
Touhou 6 download link literally has multiple malwares in it.


Popcorn1339


https://www.virustotal.com/gui/file/c700df5deb7647cc592e43a92dde8ece451fb051686344477312a2024423c15f/detection (VirusTotal link)

Check VBA32 and you'll see what I'm talking about. Also, check Kingsoft for the second type of malware.

https://howtofix.guide/bscope-trojan-bitrep/ (A guide about BScope-Trojan-Bitrep)

Useful information on how it affects your computer.

http://www.technologydiscover.us/malware/learn-how-to-take-away-win32-troj-generic-a-kcloud.html (A guide about Win32.Troj.Gener.(kcloud))

Same as before.

I'm way too lazy to try to attempt to cut out the portions of the code that contains the malware. Someone with reasonable programming skills could do it. (Derp)

Touhou 6: Koumakyou - The Embodiment of Scarlet Devil  

Touhou_6__-_The_Embodiment_of_Scarlet_Devil.zip <--- the file that I'm referring to

Disclaimer: I only used the VirusTotal application to scan the file, I did not use any other application as the file is simply too large.



ok bud... it has malware because its updates and patches are given through an external site which sets off multiple red flags. If you don't want it, go thru thcrap urself

Howdy! Stay puffie! ^-^


According to Google, the definition of malware is, "software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system." So you do agree that the file that I referred to contains malware that can steal information from your computer and literally steal your banking information (If you have one)? (If this question insulted anyone, I apologize for trying to prove myself right by using evidence. My ego is too high.)


Okay, I've mentioned this to the staff that are of this expertise, who can probably check on this and explain what happens better.  That said, we have had issues previously with false positives on the games.

I assume this is due to virus scanner assuming that the patch that translates the game is doing something more malicious when it adjusts the program to perform said translation.  I'm not the expert though.


What jssf said is roughly accurate. I'm pretty sure the Touhou 6 download is still the one I put up myself roughly 2 years ago, and I still have that copy on my computer and play it every now and again. I think thcrap's auto patcher and the way it translates the games sets off an atrocious amount of false positives. Regardless, I will look into it just to be sure later when I have the time.

L


"Check VBA32 and you'll see what I'm talking about. Also, check Kingsoft for the second type of malware."

VBA32? KingSoft? I've never heard of either one of those. Does something like Avast or Norton pick anything up?


It was shown in the VirusTotal app when I scanned the entire file. VBA32 and KingSoft are softwares that are assumed by VirusTotal to have "BScope.Trojan.Bitrep" and "Win32.Troj.Gener.(kcloud)" (respectively), which are computer viruses. The file for Touhou 6 is a zip file, which means that it can hold multiple files in it, including the game and possible malware.


Avast and Norton Antivirus are behavior-based software, which means that they determine what the files are doing to the computer and whether it is harmful towards the computer. I'm not too sure about the effectiveness of the software though (as I've never used it).


5 minutes ago, Popcorn1339 said:

It was shown in the VirusTotal app when I scanned the entire file. VBA32 and KingSoft are softwares that are assumed by VirusTotal to have "BScope.Trojan.Bitrep" and "Win32.Troj.Gener.(kcloud)" (respectively), which are computer viruses. The file for Touhou 6 is a zip file, which means that it can hold multiple files in it, including the game and possible malware.

Oops, I'm a fool. VBA32 and KingSoft are used by VirusTotal to scan the files. They aren't the files that contain malware, they merely detected possible viruses in the file that I scanned, which was the entire zip file for Touhou 6 (the second zip file when you check downloads). 


For example, if you scan the entire file using VirusTotal again, it will show 59 antivirus scanners (Fortinet, McAfee, KingSoft, etc.) which are used to assume whether there is a virus in the zip file and if so, what the virus is. In my case, I got 7 different antivirus scanners which detected possible malware in the zip file itself (Fortinet, McAfee, KingSoft, McAfee-GW-Edition [slightly different version of McAfee, I assume], Sangfor Engine Zero, Sophos, and VBA32). These antivirus scanners will have different views on what the virus is exactly. (In McAfee's case, it will quarantine and name any file with the tag "Artemis" to say that the file that it scanned was suspicious and may contain a virus. [Artemis isn't an actual virus and McAfee doesn't specify what virus it is; it just says "Hey, the file I scanned was triggered by my GTI (Global Threat Intelligence, which uses data-banks to determine if there is a possible virus), I have decided to tag the file with Artemis and alert the consumer that there is a possible virus in the file."])


This is why I was so scared about the fact that the file may contain malware, since the chance that 7 different antivirus scanners (granted that they all use behavioral analysis software) would all detect a virus and all be false positives is incredibly low. This is also the reason that I'm going to use Hybrid Analysis and scan literally every single file in the zip file to determine if it truly has malware in it. (Hybrid Analysis uses 3 different antivirus scanners, which in turn use multiple different types of antivirus software to scan the file.) Of course, the number of false positives goes up, but the relative efficiency of all 3 scanners goes up incredibly high. (If there is any malware in the files)


It seems like the combination of files in [Touhou 6 - The Embodiment of Scarlet Devil -> thcrap -> bin] is setting off one of the antivirus scanners in Hybrid Analysis, but only one of them registers it. Could somebody look further into this? This is on the pre-patched English version I think.


Most likely this is a false positive; heuristic analysis tends to give false positives with software that messes with binaries, which thcrap does. To be fair, not every antivirus on VirusTotal is trustworthy. I could show official Windows files that were detected by some VirusTotal scanners, so it's really not that uncommon for false positives.

Also I have this touhou 6 and I don't detect any suspicious activity coming from my pc, so for my money it seems clean. (Hopefully mods will clarify it)


I agree, with how few positives there are out of the total, it is believable that they could be false. I'm pretty sure there were only 6 out of almost 60 on VirusTotal from somebody else's scan, and the others are negative. I won't run it on my pc yet, but I probably will in the near future.


Time for advertisement :D. Did you know that there is a club named "Popcorn Scanners"? (:D) You can join it to get access to a Google Doc consisting of all of the files that I've currently scanned. (There is no rule that says that I can't advertise my club. :D)



Oh fine, I'll just put the info in...

*This is what I've scanned so far in the download files.*

Safe Files:

custom.exe (96 KB) (https://www.hybrid-analysis.com/sample/5ab1f4e8bf31fc4f8484ab0882a882f0fb399ba758fc98601ae9a6f6e69b5cdf) 

enbconvertor.ini (113 bytes) (https://www.hybrid-analysis.com/sample/a200f7e7263e1913a73ef11904e49eaf1046c91f00e916a514e4d5691300de7f) (No sandbox)

Instructions.txt (431 bytes) (https://www.hybrid-analysis.com/sample/347e7cf1eee6c52d000e839110afd44f179fb44db012e2c62a134226992b200a) (No sandbox)

vpatch.exe (46 KB) (https://www.hybrid-analysis.com/sample/29a933678de5dc4bf7941ff8587e3fe2a4794f3cfdad94453200151376f6388a) 

vpatch.ini (319 bytes) (https://www.hybrid-analysis.com/sample/83dc1f784850a44a11132828a5e0ba3215d42b55cac5952d3a08c15b87accecf) (No sandbox)

東方紅魔郷.cfg (56 bytes) (https://www.hybrid-analysis.com/sample/fc7e2c23621b3dd3e4e4e9d7357db4fc23da2602e61b47bc9300fe49ccfba551) (No sandbox) 

紅魔郷CM.DAT (914 KB) (https://www.hybrid-analysis.com/sample/a899853d04e214ae4df8090bad7fd42698527027aa9dfccb4650fbb1d7828a0a) (No sandbox) 

紅魔郷ED.DAT (1.9 MB) (https://www.hybrid-analysis.com/sample/3fbb51f00785c98d6b4141a7a5a303f5955df3d181d2f220c2c6e81d717e9fee) (No sandbox)

紅魔郷IN.DAT (743 KB) (https://www.hybrid-analysis.com/sample/65d7ee9c4303bcb39f5f08a0ceaf7004e47fccc8242fd73db54b31a911f41af0) (No sandbox)

紅魔郷MD.DAT (299 KB) (https://www.hybrid-analysis.com/sample/8f8db1918842857a63eb7c76e7f971fb931203a6239c26828304fa3ce12da911) (No sandbox)

紅魔郷ST.DAT (2.8 MB) (https://www.hybrid-analysis.com/sample/0f834a35aef2d73b05cffecc830c017dacbcc6f11b9a0611a9da2f3970a112e7) (No sandbox)

紅魔郷TL.DAT (1017 KB) (https://www.hybrid-analysis.com/sample/c05f4fa755602f9369d7cebd5689cf3655ec81bb746f5b269ee0faf3d5f0a020) (No sandbox)

act_nut_lib.dll (109 KB) (https://www.hybrid-analysis.com/sample/e43941c738d872be52252b8a877662ed72ccab93d570659c305b934e207f499b) (No sandbox?)

bmpfont_create_gdi.dll (18 KB) (https://www.hybrid-analysis.com/sample/3ca8782a92829115b51d8fd6fc5fdf9c277c38733ff7bc1eb6d9aee1b84bfa5c) (No sandbox?)

bmpfont_create_gdiplus.dll (22 KB) (https://www.hybrid-analysis.com/sample/7a5eb7ea951678c32215a392c8229d076280e838e106e0e99478daee4474bf28) 

jansson.dll (44 KB) (https://www.hybrid-analysis.com/sample/78afe707ead28fb8bddf45ce30cecff3b30c9e6f1dbd8b2a64df7650acd03d08) 

libpng16.dll (154 KB) (https://www.hybrid-analysis.com/sample/4b329ca666f060739e045d339627e048f5b2a002d26dc50a7f9e1053ff900c91) 

Unknown Files:

dsd8.dll (100 KB) (https://www.hybrid-analysis.com/sample/1f0471c8fa53b035aa27d6d6505275e2ee0db55b6538b4e31fd79e54ce065759) 

東方紅魔郷.exe (500 KB) (https://www.hybrid-analysis.com/sample/9f76483c46256804792399296619c1274363c31cd8f1775fafb55106fb852245) 

thcrap_loader.exe (14 KB) (https://www.hybrid-analysis.com/sample/2c14782f1d2128a4cfede55293dc4b2a132458ecc60c7c642ff261e08d4c60f1) 

Harmful Files:

Touhou06-Config.exe (12 KB) (https://www.hybrid-analysis.com/sample/81329d804eb581292b4ec182a6c25faacce59b61eec91e6f744208e3ea5424da) (File is questionable at best)

Touhou06.exe (14 KB) (https://www.hybrid-analysis.com/sample/96fba15a5706e0c0e745dd2dbb93cb628247d1c855f15dfb2588d381597c30e3) (File is questionable at best)

vpatch_th06_unicode.dll (88 KB) (https://www.hybrid-analysis.com/sample/cc2513317da9ea8c832ef6d9cd95d12ead14b991a1eaed2d4c0fc27978b74e04) (File is questionable at best)

thcrap_configure.exe (17 KB) (https://www.hybrid-analysis.com/sample/ab9d0f1e76efcb6b9545c924e056568eba47f649e12f4076bea8a26d82c39380) (https://www.virustotal.com/graph/embed/gf2757a0e834448ca9d890f012c9921c112d6917d4d2a418ea2961b548e9dbe52) Well then, it seems that this exe file is communicating with another file that clearly has malware in it. (File is questionable at best)


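The thread reasons by hand about two things: how many of the ~59 VirusTotal engines flagged the zip and whether their labels (Artemis, Gener, BScope) are named families or generic heuristics, and then hashing and sandboxing each member of the zip separately. The Python below is an added example, not code from the thread, thcrap or VirusTotal: it hashes every member of a constructed sample archive and applies a simple triage rule to a constructed per-engine result set (the labels and the 7-of-59 count are sample values, not the real report for the Touhou 6 zip).

```python
import hashlib, io, re, zipfile

# Fragments that mark a generic / heuristic / reputation verdict rather than a
# named family. Assumption: built from the labels quoted in the thread plus
# common vendor naming conventions.
GENERIC_MARKERS = re.compile(r"artemis|gener|heur|bscope|suspic|\bml\b|pua", re.I)

# Constructed sample archive standing in for the game zip (not the real file).
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("Instructions.txt", b"hello")
    _zf.writestr("thcrap/bin/notes.txt", b"constructed sample, not thcrap code")
SAMPLE_ZIP = _buf.getvalue()

# Constructed per-engine results: 7 hits out of 59 engines, mirroring the
# thread's count. Labels are sample values, not the real VirusTotal report.
SAMPLE_RESULTS = {"VBA32": "BScope.Trojan.Bitrep", "Kingsoft": "Win32.Troj.Gener.(kcloud)",
                  "McAfee": "Artemis!SAMPLE", "McAfee-GW-Edition": "Artemis!SAMPLE",
                  "Fortinet": "W32/Heuristic.Sample", "Sangfor": "Suspicious.Win32.Sample",
                  "Sophos": "Generic ML PUA"}
SAMPLE_RESULTS.update({f"engine{i}": None for i in range(52)})  # engines with no detection

def hash_zip_members(zip_bytes):
    """SHA-256 each member so files can be looked up or sandboxed one at a time
    instead of submitting the whole archive (what the poster did by hand)."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            h = hashlib.sha256()
            with zf.open(info) as f:              # stream, so large .DAT files are fine
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[info.filename] = h.hexdigest()
    return digests

def triage(results):
    """results: engine name -> label, or None when that engine did not flag it."""
    hits = {e: lbl for e, lbl in results.items() if lbl}
    generic = sorted(e for e, lbl in hits.items() if GENERIC_MARKERS.search(lbl))
    named = sorted(e for e in hits if e not in generic)
    ratio = len(hits) / len(results)
    if not hits:
        verdict = "clean"
    elif len(named) >= 2 or ratio >= 0.5:   # engines agree on a family, or broad consensus
        verdict = "likely-malicious"
    elif not named and ratio < 0.15:        # few hits, all heuristic: the classic FP shape
        verdict = "probable-false-positive"
    else:
        verdict = "needs-sandbox"             # e.g. a single named hit: check members one by one
    return {"hits": len(hits), "ratio": round(ratio, 3), "generic": generic,
            "named": named, "verdict": verdict}
```

The thresholds (0.15, 0.5, two named engines) are illustrative assumptions; a "probable-false-positive" verdict is a prioritisation hint for which files to sandbox first, not a clean bill of health.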
