Chocolate Doom 2.1.0 Official DL... malware?

Davitch
Phobos Directive
Posts: 67
Joined: Thu May 20, 2010 22:01

Chocolate Doom 2.1.0 Official DL... malware?

Post by Davitch »

Just thought I'd alert people that the latest Chocolate Doom version for windows seems to have a malware identified as GEN.VARIANT.KAZY by a number of Anti-Malware programs as shown here:

https://www.virustotal.com/en/file/2ea2 ... 426279554/

I would have contacted Fraggle directly about this, but I wasn't sure how to get a hold of him.
Gez
Developer
Posts: 1399
Joined: Mon Oct 22, 2007 16:47

Re: Chocolate Doom 2.1.0 Official DL... malware?

Post by Gez »

He's active at Doomworld.
I'm inclined to believe it is a false positive since AFAIK Fraggle does not use Windows at all, even to compile Windows versions of ChocoDoom, so his setup couldn't be infected by a Windows malware.
Rachael
Developer
Posts: 3646
Joined: Sat May 13, 2006 10:30

Re: Chocolate Doom 2.1.0 Official DL... malware?

Post by Rachael »

Most likely a false positive as Gez said.

Any VirusTotal reports that are anywhere between 3 scanners and somewhere about half the total number of scanners used at the given moment are quite inconclusive. They are indicative that caution should be warranted but it does not necessarily implicate the presence of actual malware. The only real way to test this would be using custom virtual machine software that tracks all the changes to a system and tracks all of its activities over a period of time, as well as decompiling its code - something that some anti-virus companies do better than others, and none of the software they use is ever publicly available, although they may base it on existing products (such as VirtualBox).

That being said, "Gen"s or "General"s are almost always the result of a heuristic analysis. This is where the greatest majority of false positives come from - the code is tested for certain patterns that are usually indicative of malware. However, such code can often be quite inconspicuous, or even simply be harmless data in the executable itself (such as an image). Heuristics are a necessary evil since viruses are often able to mutate upon replication and it makes them the only viable way to track them down - however, they are highly inaccurate, and given the amount of data that has to be tested on quite often slow machines, heuristic algorithms always favor speed rather than proficiency.

This is why harmless executable files are often flagged as viruses when they are not, and I strongly suspect that to be the case here. Give Gez and fraggle some time to figure this out - if there's a trick to recompiling the executable without the "offending code" it's probably going to be the best way to solve this issue, since antivirus companies can sometimes be a bit slow and stubborn about whitelisting false-positive executables.

Whatever Gez finds out about this - I trust him. I may not know him very well, and he is a true enigma, but I do know that he's been very impartial and extremely supportive to the community at large on so many levels with a huge array of things. If there's something wrong, he will tell us.
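The rule of thumb Rachael describes (a few generic or heuristic detections out of many engines is inconclusive, more than about half is a much stronger signal, and "Gen"-style names usually come from heuristics) can be written down as a small triage script. This is an added example, not code from this thread or from the Chocolate Doom project; it does not talk to VirusTotal, the 20-engine sample report and engine names are constructed, and the list of prefixes treated as generic/heuristic names is an assumption.

```python
"""Rough triage of a VirusTotal-style scan summary (constructed example).

Encodes the thread's rule of thumb: fewer than three engines is low signal,
three engines up to about half of them is inconclusive, more than half is a
strong signal.  Generic/heuristic detection names further suggest a false
positive and point to behavioural analysis or a rebuild from source.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import re


@dataclass(frozen=True)
class EngineResult:
    engine: str
    detection: Optional[str]  # None means this engine reported the file clean


# Prefixes that usually mark a heuristic or generic signature rather than a
# specific family match.  This list is an assumption, not a vendor standard.
GENERIC_NAME = re.compile(
    r"^(gen[:.]|generic|heur|suspicious|variant|trojan\.generic)", re.IGNORECASE
)


def is_generic_detection(name: str) -> bool:
    """True when the detection name looks heuristic/generic (e.g. Gen.Variant.*)."""
    return bool(GENERIC_NAME.match(name.strip()))


def triage(results: List[EngineResult]) -> Dict[str, object]:
    """Classify a scan summary and suggest the defender's next step."""
    total = len(results)
    if total == 0:
        raise ValueError("no engine results to triage")

    hits = [r for r in results if r.detection]
    generic_hits = [r for r in hits if is_generic_detection(r.detection)]
    ratio = len(hits) / total
    all_generic = bool(hits) and len(generic_hits) == len(hits)

    if not hits:
        level = "clean"
        next_step = "no detections; no action needed"
    elif len(hits) < 3:
        level = "low_signal"
        next_step = "very few engines; likely noise, re-scan after signature updates"
    elif ratio <= 0.5:
        level = "inconclusive"
        next_step = (
            "likely heuristic false positive; confirm with sandbox/VM behavioural "
            "analysis or rebuild from source"
            if all_generic
            else "mixed verdicts; run sandbox/VM behavioural analysis before trusting"
        )
    else:
        level = "likely_malicious"
        next_step = "majority of engines agree; treat as malicious until proven otherwise"

    return {
        "level": level,
        "hits": len(hits),
        "total": total,
        "detection_ratio": round(ratio, 3),
        "generic_hits": len(generic_hits),
        "all_generic": all_generic,
        "next_step": next_step,
    }


def constructed_sample() -> List[EngineResult]:
    """Constructed 20-engine report modelled on the thread: four generic hits."""
    flagged = {"Engine00", "Engine03", "Engine07", "Engine12"}
    return [
        EngineResult(name, "Gen.Variant.Kazy" if name in flagged else None)
        for name in (f"Engine{i:02d}" for i in range(20))
    ]


if __name__ == "__main__":
    for key, value in triage(constructed_sample()).items():
        print(f"{key}: {value}")
```

The thresholds live in `triage` so they are easy to adjust; the point is that the detection ratio and the character of the detection names are read together, and neither alone is treated as proof.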
Gez
Developer
Posts: 1399
Joined: Mon Oct 22, 2007 16:47

Re: Chocolate Doom 2.1.0 Official DL... malware?

Post by Gez »

http://www.doomworld.com/vb/post/1352549

I think this confirms that the report is a false positive.

And thanks for the kind words, Eruanna. :)
Rachael
Developer
Posts: 3646
Joined: Sat May 13, 2006 10:30

Re: Chocolate Doom 2.1.0 Official DL... malware?

Post by Rachael »

You're welcome, although they were merely true. :)
Davitch
Phobos Directive
Posts: 67
Joined: Thu May 20, 2010 22:01

Re: Chocolate Doom 2.1.0 Official DL... malware?

Post by Davitch »

Thanks for clarifying, good people. I will add chocolate-doom-setup.exe to the whitelist in Emsisoft. Cheers!