Trojan horse virus found in SWL patch from Steam and during installation using install file from SWL website

Paranoid thought here - could your AV software be infected?

Pretty unlikely - if it were, it would be getting you to replace Word or something popular I think.

yeah, no:D i dont think that would’ve happened without my notice since i bought a completely new machine and installed everything fresh and licensed, and i specifically keep an eye out for such things with the new machine…daily full timed scans etc…if i check on my old machine (a laptop from 2016) which i still have, its infested because that was like a machine which i didnt care about and installed everything without caring about the alerts…and that is where i started playing SWL as well

Right now it’s not failing at the game exe. It’s failing when updating the patcher (I was installing from scratch). Did you send in your patcher executable as well?

Pretty sure I did, but you can safely whitelist it at this point. Which specific .exe is it flagging? I can try that one again.

Secret World Legends\PatcherSetup.exe.tmp for Trojan:Win32/Emotet!ibt .

Are you also sending in a “live version” (patched from running the actual install and patch process) or a locally built version? (I.e. the Version you are expecting to “send out”).

If the latter, a compromise of the patch servers (as has been happening to others lately like Solar Winds or Nox) is not out of the question. That is why I don’t feel 100% fine whitelisting.

(Also losing Lifetimer login bonuses until this is resolved :frowning: )

The versions I’ve sent are the plain clients, I don’t have some special version of the game at home. Is this the Steam version or our version?

This is your version. Fresh install, when the patcher tries to update itself the first time.

I just received new Defender stuffs and tried it again with the same result. Please note it’s not PatcherSetup.exe at the point it gets Quarantained, it’s PatcherSetup.exe.tmp.

Also, to reply to “I don’t have some special version of the game at home”, what I meant was that if the programmer handed you the version to pass on to microsoft directly it could be maliciously
changed once it’s gone through the patch process, and not that you got the version from installing the game normally. Since you wrote “at home” I’m assuming you’re sending on the Version that you get from normally installing and patching the game and not the exe itself that is put into your patch infrastructure which is the ideal way to do it.

Guy using Linux reading this thread

tenor

I can’t seem to reproduce the issue with the specific temp file cited; are you able to DM me and send me the file in question if possible? Either in a dropbox or google drive link or anything like that is fine.

edit: got a copy

1 Like

This is the base Funcom client (not Steam) from last week:

Now, the .tmp file appears to be different from the actual .exe, it looks like WD is flagging the temp file before the .exe is actually created as something and quarantining it (if you’re updating from an older version, for example).

Also just to be sure, I rescanned the file just now on the Microsoft submission page:

So if I can get a copy of the temp file maybe that will help?

edit: got a copy

1 Like

I got a copy of the .tmp file and submitted it. Hopefully we get a response soon!

edit:

:man_shrugging: Initial scan shows nothing. Maybe an analyst will find something more. Virustotal also shows the file is completely clean.

2 Likes

Should be good, hopefully!

2 Likes

Patching the patcher now worked, thank you. Hopefully the rest of the install will now go smoothly! :slight_smile:

Edit: Install worked without further issues.

3 Likes

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.