Replies: 18, Viewed: 857 times.
#1
9th Mar 2024 at 10:57 AM
Last edited by FuryCat : 9th Mar 2024 at 1:28 PM.
Infected File Problem
Hello, a very weird and unlikely problem with my upload "PaJama Jam" showed up yesterday.
A user reported one of the files displayed a message about the zip having a virus. I was confused as the file was clean before I uploaded it. I redownloaded the possibly infected file again and surely enough, the same message of "Virus Detected" showed up. I resumed to see what the malicious file was, and immediately Windows Defender notified of a bizarre file named "wacatac.b!ml" which had a severe level. I quarantined the file and removed it as soon as possible then searched for information about the suspicious file. I was surprised to find that this file can be both a false positive and a real virus, and people have seen it in zip files they archived themselves. I believe I'm not in danger as I quarantined and removed the file, but what gets me is how that file managed to sneak in. I did not have it before as Windows Defender would have warned me.
Now here's the part where I connected the parts: I was having problems with the upload wizard, server error 0's mainly. But I don't believe that would be the issue. But how would the weird file go in if the upload was entirely clean? I did read someone had had that file with another zip file, that they made themselves as I said. I'm just suspecting something could have happened during the uploading. I feel like that is the primary source that the file had gotten infected with that. The zip that I uploaded was fine, but the MTS one was infected with the 'virus'. Anyone have any ideas?
#2
9th Mar 2024 at 12:47 PM
Okay so according to the files on server they only contain .package files:
Code:
Type = 7z
Physical Size = 234917
Headers Size = 206
Method = LZMA2:384k
Solid = +
Blocks = 1

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2024-03-04 11:42:03 ....A       179604       234711  5fa20d12_PajamaJam1.package
2024-03-04 12:12:49 ....A       152632               5fc92b0c_PajamaJam2.package
------------------- ----- ------------ ------------  ------------------------
2024-03-04 12:12:49             332236       234711  2 files
Code:
Type = 7z
Physical Size = 151261
Headers Size = 162
Method = LZMA2:192k
Solid = -
Blocks = 1

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2024-03-04 11:42:03 ....A       179604       151099  5fa20d12_PajamaJam1.package
------------------- ----- ------------ ------------  ------------------------
2024-03-04 11:42:03             179604       151099  1 files
So this indicates that the files on the MTS server are correct in that there are no exe files or anything. I suspect that it's actually Windows Defender being totally dumb (see other reports: https://www.reddit.com/r/antivirus/...in32wacatacbml/ )
Indeed, I cannot download it in Chrome, but I can download in linux and examine the file:
Code:
Path = getfile.php?file=2211408&v=1709834133
Type = 7z
Physical Size = 234917
Headers Size = 206
Method = LZMA2:384k
Solid = +
Blocks = 1

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2024-03-04 16:42:03 ....A       179604       234711  5fa20d12_PajamaJam1.package
2024-03-04 17:12:49 ....A       152632               5fc92b0c_PajamaJam2.package
------------------- ----- ------------ ------------  ------------------------
2024-03-04 17:12:49             332236       234711  2 files
My guess is that it's a false positive. It's triggering on *something* inside the .7z file, but it's a regular .package (as the Information tab on the download shows) so should be fine in the sense of nothing can get executed.
This also happens with:
https://db.modthesims.info/d/682865...-m-outfits.html and
https://db.modthesims.info/d/682480...emale-sims.html and
https://db.modthesims.info/d/682640...ed-outfits.html
But only to the BeltedCoat on the last one.
Running a clamav virus scan in Linux shows me 0 viruses:
Code:
root@fileserver:~/tmp# ls -latr
total 568
-rw-r--r-- 1 root root 179604 Mar  4 16:42 5fa20d12_PajamaJam1.package
-rw-r--r-- 1 root root 152632 Mar  4 17:12 5fc92b0c_PajamaJam2.package
-rw-r--r-- 1 root root 234917 Mar  7 17:55 AllPajamas.7z
root@fileserver:~/tmp# /usr/bin/clamscan *
/root/tmp/5fa20d12_PajamaJam1.package: OK
/root/tmp/5fc92b0c_PajamaJam2.package: OK
/root/tmp/AllPajamas.7z: OK

----------- SCAN SUMMARY -----------
Known viruses: 8686298
Engine version: 0.103.10
Scanned directories: 0
Scanned files: 3
Infected files: 0
Data scanned: 0.89 MB
Data read: 0.54 MB (ratio 1.66:1)
Time: 14.716 sec (0 m 14 s)
Start Date: 2024:03:09 12:46:06
End Date:   2024:03:09 12:46:20
So nothing sneaked in while uploading, it's just *something* inside those package files is triggering Windows Defender.
Story books are full of fairy tales, of Kings and Queens, and the bluest skies.
#3
9th Mar 2024 at 12:52 PM
Also this upload https://db.modthesims.info/d/682480...emale-sims.html
Only the first file there says it has a virus. All the rest are fine.
Are you using some weird compressorizer or something? The package files seem fine though since the site is able to read them for the Information tab. I also checked other creators who have recently uploaded and all of the other stuff is fine. It's only your stuff, but not all of it.
Story books are full of fairy tales, of Kings and Queens, and the bluest skies.
#4
9th Mar 2024 at 12:59 PM
Quote: Originally posted by Tashiketh
Okay so according to the files on server they only contain .package files:
Code:
Type = 7z
Physical Size = 234917
Headers Size = 206
Method = LZMA2:384k
Solid = +
Blocks = 1

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2024-03-04 11:42:03 ....A       179604       234711  5fa20d12_PajamaJam1.package
2024-03-04 12:12:49 ....A       152632               5fc92b0c_PajamaJam2.package
------------------- ----- ------------ ------------  ------------------------
2024-03-04 12:12:49             332236       234711  2 files
Code:
Type = 7z
Physical Size = 151261
Headers Size = 162
Method = LZMA2:192k
Solid = -
Blocks = 1

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2024-03-04 11:42:03 ....A       179604       151099  5fa20d12_PajamaJam1.package
------------------- ----- ------------ ------------  ------------------------
2024-03-04 11:42:03             179604       151099  1 files
So this indicates that the files on the MTS server are correct in that there are no exe files or anything. I suspect that it's actually Windows Defender being totally dumb (see other reports: https://www.reddit.com/r/antivirus/...in32wacatacbml/ )
Indeed, I cannot download it in Chrome, but I can download in linux and examine the file:
Code:
Path = getfile.php?file=2211408&v=1709834133
Type = 7z
Physical Size = 234917
Headers Size = 206
Method = LZMA2:384k
Solid = +
Blocks = 1

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2024-03-04 16:42:03 ....A       179604       234711  5fa20d12_PajamaJam1.package
2024-03-04 17:12:49 ....A       152632               5fc92b0c_PajamaJam2.package
------------------- ----- ------------ ------------  ------------------------
2024-03-04 17:12:49             332236       234711  2 files
My guess is that it's a false positive. It's triggering on *something* inside the .7z file, but it's a regular .package (as the Information tab on the download shows) so should be fine in the sense of nothing can get executed.
This also happens with:
https://db.modthesims.info/d/682865...-m-outfits.html and
https://db.modthesims.info/d/682480...emale-sims.html and
https://db.modthesims.info/d/682640...ed-outfits.html
But only to the BeltedCoat on the last one.
Running a clamav virus scan in Linux shows me 0 viruses:
Code:
root@fileserver:~/tmp# ls -latr
total 568
-rw-r--r-- 1 root root 179604 Mar  4 16:42 5fa20d12_PajamaJam1.package
-rw-r--r-- 1 root root 152632 Mar  4 17:12 5fc92b0c_PajamaJam2.package
-rw-r--r-- 1 root root 234917 Mar  7 17:55 AllPajamas.7z
root@fileserver:~/tmp# /usr/bin/clamscan *
/root/tmp/5fa20d12_PajamaJam1.package: OK
/root/tmp/5fc92b0c_PajamaJam2.package: OK
/root/tmp/AllPajamas.7z: OK

----------- SCAN SUMMARY -----------
Known viruses: 8686298
Engine version: 0.103.10
Scanned directories: 0
Scanned files: 3
Infected files: 0
Data scanned: 0.89 MB
Data read: 0.54 MB (ratio 1.66:1)
Time: 14.716 sec (0 m 14 s)
Start Date: 2024:03:09 12:46:06
End Date:   2024:03:09 12:46:20
So nothing sneaked in while uploading, it's just *something* inside those package files is triggering Windows Defender.
I had NO idea that this has happened to others of my uploads. I have read thousands of reddit posts that say how wacatac is a really common false positive. I'm curious how this happened and what is triggering Windows Defender to freak out.
I'm guessing they're all safe and people can download them, as long as they resume the download?
I checked the package files, but it's all really normal. Does Chrome freak out with the other files too? I'm curious to know as no one reported this issue.
#5
9th Mar 2024 at 1:03 PM
Quote: Originally posted by Tashiketh
Also this upload https://db.modthesims.info/d/682480...emale-sims.html Only the first file there says it has a virus. All the rest are fine. Are you using some weird compressorizer or something? The package files seem fine though since the site is able to read them for the Information tab. I also checked other creators who have recently uploaded and all of the other stuff is fine. It's only your stuff, but not all of it.
I'm really only using 7zip. I haven't done anything weird to the zip files. I'm really weirded out about this.
#6
9th Mar 2024 at 1:11 PM
Last edited by Tashiketh : 9th Mar 2024 at 1:25 PM.
For all of the uploads I reported Chrome does not allow download of the files I indicated. So yeah it's a really common false positive.
If I look inside one of the package files I see:
Code:
(venv) root@fileserver:~/tmp# dbpf l 5fa20d12_PajamaJam1.package
DBPF: v1.2 | Index: v7.2, 7 entries @ 0x2bcec, size 168 bytes | Game: The Sims 2 (TS2) | HiInstance: True
Holes: 3
key                                  name  size       truesize   offset     compression
------------------------------------ ----- ---------- ---------- ---------- ------------------------------
0C560F39::5FA20D12::0000000100000000 BINX  130        193        178758     CompressionType.CHECK
AC506764::5FA20D12::0000000100000000 SKIN  124        124        178972     CompressionType.NONE
53545223::5FA20D12::0000000100000000 STR#  25         83         178938     CompressionType.CHECK
EBCF3E27::5FA20D12::0000000100000000 GZPS  399        690        531        CompressionType.CHECK
49596978::5FA20D12::FF55B1A07FB7C73C TXMT  366        550        96         CompressionType.CHECK
E86B1EEF::E86B1EEF::286B1F0300000000 DIR   100        100        179336     CompressionType.NONE
1C4A276C::5FA20D12::FF1853FC5A1680BD TXTR  177810     1048722    939        CompressionType.CHECK
Interestingly enough, if I extract them in Linux and manually copy the .package files to Windows, they scan fine:
So this indicates it's the actual .7z. If you make them .zip then it works fine. (I attached a .zip file of the AllPajamas.7z and it can be downloaded fine)
Edit to add: Added a .7z version
Okay so yeah the .7z version is definitely the culprit, not the package files inside. (See the attached .7z for proof)
You should recompress them all as .zip and it'll work fine!
Attached files:
AllPajamas.zip (276.8 KB, 1 download)
AllPajamas.7z (229.5 KB, 3 downloads)
Story books are full of fairy tales, of Kings and Queens, and the bluest skies.
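A defender-side version of the checks in posts #2 and #6, added here as an example and not code from the thread or from MTS: it labels each archive member by its leading bytes rather than its extension, parses the DBPF header fields that the `dbpf l` listing reports, and compares the uploaded and served copies member by member, which is the question the original post actually asks. It works on .zip (the format the thread settles on) with only the standard library; the DBPF 1.x header layout and the constructed sample packages are assumptions, not taken from the thread.

```python
import hashlib
import io
import struct
import zipfile

# Leading-byte signatures: the expected package magic plus payloads that should
# never appear in a CC archive. File extensions are deliberately not trusted.
MAGIC = {
    b"DBPF": "dbpf-package",
    b"MZ": "windows-executable",
    b"PK\x03\x04": "nested-zip",
    b"7z\xbc\xaf\x27\x1c": "nested-7z",
}

def classify(data: bytes) -> str:
    """Label a member by its first bytes, not by its file name."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"

def dbpf_summary(data: bytes) -> dict:
    """Parse the 96-byte DBPF 1.x header (TS2 layout, assumed from the public
    format description, not from the thread) into the fields 'dbpf l' reports."""
    if len(data) < 96 or data[:4] != b"DBPF":
        raise ValueError("not a DBPF package")
    major, minor = struct.unpack_from("<II", data, 4)
    idx_major, count, idx_off, idx_size, holes = struct.unpack_from("<5I", data, 0x20)
    if idx_off + idx_size > len(data):
        raise ValueError("index lies past end of file: truncated or corrupt")
    return {"version": f"{major}.{minor}", "index_major": idx_major, "entries": count,
            "index_offset": idx_off, "index_size": idx_size, "holes": holes}

def audit_zip(blob: bytes) -> list:
    """One record per member: name, kind, sha256 and, for packages, the parsed
    header. Anything that is not a well-formed DBPF package is flagged."""
    report = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            kind = classify(data)
            rec = {"name": info.filename, "kind": kind,
                   "sha256": hashlib.sha256(data).hexdigest(),
                   "suspicious": kind != "dbpf-package"}
            if kind == "dbpf-package":
                try:
                    rec["header"] = dbpf_summary(data)
                except ValueError as exc:
                    rec["suspicious"], rec["error"] = True, str(exc)
            report.append(rec)
    return report

def same_contents(local_blob: bytes, served_blob: bytes) -> bool:
    """The uploader's real question: did anything change between the archive on
    disk and the copy served back? Per-member digests survive a server repack."""
    def members(blob):
        return {(r["name"], r["sha256"]) for r in audit_zip(blob)}
    return members(local_blob) == members(served_blob)

def fake_package(entries: int) -> bytes:
    """Constructed sample: DBPF 1.2 header plus a zeroed index of 24-byte
    (index 7.2) entries. Only the header fields parsed above are meaningful."""
    idx_size = entries * 24
    header = bytearray(96)
    header[:4] = b"DBPF"
    struct.pack_into("<II", header, 4, 1, 2)
    struct.pack_into("<5I", header, 0x20, 7, entries, 96, idx_size, 0)
    return bytes(header) + bytes(idx_size)

def build_zip(members: dict) -> bytes:
    """Repack members as a plain .zip, the workaround the thread settles on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

A member that is flagged here is a real finding to look at; a clean report combined with a Defender `!ml` verdict is the false-positive pattern the thread describes, and ClamAV (as in post #2) gives an independent second opinion.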
#7
9th Mar 2024 at 1:27 PM
Quote: Originally posted by Tashiketh
For all of the uploads I reported Chrome does not allow download of the files I indicated. So yeah it's a really common false positive.
If I look inside one of the package files I see:
Code:
(venv) root@fileserver:~/tmp# dbpf l 5fa20d12_PajamaJam1.package
DBPF: v1.2 | Index: v7.2, 7 entries @ 0x2bcec, size 168 bytes | Game: The Sims 2 (TS2) | HiInstance: True
Holes: 3
key                                  name  size       truesize   offset     compression
------------------------------------ ----- ---------- ---------- ---------- ------------------------------
0C560F39::5FA20D12::0000000100000000 BINX  130        193        178758     CompressionType.CHECK
AC506764::5FA20D12::0000000100000000 SKIN  124        124        178972     CompressionType.NONE
53545223::5FA20D12::0000000100000000 STR#  25         83         178938     CompressionType.CHECK
EBCF3E27::5FA20D12::0000000100000000 GZPS  399        690        531        CompressionType.CHECK
49596978::5FA20D12::FF55B1A07FB7C73C TXMT  366        550        96         CompressionType.CHECK
E86B1EEF::E86B1EEF::286B1F0300000000 DIR   100        100        179336     CompressionType.NONE
1C4A276C::5FA20D12::FF1853FC5A1680BD TXTR  177810     1048722    939        CompressionType.CHECK
Interestingly enough, if I extract them in Linux and manually copy the .package files to Windows, they scan fine:
So this indicates it's the actual .7z. If you make them .zip then it works fine. (I attached a .zip file of the AllPajamas.7z and it can be downloaded fine)
Edit to add: Added a .7z version
Hmm, this is pretty weird. I suppose every time I upload something I'll compress it to zip. I still don't know why 7z is being weird and causing Windows Defender to scream about it. I guess this is solved. Will I have to re-zip all affected downloads?
#8
9th Mar 2024 at 1:28 PM
Yes, you'll have to re-zip all of the affected ones. I don't know why .7z is doing it either, but since it's also when I compress it to .7z it means it's nothing you did specifically. It's just a weird oddity.
Story books are full of fairy tales, of Kings and Queens, and the bluest skies.
#9
9th Mar 2024 at 2:06 PM
Last edited by FuryCat : 9th Mar 2024 at 2:21 PM.
Quote: Originally posted by Tashiketh
Yes, you'll have to re-zip all of the affected ones. I don't know why .7z is doing it either, but since it's also when I compress it to .7z it means it's nothing you did specifically. It's just a weird oddity.
If I use the 7zip compressor program but change the file extension to .zip, will that fix the problem? Or will I have to change compressing programs altogether?
Edit: Actually, whenever I download an affected file it seems to be fine. I tried downloading the BeltedCoat outfit and also the Artsy Like You tops but they don't craze Chrome nor Windows Defender.
#10
9th Mar 2024 at 9:36 PM
You can't just change the file extension manually, but if you right click the package files, then select 7-Zip, then Add to "blahblah".zip then it'll make an actual .zip file and be fine.
Or just use the built-in Windows compression and use it that way.
Story books are full of fairy tales, of Kings and Queens, and the bluest skies.
#11
10th Mar 2024 at 8:13 AM
Last edited by FuryCat : 10th Mar 2024 at 9:29 AM.
Quote: Originally posted by Tashiketh
You can't just change the file extension manually, but if you right click the package files, then select 7-Zip, then Add to "blahblah".zip then it'll make an actual .zip file and be fine. Or just use the built-in Windows compression and use it that way.
Yeah, that's what I meant, sorry for not phrasing it correctly. I couldn't find the Windows compression so I'll stick to the 7zip method.
I'm confused as Chrome now allows me to download the affected files including the most problematic one and Windows Defender doesn't notify me of anything. This is all really bizarre.
#12
10th Mar 2024 at 2:01 PM
Posts: 546
Thanks: 58402 in 142 Posts
Just coming to report the same problem on my latest update: https://modthesims.info/d/588966/al...24-updated.html
It is also a 7zip and it got me worried since I'm on a Mac: no reason to have that kind of file. I've tried looking for it in hidden files, it is not even showing up.
Someone suggested my account might have been hacked and the 7zip swapped with a corrupted one.
Obviously, Chrome lets me download the file: never seen Chrome stop me from downloading anything, not sure we have that protection on Mac (or it is rarely triggered?)
Edit: I did not remove the 7zip (in case anyone wants to make some tests) and uploaded a zip of the exact same folder...
I make sims worlds ... can you believe it ?
#13
10th Mar 2024 at 2:08 PM
Last edited by FuryCat : 10th Mar 2024 at 3:14 PM.
Quote: Originally posted by Blackgryffin
Just coming to report the same problem on my latest update: https://modthesims.info/d/588966/al...24-updated.html It is also a 7zip and it got me worried since I'm on a Mac: no reason to have that kind of file. I've tried looking for it in hidden files, it is not even showing up. Someone suggested my account might have been hacked and the 7zip swapped with a corrupted one. Obviously, Chrome lets me download the file: never seen Chrome stop me from downloading anything, not sure we have that protection on Mac (or it is rarely triggered?)
Is the virus wacatac? I've seen it's really common this month or so. If you go to the antivirus subreddit there are people asking for help with this stupid wacatac file. It's more than often a false alarm. I still don't know why 7z triggers this problem, but just change the files to zip and it will work.
Chrome too allows me to download affected files for some reason. It's all very weird.
-------------
To creators:
If you have this problem, it's not your fault. It's not something you did, it is a weird oddity that happens with 7zip, and it can happen to any file (it has been reported by users who made apps themselves and had their antivirus notify them of it). Chances are, a file called wacatac is probably what your antivirus will say it is. This is probably not harmful as you made the file yourself.
Inform people by putting up a notice in your upload's description!! This is important. Inform your downloaders that this is NOT dangerous and that once the 7z files have been replaced with zip, they can safely download and that this is a false alarm.
Replace all the 7z files with zip files. The primary culprit is 7z. zip files work fine and alleviate the issue.
Test your old upload by redownloading it. This will not always work and Chrome may allow you to download it, but if it says virus detected then it's the false positive wacatac file.
Make a habit of compressing your files into zip instead of 7z. This will save you time obviously from replacing the files again and again.
If you are still scared, run a full scan on your PC. It's probably only a false alarm. Wacatac is an incredibly common false positive: If you tested and downloaded the affected file, just quarantine and remove it right away and you'll be safe.
To downloaders:
If you download something and it says virus detected, here's what to do:
Inform the creator kindly and do not resume the download. Do not blame them for this, this isn't a virus and 7z is the actual problem. We still don't know why 7z causes this but it's certainly not the creator's fault.
Link to this thread in the feedback comment you will make. This thread can be helpful to those who have this issue.
Lab Assistant
#14
23rd Mar 2024 at 4:28 PM
Posts: 105
Thanks: 636 in 23 Posts
This issue also affects '.zip' and '.rar' files. Converting the zip format itself doesn't work at all.
An update of MS Defender patterns seems to help or make the situation even worse.
With Firefox one should be able to download such files.
#15
23rd Mar 2024 at 5:05 PM
@o19 To me, it doesn't happen anymore, and this is why I don't understand this issue. It's weird considering sometimes it works, sometimes it doesn't.
Have you got an upload which displays a false positive notification and it's not 7zip?
Lab Assistant
#16
24th Mar 2024 at 1:29 AM
Posts: 105
Thanks: 636 in 23 Posts
I still have the '.rar' file and it downloads without any issues now. It contains only three plain Python files (not compiled), nested quite deep into sub folders. Anyhow I can't share the file.
The things which change daily on Windows are the Defender patterns, so I suspect that MS added patterns which have matched way too much.
#17
24th Mar 2024 at 10:17 AM
Quote: Originally posted by o19
I still have the '.rar' file and it downloads without any issues now. It contains only three plain Python files (not compiled), nested quite deep into sub folders. Anyhow I can't share the file. The things which change daily on Windows are the Defender patterns, so I suspect that MS added patterns which have matched way too much.
The "virus" is marked "!ml" which means windows marked it as a trojan based on its machine learning, so it's very possible this happened.
This happens with Python files commonly; if you search for this on reddit you'll find people who made Python files themselves that, when they downloaded them, got marked with this exact same "trojan" without having anything in them.
Test Subject
#18
4th Apr 2024 at 10:22 AM
Posts: 1
I checked the package files, but it's all really normal. Does Chrome freakout with the other files too? I'm curious to know as no one reported this issue.
#19
4th Apr 2024 at 12:24 PM
Last edited by FuryCat : 7th Apr 2024 at 9:09 AM.
Quote: Originally posted by flaxzune
I checked the package files, but it's all really normal. Does Chrome freakout with the other files too? I'm curious to know as no one reported this issue.
There is (was?) a virus called "wacatac.b!ml" which Windows falsely identifies archives as having. There appear to be quite a lot of variations from wacatac.h!ml to wacatac.g!ml. The !ml suffix means that Windows identified it using its machine learning only, which also means it can just be a false alarm which ALSO happened in this case. Confusing, right?
We thought it was only happening with 7zip but it appears to happen to all archives but not every time. I tried downloading one of my past affected files and it did not happen.
Wacatac IS a real virus. It is a trojan BUT it is very easy for Windows to get confused on this because the virus probably uses similar things with archives. If you search wacatac up you will see cases of it. I am assuming this is a new one as people report having it now.
Because MTS needs archive files, there is of course the chance of windows falsely accusing the files of having it.
Chrome and all browsers will freak out with these but only sometimes; the problem does not occur now, at least for me, which I am saying for only me as there have been recent issues with this.
Criteria for false or true wacatac:
True wacatac: Does not leave if attempted to be quarantined and removed.
False wacatac: Gets removed if attempted to quarantine and remove.
In some cases, this is the opposite. The true virus leaves and the false virus stays, but it was different from me.
Here is a post about it: https://answers.microsoft.com/en-us...94-625a3402d26a