Estranged: Act I

Tomboeg 8 Jul, 2020 @ 11:57am
BitDefender detected a Trojan
Hello.

I believe I've just encountered a false positive in the latest Estranged Act I update.

`The file T:\Steampowered\steamapps\common\Estranged Act I\estrangedact1\html\mail\mail1.html is infected with JS:Trojan.Cryxos.3771 and was moved to quarantine. It is recommended that you run a System Scan to make sure your system is clean.`

Just a heads up, have a good weekend in advance.
rarestMeow 8 Jul, 2020 @ 12:21pm 
hello,

BitDefender is well-known for being quite sloppy and finding viruses where no one else found them - and that case is no exception, just a false positive, as you correctly said. in fact that particular file was already reported as being "suspicious", https://gtm.steamproxy.vip/app/261820/discussions/0/2272575584128380336/

I have opened it up and, well, it is just a regular html+css+javascript file with jquery framework. I guess the part of code that set BitDefender off is that one:
```html
<div id="bsmem" class="bluescreen hide">ARQUEOSERR_0xFFFFFF LOC:<br/><br/>69 20 61 6d 20 65 73 74 72 61 6e 67 65 64 2c 20 69 20 61 6d 20 61 6c 6f 6e 65 2e 20 69 20 61 6d 20 65 73 74 72 61 6e 67 65 64 2c 20 69 27 6d 20 6e 6f 74 20 67 6f 69 6e 67 20 68 6f 6d 65 2e<br/><br/>ACCESS_VIOLATION_HEAP_TRANSPOSE<br/>&#9646;</div>
```
those HEX values look like some malicious code that is trying to encrypt itself to protect itself from being decrypted. I guess BitDefender found that block, looked at it and thought, "hmm. kinda reminds me of a shady trojan"

what that code is actually doing is simulating a BSOD effect on a PC which you use to shut down a generator. it looks like this in the game: https://i.postimg.cc/bNsKMG6W/20200708-220732-75073.png
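A triage check for the hex run discussed in the post above, as an added example that is not part of the thread or the game's code: it pulls space-separated hex bytes out of the HTML text nodes and reports whether they decode to printable ASCII. The 8-byte minimum run length, the verdict labels and the second sample are assumptions made for this example.

```python
import re
from html.parser import HTMLParser

# The <div> quoted in the post above, embedded so the example runs offline.
SNIPPET = (
    '<div id="bsmem" class="bluescreen hide">ARQUEOSERR_0xFFFFFF LOC:<br/><br/>'
    "69 20 61 6d 20 65 73 74 72 61 6e 67 65 64 2c 20 69 20 61 6d 20 61 6c 6f 6e "
    "65 2e 20 69 20 61 6d 20 65 73 74 72 61 6e 67 65 64 2c 20 69 27 6d 20 6e 6f "
    "74 20 67 6f 69 6e 67 20 68 6f 6d 65 2e"
    "<br/><br/>ACCESS_VIOLATION_HEAP_TRANSPOSE<br/>&#9646;</div>"
)
# Constructed sample (not from the thread): a run that is not text.
CONSTRUCTED_BINARY = "<p>00 ff 10 80 de ad be ef 01 02 03 04</p>"

# Assumption: a "hex run" is 8 or more whitespace-separated two-digit hex bytes.
HEX_RUN = re.compile(
    r"(?<![0-9A-Za-z])(?:[0-9A-Fa-f]{2}\s+){7,}[0-9A-Fa-f]{2}(?![0-9A-Za-z])"
)


class TextNodes(HTMLParser):
    """Collect text nodes; tags and attributes are dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def triage_hex_runs(html):
    """Return a (decoded_text_or_None, verdict) pair per hex run in text nodes."""
    parser = TextNodes()
    parser.feed(html)
    parser.close()
    findings = []
    for chunk in parser.chunks:
        for match in HEX_RUN.finditer(chunk):
            raw = bytes.fromhex(match.group(0))  # fromhex skips the whitespace
            printable = all(0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D) for b in raw)
            if printable:
                findings.append((raw.decode("ascii"), "printable-ascii"))
            else:
                findings.append((None, "non-text-bytes"))
    return findings


if __name__ == "__main__":
    for sample in (SNIPPET, CONSTRUCTED_BINARY):
        print(triage_hex_runs(sample))
```

A printable-ASCII result like the one for the quoted snippet is the kind of evidence worth attaching to a false-positive report to the anti-virus vendor.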
A developer of this app has indicated that this post answers the original topic.
Alan Edwardes  [developer] 8 Jul, 2020 @ 12:41pm 
Hi,

Thank you for reporting this, and thank you rarestMeow for the extra information!

As you alluded to, this should be regarded as a false positive; you can see my full response to this in the other thread: https://gtm.steamproxy.vip/app/261820/discussions/0/2272575584128380336/

As I said there, it's something to report to your anti-virus vendor.

Thanks,
Alan
Al Bundy 23 Jul, 2020 @ 7:01am 
Hi, I had the exact same problem with bitdefender and this file.

I checked the folder of that file, and found strange stuff there, pictures and videos of a cat and other things I don't understand.

What made this even stranger is that I got the exact same warning for the same file from bitdefender for another steam game, in another folder. The name of the game is "No more room in hell".
Now I am completely confused, why do I find this exact same folder with that pseudo-malicious file and other strange stuff (pictures and videos of a cat, picture of an old truck...) in the files of two completely different games?

To make sure all this stuff has been there for both games right from the installation I uninstalled and reinstalled both games several times.

I have no idea what's going on :steammocking:
rarestMeow 23 Jul, 2020 @ 8:03am 
hello,

Originally posted by Al Bundy:
I checked the folder of that file, and found strange stuff there, pictures and videos of a cat and other things I don't understand.
in the game "Estranged: Act I" you have to browse through people's e-mails and their PC to find clues on how to restart (stop) a generator. those images of cats, trucks and other files are media from people's e-mails and their desktop, in other words they are a genuine part of the game

why the very same folder is in "No more room in hell", that's a good question. given both "No more room in hell" & "Estranged: Act I" are Source-based games, I think that this is just Source SDK shenanigans, nothing special
Last edited by rarestMeow; 23 Jul, 2020 @ 10:27am
Al Bundy 23 Jul, 2020 @ 8:25am 
Originally posted by rarestMeow:
hello,

Originally posted by Al Bundy:
I checked the folder of that file, and found strange stuff there, pictures and videos of a cat and other things I don't understand.
in the game "Estranged: Act I" you have to browse through people's e-mails and their PC to find clues on how to restart (stop) a generator. those images of cats, trucks and other files are media from people's e-mails and their desktop, in other words they are a genuine part of the game

why the very same folder is in "No more room in hell", that's a good question. given both "No more room in hell" & "Estranged: Act I" are Source-based games, I think that this is just Source SDK shenanigans, nothing special


ah ok, thanks for the hint. I thought maybe both games are from the same developer or so ...
Tomboeg 23 Jul, 2020 @ 10:21am 
Rarestmeow and pictures of a cat.
What is going on here...