malware

[Redstrike01]

Hi,

Please do not experiment with the url's that I'll put in this threat.

I recently had a malware/trojan on my PC - I hope shortly after, but possible at the moment, I had been on site www.matrixgames.com.

I have been tracing the actions of the software that contains the malware (new.exe) and my tracing software points to the server which contains www.matrixgames.com

I have sent a mail to developers@matrixgames.com explaining how I found this, but the mail is now gone a few hours and I did not receive any response. How can you see if you are infected : you need to look at the processes turning on your PC (attention only for Win XP users : on some PC's with Ctrl+Alt+Del) If it contains Serv1ce.exe (behind the letter v is a one) then you have propably the malware I found (on the internet I found more references on such a file but with some other characteristics than I had - so its possible a other variant of an existing malware.

If you don't have the serv1ce.exe, which is very well possible since the server which runs www.matrixgames.com does not make the malware appear in most normal circumstances, you don't need to worry about this forum thread, just check from time to time the processes runing.

At the moment I don't want to explain how the server start that proces on your PC because I don't want to give any ideas to people who are looking the spread other malware in that way - the explaination was sent to developers@matrixgames.com, along with the coding I found that eventually starts serv1ce.exe.

If you have serv1ce.exe the most important advice I can give you is not to user any usernames and paswords until it is cleaned from your PC. - I don't have a lot of time to explain, I gave my phonenumber to developers@matrixgames.com so if they find it's on their server (or on that of their ISP), I expect them to explain how to remove it - or if they can't to contact their supporting security software provider - in worst case they can always call. If they (www.matrixgames.com) do not have the code which initiates the malware, it is propably only my PC that play tricks on me with a malware or virus - and you all don't have to worry about it.

This thread is just a advice and warning to other users of the matrix site and forum. An other possible thing is that my PC is so infected that it only seems that the server from www.matrixgames.com initiates the processes which eventually leads to the malware on my PC (by some kind of spoof to my network protocol analyser) - I am not a senior expert on these things (I just know a lot of PC's).

I need to get my kid and wife, but I'll try to follow any reaction on this thread as soon as possible.

Sincerely yours,
Sven
alias Redstrike01

[DuckofTindalos]

We know this...

[Redstrike01]

The Torjan/Malware installation script is still on the server - just checked.  I have now sent the code of the malware script to my anti-virus software provider.
 
From Matrix themselves no response up till now.

[Marc von Martial]

I have sent a mail to developers@matrixgames.com explaining how I found this, but the mail is now gone a few hours and I did not receive any response.

Hi you should wite to tech support at support@matrixgames.com or webmaster@matrixgames.com the email adress you used is for game developer inquiries.

[Erik Rutins]

Redstrike01,

If this is a serious post, please e-mail any info you have to erikr@matrixgames.com and davidh@matrixgames.com ASAP and we will look into it right away.

Regards,

- Erik

[Erik Rutins]

Just FYI, I just went to our front page, www.matrixgames.com three times. I received no malware/virus warnings and I'm running AVG, NOD32 and Webroot SpySweeper. I checked my processes and no serv1ce.exe is running there. I go to www.matrixgames.com many times each day, so I'm not sure what you're seeing that I'm not.

Regards,

- Erik

[Redstrike01]

Erik,

I just mailed you and David the info already sent to support@matrixgames.com. I used emails : erikr@matrixgames.com; davidh@matrixgames.com

Keep me informed if you get the same result (the code that installs the Trojan). If you don't get that code the Trojan I seem to trace to your server comes from somewhere else - by spoofing my Network Analyzer or something else.

Sven

[Redstrike01]

It seems David is out of the office until the 8th. By the way serv1ce.exe is not running on the server. It will run only on a PC which becomes infected by a code that is sent from the server running the www.matrixgames.com. I am not sure but I think some code on the server was changed to add specific other code to some browser pages that are sent from the server, I don't even think you need to run a specific program on the server for that, just alter some code for specific pages - I don't want to get more specific on the forum.

Email me directly if more information is necessary for you.


Sven

[Redstrike01]

Hi,

The Trojan is gone, when I test it the way I found it.

Sven

[Erik Rutins]

Sven,

I replied to you by e-mail but wanted to post this here as well.

I just tried all the URLs you provided via e-mail on a "safe" computer and found no problems. No malware attack, nothing detected by my scanners, no unusual processes or files on the system. We are having our security people look into this, but all signs I can see indicate that it is not on our servers. Why it is showing up for you and not for me is a mystery to me, but perhaps our security folks will figure it out.

Regards,

- Erik