At the end of the file is the payload section starting with

Bugs will be moved here once resolved.

Post » Wed Mar 16, 2016 9:44 am

Message: pangzhenyao can only post plain text URLS until they have 500 rep. 2 URLS modified. Why?
Steam just sent me an email to report a payload at the very end of "index.html" located in an .ns package of my game. Have you had this issue before? Is it some sort of virus or an expected behavior?



Here are more exact instructions to see the issue:



1. Install anti-virus (both McAfee and Sophos have caught the file)

2. Turn on active monitoring

3. Launch the game.



The payload is at the very end of “index.html” which is located in an .ns package. When the game is launched nw.exe will extract this package that the virus scanner should flag it.



The payload is visible in the file even without a virus scanner. You can also see the payload in this version of the file we extracted on a virtual machine. http://pastebin.com/0TZGCPnp

At the end of the file is the payload section starting with <SCRIPT Language=VBScript>



In order to make your game available again, we need you to fix this so that the game files you are delivering to Steam customers does not include that script.



Your quick attention to this would be appreciated.
The payload is at the very end of “index.html” which is located in an .ns package; when the game is launched nw.exe will extract this package and the virus scanner flags it.



However, the payload is visible in this file even without a virus scanner. Also worth noting that a virus scanner will probably not catch the file during a normal scan since it’s packaged in a non-standard archive.



Here is the index.html file we pulled from matrino’s VM. You can clearly see the payload at the bottom of the file. http://pastebin.com/0TZGCPnp



B
4
Posts: 4
Reputation: 233

Post » Wed Mar 16, 2016 10:12 pm

It looks like you have the Win32/Ramnit.A virus which infects HTML files.
https://home.mcafee.com/VirusInfo/Virus ... 83337#none
B
55
S
29
G
19
Posts: 1,520
Reputation: 25,630

Post » Tue Mar 22, 2016 3:25 pm

Construct 2 definitely does not ship with this, it must be being inserted by something else on your system. Closing as not a bug.
Scirra Founder
B
387
S
230
G
88
Posts: 24,250
Reputation: 192,452


Return to Closed bugs

Who is online

Users browsing this forum: No registered users and 3 guests