Virus warning, HiPiHi may contain trojan [UPDATED]

Users of the HiPiHi virtual world are reporting that the uninstaller for the virtual world client may be infected with a malicious trojan, identified as BackDoor.Bifrose.YM, also known as BDS/Bifrose.Gen.
It is not yet confirmed whether this is a genuine threat or a false positive, but you need to be cautious. Not all virus scanners report it, which says little either way about whether the threat is genuine.
Update: Wikipedia suggests that there is usually a trojan embedded in the uninstaller.
[Thanks to Massively reader ZATZAi for the heads-up, and the image]
Update:
We performed an independent test to see if this could be the result of pre-existing trojans or software threats on people's machines.
Our test setup:
- An old PC with no network access, and an Ubuntu Feisty Linux installation CD.
Procedure:
We freshly installed Ubuntu and, while we waited for that, downloaded the HiPiHi 40011 installer on a spare Linux box and burned it to a rewritable CD to avoid potentially contaminating anything.
We loaded the HiPiHi installer onto the fresh Linux install and unpacked it by the simple expedient of installing it using Wine.
Once it was all installed, we checked it out with two virus scanners, which we freshly installed and updated: Clam Antivirus, and Grisoft's AVG (Free Edition).
Results:
- Clam Antivirus did not find any problems.
- AVG reported a trojan signature from the Bifrost family, as the story originally reported.
Conclusion:
This could still, honestly, be a false positive - in which case, we urge (and have urged) the HiPiHi people to get in touch with Grisoft to clear it up. The mention in the Wikipedia article casts some doubt on the matter.
"The uninstall routine of HIPIHI tends to be infected with a Trojan. With releases up to 30014 it was BDS/Bifrose.Gen from the Bifrost family. The new releases 40011 and 40012 feature the backdoor program Packed.64. The change indicates that the Trojan is deliberately inserted in the code." -- from Wikipedia.
Either the uninstaller is being routinely infected (we don't believe for a moment that that would be condoned or intended by the HiPiHi company), or AVG's scanner is a bit hypersensitive.
Until it is confirmed either way, you should exercise caution. The family of trojans that is claimed to be involved are quite rude strangers to have on your machine, and you want to avoid them. By all means, take a look at HiPiHi, but be careful.
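The scan step of the procedure above, as an added example that is not from the original post: it records a SHA-256 and a ClamAV verdict for every executable in the unpacked install tree, so a disputed detection can be reported to a scanner vendor by exact file and hash. It assumes ClamAV's `clamscan` and coreutils `sha256sum`; the function names `verdict_for` and `scan_manifest` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): build a hash-plus-verdict
# manifest for the Windows executables under an unpacked install directory.

# verdict_for FILE -> prints CLEAN, FOUND:<signature>, ERROR or NOT-SCANNED
verdict_for() {
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "NOT-SCANNED"      # scanner missing: never report this as clean
        return 0
    fi
    out=$(clamscan --no-summary "$1" 2>/dev/null)
    case $? in                  # clamscan: 0 = clean, 1 = detection, other = error
        0) echo "CLEAN" ;;
        1) echo "FOUND:$(printf '%s\n' "$out" |
               sed -n 's/^.*: \(.*\) FOUND$/\1/p' | head -n 1)" ;;
        *) echo "ERROR" ;;      # e.g. no signature database: not a clean result
    esac
}

# scan_manifest DIR -> one "sha256  verdict  path" line per .exe/.dll, by path
scan_manifest() {
    find "$1" -type f \( -iname '*.exe' -o -iname '*.dll' \) | sort |
    while IFS= read -r f; do
        hash=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s  %s  %s\n' "$hash" "$(verdict_for "$f")" "$f"
    done
}

# Usage: sh manifest.sh /path/to/unpacked/install
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    scan_manifest "$1"
fi
```

Keeping the hash next to each verdict lets two scanners' results be compared file by file, and distinguishes "not scanned" or "scanner error" from a clean result.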

Reader Comments
rockxie said on 6:56PM 12-19-2007
I think the reason is that the user's computer affects trojan
-hipihi.org
Bjorn said on 9:24PM 12-19-2007
we hear ya at HiPiHi here, tests internally on various virus scans have reflected inconsistent results on the presence of this "trojan". dun seem to have any real threat but we are keeping an eye out for it.
if any of you folks out there have updates to this problem, give us a holler by replying here.
Bjorn said on 9:24PM 12-19-2007
strange, my earlier comment seems to have disappeared..
I am from HiPiHi and our team has run a number of tests with different virus scanning software. It appears the trojan result from AVG is an anomaly. Nonetheless, the inconsistent trojan results are a cause for concern and we are looking into it.
if any readers here have follow-on updates to this problem, give us a holler by replying here..
Tateru Nino said on 9:47PM 12-19-2007
We're just in the process of unpacking the HiPiHi installer on a clean linux system, so we can run some virus/trojan scans across the files. Will post the results as they become available.
Sisi said on 9:43PM 1-01-2008
I am from HiPiHi. Grisoft has confirmed that the HiPiHi uninstall.exe file is virus-free and that detection of this file was a false alarm. They have released a new virus base that solves this false alarm. Please update your AVG and scan your files again.
You can restore already removed files from your AVG Virus Vault this way: open this Vault (in AVG -> upper menu Program -> Launch Virus Vault), right-click on the file and choose Restore File(s).
Cheers!