A Notification on the Avast Antivirus problem

This thread was automatically marked as Locked.

#1 Feb 11, 2013
MCFUser667103
MCFUser667103

View User Profile

View Posts

Send Message
- Void Walker
- Location: in front of my computer typing t
- Join Date: 8/19/2011
- Posts: 1,734
- Minecraft: rexo12
- Member Details
Recently many people on the forums have been complaining that Avast! antivirus program has been detecting malicious links in the Minecraft Launcher. This is nothing to worry about. This problem is a false-positive error and will be fixed soon. As an assurance, one person deconstructed the "malicious" image, and it turns out to be a GIF image:

Quote from JonasProgrammer

I just have disassembled the file using ida free. Nothing that looks pretty shell-code-like or malicious. Just the 'GIF89a'-Magic number and some bytes that look like the GIF-header. Has many 0-bytes in it, what shellcode typically avoids. And 35 bytes are too few for writing something malicius. Seems to be either false-positive or free download manager didn't download the whole file.

Or here:

Quote from JonasProgrammer

Here is the fully commented IDA-Output:

seg000:00000000 ;
seg000:00000000 ; +-------------------------------------------------------------------------+
seg000:00000000 ; ¦ This file is generated by The Interactive Disassembler (IDA) ¦
seg000:00000000 ; ¦ Copyright © 2010 by Hex-Rays SA, <[email protected]> ¦
seg000:00000000 ; ¦ Licensed to: Freeware version ¦
seg000:00000000 ; +-------------------------------------------------------------------------+
seg000:00000000 ;
seg000:00000000 ; Input MD5 : 55D25E9DC950D5DB4D53A3B195C046C6
seg000:00000000
seg000:00000000 ; File Name : C:\Downloads\p-19UtqE8ngoZbM_._gif_.__evil
seg000:00000000 ; Format : Binary file
seg000:00000000 ; Base Address: 0000h Range: 0000h - 0023h Loaded length: 0023h
seg000:00000000
seg000:00000000 .686p
seg000:00000000 .mmx
seg000:00000000 .model flat
seg000:00000000
seg000:00000000 ; ---------------------------------------------------------------------------
seg000:00000000
seg000:00000000 ; Segment type: Pure code
seg000:00000000 seg000 segment byte public 'CODE' use32
seg000:00000000 assume cs:seg000
seg000:00000000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg000:00000000 GIF_Header <'GIF89a', 1, 1, 0, 0, 0>
seg000:0000000D GIF_ImageDesc <2Ch, 0, 0, 1, 1, localColorTable> ; sizeColor table = 0 -> Color table contains 2 ^ (0 + 1) = 2 entries
seg000:00000017 GIF_LocalColorTableEntry <0FFh, 0FFh, 0FFh>
seg000:0000001A GIF_LocalColorTableEntry <0>
seg000:0000001D db 2 ; Initial count of LZW bits
seg000:0000001E db 2 ; Image data
seg000:0000001F db 44h ; D
seg000:00000020 db 1
seg000:00000021 db 0
seg000:00000022 db 3Bh ; ; ; End of image data
seg000:00000022 seg000 ends
seg000:00000022
seg000:00000022
seg000:00000022 end

And the structure definitions:

00000000 ; Ins/Del : create/delete structure
00000000 ; D/A/* : create structure member (data/ascii/array)
00000000 ; N : rename structure or structure member
00000000 ; U : delete structure member
00000000 ; ---------------------------------------------------------------------------
00000000
00000000 GIF_Header struc ; (sizeof=0xD)
00000000 GIF_magic db 6 dup(?) ; GIF89a or GIF87a
00000006 width dw ? ; width
00000008 height dw ?
0000000A colorTableInfo db ?
0000000B indBackColor db ?
0000000C pxAspectRatio db ?
0000000D GIF_Header ends
0000000D
00000000 ; ---------------------------------------------------------------------------
00000000
00000000 GIF_ImageDesc struc ; (sizeof=0xA)
00000000 imageSeperator db ? ; Should be 0x2C
00000001 imageLeftPos dw ?
00000003 imageTopPos dw ?
00000005 imageWidth dw ?
00000007 imageHeight dw ?
00000009 imageFlags db ? ; enum GIF_imageDesc_imageFlags
0000000A GIF_ImageDesc ends
0000000A
00000000 ; ---------------------------------------------------------------------------
00000000
00000000 GIF_LocalColorTableEntry struc ; (sizeof=0x3)
00000000 red db ? ; base 16
00000001 green db ? ; base 16
00000002 blue db ? ; base 16
00000003 GIF_LocalColorTableEntry ends
00000003

EDIT: After verifying the file does not contain any malicious code I opened it with mspaint. The result was a 1x1 px white picture.

Plus reassurance from other users:

Quote from Tedster

This has been asked tons - but it's simply that it's a tiny image that QuantServe uses (which is too small to have any malicious code in) linked to the Tumblr page that the Minecraft Launcher uses.
False-positive.

So, once you have read this, please tell everyone else that this is just a false alarm, until further notice.

Rollback Post to Revision RollBack

Free + Crabs + Ability to trample/suffocate opponents in Cortex Command = Free Bombs.
#3 Feb 11, 2013
BrokenEye
BrokenEye

View User Profile

View Posts

Send Message
- Mark of the Beast
- Join Date: 3/18/2011
- Posts: 2,670
- Location: Earth, Present Day
- Minecraft: BrokenEye
- Member Details
So how do I make it stop doing that?

Rollback Post to Revision RollBack

Also check me out on:
WordPress, Etsy, and Spore.
#4 Feb 11, 2013
webrosc
webrosc

View User Profile

View Posts

Send Message
Moderator
- Kitty Moderator
- Join Date: 11/26/2010
- Posts: 17,126
- Minecraft: webrosc
- Member Details
Going to lock this as we already have multiple threads on the issue
here http://www.minecraft...en-i-logged-in/
and here http://www.minecraft...ntivirus-alert/

we don't need more threads about the same issue

Rollback Post to Revision RollBack

DxDiag Log How To

Global Rules

Discussion | M&M | Other Platforms | Servers | Support | SyC | Off Topic

Quote me so i know you replied
To post a comment, please login or register a new account.

Previous Thread

Next Thread