tga or .blp: some textures

.txt: there can be a readme or a license


None of those files can be a problem when used by WoW. None of these files can be executed from Windows unless you rename them to an executable extension or specifically ask for them to be executed. Therefore, there cannot be a dangerous virus in addons that contain only those files: if there is one, it won't be able to do anything unless you strongly interact with the file.

However, there is still this story about "non virus files being dangerous":
Some time ago, someone created a virus that would basically wait until an image (.jpg only I think, I might be wrong) is opened. Upon opening the .jpg, it would read data that could have been hidden in the .jpg while creating the file, and if this data is executable, it would run it. That allowed the coding and broadcasting of new viruses through .jpg files. Those files were not harmful to a sane computer, but if you were already infected, they could do whatever their author wanted them to do, while they looked like any other image.
The thing is that those files aren't the real problem. If your computer is infected, there is already a problem, and you'll get one of those files one day or another, so...
My point is, don't mess too much with "non plain text" "non working sound or image" files in your addons, and nothing wrong will ever happen. Addons could be made to help a virus destroy your comp or send confidential data, but if they do, your computer was infected already.
07-25-07, 10:18 PM   #6
Lieandra
A Deviate Faerie Dragon
Join Date: Jun 2007
Posts: 10
My sincerest thanx.

I want to thank all of you for your responses. The viral information should have been obvious to me. But being new to the WoW scene - counting the addons - well... I really felt as if I was in uncharted waters.

Nevertheless, all of your responses are great. Including "Seerah's" response about hotmail. Not to mention you guys (girls) being addon users yourself and saying which sites you trust... well; that's also comforting to know.

I will stick with your recommendations.

Now I search for the WowAceUpdater to help me out some more. Here's hoping the learning curve is small!

Thank you again.

Ps: "Layrajha" - Thanks for the info on the .jpg compression. That was news to me.
__________________
~Lie
Shallow Shade Rogue
07-26-07, 06:55 AM   #7
Kaomie
A Scalebane Royal Guard
AddOn Author
Join Date: Jan 2007
Posts: 438
Although it may be a false positive in this case (Trend is probably matching a specific pattern that appears randomly in the binary content of the picture) this makes you wonder. You can never know if the graphic renderer in WoW is completely safe from specially crafted pictures injected with addons. There are vulnerabilities even in DX9 that could be exploited: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4183
Not much we can do in that case, just run an up-to-date antivirus with memory scanning and buffer overflow protection if possible.
__________________
Kaomie
"WE LOTS OF PEOPLE FROM STRONG SERVER GUILDS" - Trade Channel
07-26-07, 09:22 AM   #8
Gemini_II
A Molten Giant
AddOn Author
Join Date: May 2006
Posts: 762
Well, I'm going to really hope that Blizz doesn't run their servers on Windows machines, so theoretically they should be fairly "safe" from the GDI+ exploit (that's the JPG hack... also the name of the patch from Microsoft Update)... "Bugs get in through open Windows" so keep your 'puter patched.

I have seen and heard reports of many false-positives within Hotmail, so I would rely upon your local anti-virus solution. Biggest thing is don't download from a site you don't trust. If you are in doubt, don't touch it.

The LUA code itself is very very safe since it's plain text, but as Layrajha mentioned, it's the other files in an addon that could be infected. Specifically sound, image, and of course executables. Look for filesize... unless it includes sound files or is very large and comprehensive, most addons should be pretty small. ~500k or less usually.
__________________
Retired prior to 3.2, before all challenge was removed.
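
The checks suggested in this thread (Siz's list of extensions that have no business in an addon, Layrajha's list of usual addon file types, and Gemini_II's size rule of thumb), as an added example that is not part of any poster's message. The function names, the sample archive contents and the exact byte value used for "~500k" are assumptions made for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# File types Layrajha's post lists as normal addon content.
EXPECTED = {".toc", ".lua", ".xml", ".wav", ".mp3", ".tga", ".blp", ".txt"}
# Types Siz's post says have no business in an addon.
EXECUTABLE = {".exe", ".pif", ".scr"}
# Gemini_II's "~500k" rule of thumb; the exact byte count is an assumption.
SIZE_HINT = 500 * 1024


def audit_addon_zip(source):
    """Return (severity, member, reason) findings without extracting anything."""
    findings, total = [], 0
    with zipfile.ZipFile(source) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            total += info.file_size
            # Windows drops trailing dots and spaces when it creates the file,
            # so "x.scr. " lands on disk as "x.scr"; judge the name it will get.
            name = info.filename.replace("\\", "/").rstrip(". ")
            ext = PurePosixPath(name).suffix.lower()
            if ext in EXECUTABLE:
                findings.append(("high", info.filename, "executable file type"))
            elif ext not in EXPECTED:
                findings.append(("review", info.filename, "not a usual addon file type"))
    if total > SIZE_HINT:
        findings.append(("info", "<archive>", f"{total} bytes unpacked, above size hint"))
    return findings


def build_sample():
    """Constructed sample archive, built in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Recount/Recount.toc", "## Title: Recount\n")
        zf.writestr("Recount/libs/GraphTextures/line.tga", b"\x00" * 64)
        zf.writestr("Recount/install.exe", b"MZ")        # constructed, flagged
        zf.writestr("Recount/readme.txt.scr. ", b"MZ")   # constructed, flagged
        zf.writestr("Recount/notes.doc", b"x")           # constructed, review
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for finding in audit_addon_zip(build_sample()):
        print(*finding, sep=" | ")
```

Pass it the path of a downloaded addon .zip before unpacking it; a "review" or "info" finding only means the entry falls outside what the posters describe as typical, not that it is malicious.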
