Is this program infected, please?


22 replies to this topic

#1 Kerr Avon (Members, 28 posts)

Posted 26 February 2015 - 09:03 AM

Basically, I'm hoping that someone can say once and for all if the following program (and related files) are infected with malware or not. So if anyone here is familiar with the problem of false positives, and knows how to check for definite, please read on.
 
As you might know, current N64 emulators aren't exactly ideal, and so someone created a downloadable archive file containing an N64 emulator (no piracy, the emulator is freeware) and a 'mouse injector', the latter allowing you to use mouse and keyboard (WASD keys) to play Perfect Dark and Goldeneye the way you'd play a native PC first person shooter (and it works great, by the way). The archive doesn't contain Perfect Dark or Goldeneye, so it's OK for me to post the link here.
 
Anyway, some people have been saying that it's malware, a key logger, full of viruses, etc, and others say it's clean, that the virus killers' reports are just false positives. With me, Avast! never reported an infection, and Zone Alarm didn't tell me that the program was trying to access the internet, so I'd be inclined to think that it's all just false positives, but if there are any virus/malware experts on here, I'd really appreciate it if you could look at it and confirm or deny any infection.
 
The download is at:
 
 
Thanks for any answers.



#2 Sintharius, Bleepin' Sniper (Members, 5,639 posts, The Netherlands)

Posted 26 February 2015 - 09:09 AM

Hello there,

Can you upload the downloaded file to http://www.virustotal.com and post the result link here?

Alex

#3 Aura, Bleepin' Special Ops (Malware Response Team, 19,662 posts)

Posted 26 February 2015 - 09:52 AM

Hi Kerr.

Judging by the reviews, this program is apparently infected so I wouldn't trust it at all. If it was really clean and working, and as "amazing" as it says it is, the comments would be way more positive. I wouldn't download that program at all and I suggest you get checked for malware here on BleepingComputer if you downloaded and executed it. I'll download it in a VM for you and see what it gives.
 
I just requested a new analysis on the main .zip archive on VirusTotal, here goes:

https://www.virustotal.com/fr/file/4f72253ef3acc03f2b378ce18bea5a64a80d34579eb6b7a72c8f55d6bb2494c9/analysis/1424962549/

Inside there's 4 .zip archives, here's their VirusTotal (requested new analysis as well) in order:

https://www.virustotal.com/fr/file/6b2ef2fb63c0ab1b0958d2db7772c06a7b9101fdeec71e5f3bcf4982c0ee8085/analysis/1424962631/
https://www.virustotal.com/fr/file/e671de2971bb89b75a75afa15e73a4d5c123c3a99a8c03168afc7b5840c1772e/analysis/1424962630/
https://www.virustotal.com/fr/file/6fd82c1233aa5bb7e399b23f7ca4bcb3d93480ce9215d09dad20a65cd8823b8e/analysis/1424962632/
https://www.virustotal.com/fr/file/b534ea0975b8466a1e87b44c0e5d6b62bf013326b4aa5ec936e09a3fb75e415a/analysis/1424962633/

Edit: Looks like I can't do the tests at work since I use VirtualBox and it doesn't support DirectX 3D, which the executable needs.

Edited by Aura., 26 February 2015 - 11:07 AM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 quietman7, Bleepin' Janitor (Global Moderator, 51,476 posts, Virginia, USA)

Posted 26 February 2015 - 10:48 AM

Those detections indicate it's more of a generic detection which includes applications with suspicious behavior, those containing embedded files, and those considered risky (risk tools).

Generic detections are usually a heuristics engine detection of possible new variants of malware {typically representatives of the Trojan family} before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware which allows the anti-virus to detect and stop it before doing any harm to your system. Heuristic scanning methods vary depending on the vendor. Some claim to allow emulation of the file's activities in a virtual sandbox. Others scan the file more intensively, searching line by line inspecting the code in a file to see if it contains virus-like characteristics. If the number of these characteristics/instructions exceeds a pre-defined threshold, the file is flagged as a possible virus. Generic detections are generally seen having numerous variants, ending with different alpha/numerical characters representing additional information - see Microsoft Malware Protection Center Naming Standards.

The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as malicious. Packed files use a specially compressed (protected) file that may have been obfuscated or encrypted in order to conceal itself and often trigger alerts by anti-virus software using heuristic detection because they are resistant to scanning (difficult to read). With heuristics, there is always a potential risk for a "false positive" when the heuristic analysis flags a file as suspicious or infected that contains no malware.

A Risk Tool detection is a very broad threat category which can include various legitimate programs. When flagged by an anti-virus or security scanner, it's because the program has the potential for being misused by others (hackers) or that it was simply detected as suspicious or a threat due to the security program's heuristic analysis engine which provides the ability to detect possible new variants of malware. Anti-virus/Anti-Malware scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. Since these detections do not necessarily mean the file is malicious or a bad program, in some cases the detection may be a "false positive".

Artemis technology is the "Active Protection" component of McAfee's Security Center which uses a combination of signature and behavior analysis to check with McAfee servers in real-time to identify possible new malware threats. This is accomplished by adding heuristics to the virus database. McAfee then uses this heuristic detection to analyze the cataloged behaviors and assess the likelihood of possible new variants of malware before the vendor can get samples and update the program's definitions for detection. This process is similar to Symantec's Bloodhound Technology. Artemis is not the name of an actual virus, but an alert displayed by McAfee when it thinks it may have found a new virus. Artemis is included in the detection name for any file that is quarantined or blocked by McAfee's Global Threat Intelligence (GTI) technology for enhanced detection of unknown threats based on the file's behavior. Thus, Artemis detections may or may not be malicious.

The 1964 GE/PD Edition contains a custom build of the 1964 emulator designed for GoldenEye 007/Perfect Dark. Typically emulators install drivers which use rootkit-like techniques to hide from other applications and can interfere with investigative tools or security scanners. This interference can produce misleading or inaccurate scan results and general dross. This 'dross' often makes it hard to differentiate between malicious and legitimate drivers. We have found this especially problematic with CD Emulators when investigating for malware.

This all explains why you will receive varying opinions..."some people have been saying that it's malware, a key logger, full of viruses, etc, and others say it's clean".

In most cases, if you installed or recognize the program, it's been on your system for some time and your anti-virus never detected it as a threat...then you can ignore the detection. Usually when a computer is infected with malware there will be indications (signs of infection) that something is wrong.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
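Added example, written for this thread and not taken from quietman7's post or from any vendor's engine: a toy version of the two heuristics he describes, a weighted count of "virus-like characteristics" (here, imported Windows API names) compared against a threshold, and a byte-entropy check that fires on packed or encrypted files. The API names, weights, thresholds and sample byte strings are all constructed for illustration; the "injector-like" import list is what one would expect from a tool that opens another process and writes to its memory, and is assumed, not read from the real Mouse Injector binary.

```python
"""Added example (mine, not from any vendor's engine): toy versions of two
heuristics quietman7 describes. Names, weights, thresholds and samples are assumed."""
import hashlib
import math
from collections import Counter

# "virus-like characteristics" as weighted import names. Weights are illustrative.
SUSPICIOUS_IMPORTS = {
    "OpenProcess": 2,           # touch another process
    "ReadProcessMemory": 2,
    "WriteProcessMemory": 3,    # inject into it
    "VirtualAllocEx": 3,
    "CreateRemoteThread": 4,
    "GetAsyncKeyState": 2,      # read keys without having focus (keylogger-like)
    "SetWindowsHookExA": 3,
    "URLDownloadToFileA": 3,
    "WinExec": 2,
}
SCORE_THRESHOLD = 6       # assumed: at or above this the file is flagged
ENTROPY_THRESHOLD = 7.2   # assumed: bits/byte this high suggests packing or encryption


def import_score(imports) -> int:
    """Sum the weights of the suspicious APIs the file imports (each counted once)."""
    return sum(SUSPICIOUS_IMPORTS.get(name, 0) for name in set(imports))


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0 for a constant byte, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def heuristic_verdict(imports, data: bytes):
    """Return ('Suspicious', reasons) if either heuristic fires, else ('Clean', [])."""
    reasons = []
    score = import_score(imports)
    if score >= SCORE_THRESHOLD:
        reasons.append(f"import score {score} >= {SCORE_THRESHOLD}")
    ent = shannon_entropy(data)
    if ent >= ENTROPY_THRESHOLD:
        reasons.append(f"entropy {ent:.2f} >= {ENTROPY_THRESHOLD} (packed/encrypted?)")
    return ("Suspicious" if reasons else "Clean"), reasons


# --- constructed samples -----------------------------------------------------

# What a process-memory input tool plausibly imports (assumed, not read from the real binary).
INJECTOR_LIKE_IMPORTS = ["CreateToolhelp32Snapshot", "Process32First", "Process32Next",
                         "OpenProcess", "ReadProcessMemory", "WriteProcessMemory",
                         "GetAsyncKeyState", "GetCursorPos", "MessageBoxA"]
# A file-editor-like import list with nothing on the watch list.
EDITOR_LIKE_IMPORTS = ["CreateFileW", "ReadFile", "WriteFile", "MessageBoxW"]


def plain_code_sample() -> bytes:
    """Low-entropy bytes: a repeated prologue-like pattern plus a repeated ASCII message."""
    return b"\x55\x8b\xec\x83\xec\x10" * 200 + b"Emulator not detected. Closing..." * 20


def packed_sample() -> bytes:
    """High-entropy bytes: a deterministic SHA-256 chain standing in for a packed section."""
    out, block = bytearray(), b"seed"
    for _ in range(128):
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out)


if __name__ == "__main__":
    cases = [("injector-like, unpacked", INJECTOR_LIKE_IMPORTS, plain_code_sample()),
             ("editor-like, unpacked", EDITOR_LIKE_IMPORTS, plain_code_sample()),
             ("editor-like, packed", EDITOR_LIKE_IMPORTS, packed_sample())]
    for label, imports, data in cases:
        verdict, why = heuristic_verdict(imports, data)
        print(f"{label:24} -> {verdict} {why}")
```

The injector-like sample crosses the import threshold on exactly the behaviours Didier Stevens describes later in this thread (opening a process, writing its memory, polling the keyboard without focus), and the packed sample trips the entropy rule with no suspicious imports at all. Neither rule sees intent, which is why a clean result from one vendor and a generic detection from another can both be correct about the same file.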

#5 Kerr Avon, Topic Starter (Members, 28 posts)

Posted 26 February 2015 - 10:57 AM

[Quoting Aura's post #3 above]

Hello Aura (and Alexstrasza!). Thanks for uploading them to VirusTotal, but I'm still not sure of the results, as only a few virus checkers (as reported by that site) think that the files are infected, and I'd have thought by now that all, or at least most, of the virus killers would have those infections (if they are genuine) in their databases. Even so, I'd normally stay away from that emulator/mouse injector package just because some virus killers say it's infected, but I've been using it off and on for a while now, and as far as I know my PC isn't infected (Avast is on constantly, and I run a full scan with Avast and Malware Anti-Bytes every fortnight or so).

If you get the chance, please try it at home and post the results here.

Thanks.



#6 Kerr Avon, Topic Starter (Members, 28 posts)

Posted 26 February 2015 - 11:03 AM

Quietman7, thanks for the detailed and clear explanation. I see what you're saying, and I think that what you say probably does apply in this case, that the files are clean. But I'd appreciate a 100% confirmed opinion, if such is possible - I've heard it said that you can never be 100% sure that a file does NOT contain a new (i.e. not explicitly already known by the virus killer in question) virus or malware killer.



#7 quietman7, Bleepin' Janitor (Global Moderator, 51,476 posts, Virginia, USA)

Posted 26 February 2015 - 01:33 PM

Depending on what anti-virus one is using, the test could yield different results for different testers.

You can always supplement your anti-virus or get a second opinion by performing an Online Virus Scan. ESET is one of the more effective online scanners. However, even after doing that you could get conflicting results.

BTW...
  • VirusTotal's antivirus engines are commandline versions, so depending on the product, they will not behave exactly the same as the desktop versions: for instance, desktop solutions may use techniques based on behavioural analysis and count with personal firewalls that may decrease entry points and mitigate propagation, etc.
  • In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.
  • Some of the solutions included in VirusTotal are parametrized (in coherence with the developer company's desire) with a different heuristic/aggressiveness level than the official end-user default configuration.
VirusTotal FAQs
About VirusTotal

#8 Aura, Bleepin' Special Ops (Malware Response Team, 19,662 posts)

Posted 26 February 2015 - 01:38 PM

A "100% confirmation" will only be possible if someone reverse engineers all the files (or the whole program) and tests it thoroughly, which could take quite some time.



#9 quietman7, Bleepin' Janitor (Global Moderator, 51,476 posts, Virginia, USA)

Posted 26 February 2015 - 01:43 PM

And since the 1964 GE/PD Edition has been around for some time, it appears the researchers are not interested.

#10 Didier Stevens (BC Advisor, 2,698 posts)

Posted 27 February 2015 - 05:20 PM

Kerr, the ZIP file contains 4 ZIP files, which in turn contain 191 files in total. There are duplicate files: eliminating them, I'm left with 95 unique files.
Of these 95 unique files, 35 are executables (PE files).
Of these 35 unique executables, 16 files have a VirusTotal score different from 0. I'm listing them here:
 
10 detection(s): 1964/Mouse Injector.exe
5 detection(s): 1964/GE-MP/Mouse Injector (P2 Only).exe
4 detection(s): Project64 1.6.1/Mouse Injector.exe
4 detection(s): Project64 1.6.1/GE-MP/GE-MP.exe
4 detection(s): Project64 1.6.1/GE-MP/Mouse Injector (P2 Only).exe
4 detection(s): 1964/GE-MP/Mouse Injector (P2 Only).exe
4 detection(s): 1964/Mouse Injector.exe
3 detection(s): 1964/msvcp60d.dll
2 detection(s): 1964/1964.exe
2 detection(s): 1964/msvcrtd.dll
1 detection(s): 1964/1964.exe
1 detection(s): 1964/plugin/SoftGraphic_1.5.0.dll
1 detection(s): 1964/plugin/Jabo_Direct3D6.dll
1 detection(s): 1964/plugin/RSP.dll
1 detection(s): Project64 1.6.1/Plugin/AziAudio.dll
1 detection(s): 1964/plugin/DarkMan_DInput.dll
 
I took a look (disassembled & decompiled it) at the one with the highest number of detections on VT: 1964/Mouse Injector.exe
Taking a quick look at the decompiled code, I get the impression that this program does the following:
 
It looks for processes with the following names:
"1964.exe"
"1964_ultrafast.exe"
"mupen64pp.exe"
"mupen64plus-ui-console.exe"
"Project64.exe"
 
If it does not find one of these processes, it displays a message: Emulator not detected. Closing...
If it finds one of these processes, it opens the process, reads 2 memory locations and tests the read values, and displays message "Emulator not detected. Closing..." if it does not find the expected values.
If it finds the expected values, it reads the keyboard and the mouse position, and depending on this, writes values into the memory of the opened process.
Some of the keys it takes action on are: left & right control key, add key (+), subtract key (-), F9 key, and numeric keys: 0, 4, 5, 6, 7, and 8.
 
Before I continue, I have some questions for you:
1) do you know what the 5 processes are?
2) do the keys that I mention sound familiar to you?
 
Disclaimer: I've never played with a Nintendo, nor with this emulator, so I don't know what it does (apart from being a game console).

Edited by Didier Stevens, 27 February 2015 - 06:34 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
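Added example, not part of Didier's post and not the bundle's own code: a Python script that replays the triage steps he describes (expand the ZIP-in-ZIP, hash every member, drop duplicates, and count PE executables by header rather than by file extension) on a constructed nested archive. The file names and contents below are made up for the demonstration; `walk_zip`, `is_pe` and `triage` are mine, and the nesting-depth and member-size caps are an assumption about sensible limits, added so a hostile archive cannot recurse or inflate without bound. Each unique file keeps its MD5 as well as its SHA-256, so the hash can be looked up on VirusTotal without uploading the file, which is what the MD5 quoted later in this thread allows.

```python
"""Added example (not the bundle's code): replay Didier's triage steps on a
constructed nested ZIP. Names, contents and the depth/size caps are assumed."""
import hashlib
import io
import struct
import zipfile

MAX_DEPTH = 4               # assumed cap: ZIPs nested deeper than this are refused
MAX_MEMBER_SIZE = 64 << 20  # assumed cap: 64 MiB per member, refuses zip-bomb inflation


def is_pe(data: bytes) -> bool:
    """True for a PE image: 'MZ' DOS stub, e_lfanew at 0x3C, 'PE\\0\\0' at that offset.
    Checked by content, so a PE renamed .txt or a .dll that is not one is classified right."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def walk_zip(data: bytes, prefix: str = "", depth: int = 0):
    """Yield (path, bytes) for every file member, descending into nested ZIPs
    (detected by the local-file-header magic, not by extension)."""
    if depth > MAX_DEPTH:
        raise ValueError(f"ZIP nesting deeper than {MAX_DEPTH} at {prefix!r}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_SIZE:
                raise ValueError(f"member {info.filename!r} declares {info.file_size} bytes")
            member = zf.read(info)
            path = prefix + info.filename
            if member[:4] == b"PK\x03\x04":
                yield from walk_zip(member, path + "/", depth + 1)
            else:
                yield path, member


def triage(bundle: bytes) -> dict:
    """Count total members, unique files (by SHA-256) and unique PE files.
    Each unique file keeps its MD5 and every path it appeared under."""
    total = 0
    files = {}  # sha256 hex -> {"md5": str, "pe": bool, "paths": [...]}
    for path, content in walk_zip(bundle):
        total += 1
        sha = hashlib.sha256(content).hexdigest()
        entry = files.setdefault(sha, {"md5": hashlib.md5(content).hexdigest(),
                                       "pe": is_pe(content), "paths": []})
        entry["paths"].append(path)
    return {"total": total,
            "unique": len(files),
            "pe": sum(1 for e in files.values() if e["pe"]),
            "files": files}


# --- constructed test data (not the real bundle) -----------------------------

def fake_pe(tag: bytes) -> bytes:
    """Smallest byte string is_pe() accepts: MZ header, e_lfanew = 0x40, 'PE\\0\\0', a tag."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + tag


def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def constructed_bundle() -> bytes:
    """Outer ZIP holding two inner ZIPs; the same injector binary appears in both."""
    injector = fake_pe(b"constructed mouse injector")
    emulator = fake_pe(b"constructed emulator")
    readme = b"GAMEPLAY INPUT\nWASD - Movement\n"
    inner_a = build_zip({"1964/1964.exe": emulator,
                         "1964/Mouse Injector.exe": injector,
                         "1964/BUNDLE_README.txt": readme})
    inner_b = build_zip({"Project64/Mouse Injector.exe": injector,
                         "Project64/plugin/NotReally.dll": b"plain text, not a PE",
                         "Project64/README.txt": readme})
    return build_zip({"bundle_a.zip": inner_a, "bundle_b.zip": inner_b})


if __name__ == "__main__":
    report = triage(constructed_bundle())
    print(f"{report['total']} files, {report['unique']} unique, {report['pe']} PE")
    for e in report["files"].values():
        print(("PE  " if e["pe"] else "    ") + e["md5"], *e["paths"])
```

On the constructed bundle this reports 6 members, 4 unique files and 2 PE files, with the injector and the README each listed under two paths; the `.dll` that is really text is not counted as an executable because the check reads the header, not the name.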


#11 Kerr Avon, Topic Starter (Members, 28 posts)

Posted 01 March 2015 - 11:16 AM

[Quoting Didier Stevens' post #10 above]

1. No, sorry. I know nothing of the technicalities, just that (apparently) the mouse movement is translated into some sort of input data that the emulator can use. I've no idea how it's done.

2. According to "BUNDLE_README.txt" in the file 1964_GEPD_Final.zip:

GAMEPLAY INPUT
WASD - Movement
Enter - Start
Q - A button (Accept/Next Weapon)
E - B button (Cancel/Use/Reload)
Mouse 1 - Z button (Fire)
Mouse 2 - R button (Aim)
Mouse Wheel - Next/Previous Weapon
CTRL - Crouch
Mouse 2+W/S - Sniper Zoom-In/Zoom-Out
Arrows - Analog stick (camspy/slayer)
 
EMULATOR HOTKEYS
F3 - Pause emulation (toggle)
F4 - Stop emulation
F5 - Quicksave
F7 - Quickload (may desync Mouse Injector)
F12 - Screenshot (saves to 1964 directory)
TAB - Hide Mouse Cursor
LSHIFT+1..9 - Select State (the Windows Asterisk sound will play when state has changed)
CTRL+C - Cheats (only in windowed mode)
CTRL+V - Change graphics settings (only in windowed mode)
ALT+ENTER - Fullscreen toggle
ALT+F4 - Closes 1964
 
INJECTION HOTKEYS
4 - Toggle Mouse Injection/Lock Mouse Cursor
5 - Mouse Sensitivity (+/-)
6 - Crosshair Movement (+/-)
7 - Invert Pitch
8 - Aim Mode (only for GE 60fps build)
CTRL+0 - Hide/Show Settings
+/- - Edit Mouse Sensitivity/Crosshair Movement
CTRL+F9 - GE/PD difficulty preset (my personal settings)
 
Note: These controls have been setup for the 1.2 profile which can be set in
GoldenEye 007's and Perfect Dark's options menu. If you would prefer a different
control layout, please refer to the FAQ.

As you say, the N64 is just a games console (and nothing more, it's from the time when a console played games and nothing else, no social media, no downloadable game patches, it couldn't even play DVDs since it was cartridge only), and for some reason emulation of it is very poor compared to most contemporary or older consoles (the N64 was succeeded by the Nintendo Gamecube, which was much more powerful and yet is better emulated now!), with N64 emulation being glitchy and riddled with incompatibilities (even today, some N64 games cannot be run on any emulator). There are two cycle accurate N64 emulators in development (CEN64, and the N64 part of MESS), but they are far from completed, and will apparently need very powerful PCs to run at full speed.

So I still use my N64, instead of emulation, as most N64 game lovers do. But my two favourite first person shooters of all time (Perfect Dark and Goldeneye) are on the N64, and I like being able to play them on my laptop at work, and on a laptop (or PC) I always use the mouse and WASD keys to play first person shooters, and the emulator/mouse injector package results in the only emulator that works well with the mouse and WASD keys, no doubt why Stolen felt that he had to put together the package.

Thanks for your work so far, mate.



#12 Didier Stevens (BC Advisor, 2,698 posts)

Posted 01 March 2015 - 11:58 AM

What does the mouse do? Because the mouse injector does not read the mouse keys, only movements?

You can play with the WASD keys without mouse injector, I suppose? You move your shooter with them right?

What does the mouse control?

To better understand what the mouse injector is supposed to do, can you tell me the difference in gameplay without and with mouse injector?


Edited by Didier Stevens, 01 March 2015 - 11:59 AM.



#13 Kerr Avon, Topic Starter (Members, 28 posts)

Posted 01 March 2015 - 03:20 PM

To be honest, I don't know. All I know is that previously, using different N64 emulators, the mouse was either not an option, or if it was, it 'felt' wrongly implemented. You'd have to keep on moving the mouse left, say, in order to turn around, whereas in a native PC game, you'd just quickly move the mouse and the amount of on-screen turning (via your in-game point of view) would be much greater than if you moved the mouse slowly.

But, er, I've just tried the 1964.exe from that download, without the mouse injector, and just used 1964's inbuilt mouse options, and it seems to play very well. Which makes me wonder if the 1964 exe has been altered, as I'm sure I would have checked all N64 emulators previously in the hopes of finding one that used the mouse correctly (or maybe 1964 was updated after I tried it). So, to answer your question, the mouse acts the same as it does in any first person shooter (i.e. it moves your point of view, and left mouse button fires your weapon), whether you use the mouse injector or just (this version of the) 1964 emulator. And the mouse injector seems redundant, unless it makes the mouse usage slightly smoother or whatever, since it looks like 1964 itself uses the mouse well. A real surprise, really.



#14 Didier Stevens (BC Advisor, 2,698 posts)

Posted 01 March 2015 - 04:47 PM

That doesn't surprise me, because the mouse injector does not read mouse clicks, only mouse position. So the N64 must have some kind of mouse support.

With the amount of reversing I did on the mouse injector, I'm thinking that it is not malware.

It listens to the keyboard while it doesn't have focus, and it opens processes, to read and write into their memory. That's why it triggers several AV programs.

But in this case, this behavior is not malicious.

For reference, I'm including the MD5 of the "Mouse Injector.exe" file I analyzed: fc36a7368e92b9d7470b6730e50a5a28

So you don't have a 100% answer that it's not malware, but let's say it's a 95%.




#15 quietman7, Bleepin' Janitor (Global Moderator, 51,476 posts, Virginia, USA)

Posted 01 March 2015 - 05:10 PM

behavior not malicious but enough to be detected as suspicious....hence the generic detection.

Would that be the likely assessment?



