Instructor
Original Poster
#1 Old 9th Mar 2024 at 10:57 AM Last edited by FuryCat : 9th Mar 2024 at 1:28 PM.
Default Infected File Problem
Hello,
A very weird and unlikely problem with my upload "PaJama Jam" showed up yesterday.
A user reported one of the files displayed a message about the zip having a virus. I was confused as the file was clean before I uploaded it. I redownloaded the possibly infected file, and sure enough, the same "Virus Detected" message showed up. I resumed to see what the malicious file was, and immediately Windows Defender notified me of a bizarre file named "wacatac.b!ml" which had a severe level. I quarantined the file and removed it as soon as possible, then searched for information about the suspicious file. I was surprised to find that this file can be both a false positive and a real virus, and people have seen it in zip files they archived themselves. I believe I'm not in danger as I quarantined and removed the file, but what gets me is how that file managed to sneak in. I did not have it before, as Windows Defender would have warned me.

Now here's the part where I connected the dots: I was having problems with the upload wizard, server error 0's mainly. But I don't believe that would be the issue. But how would the weird file get in if the upload was entirely clean? I did read someone had had that file with another zip file that they made themselves, as I said. I'm just suspecting something could have happened during the uploading. I feel like that is the primary source of how the file got infected with that. The zip that I uploaded was fine, but the MTS one was infected with the 'virus'. Anyone have any ideas?

Cats are the cutest creatures. And the most stubborn.
Warrior Gryphon
site owner
#2 Old 9th Mar 2024 at 12:47 PM
Okay so according to the files on server they only contain .package files:

Code:
Type = 7z
Physical Size = 234917
Headers Size = 206
Method = LZMA2:384k
Solid = +
Blocks = 1

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2024-03-04 11:42:03 ....A       179604       234711  5fa20d12_PajamaJam1.package
2024-03-04 12:12:49 ....A       152632               5fc92b0c_PajamaJam2.package
------------------- ----- ------------ ------------  ------------------------
2024-03-04 12:12:49             332236       234711  2 files


Code:
Type = 7z
Physical Size = 151261
Headers Size = 162
Method = LZMA2:192k
Solid = -
Blocks = 1

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2024-03-04 11:42:03 ....A       179604       151099  5fa20d12_PajamaJam1.package
------------------- ----- ------------ ------------  ------------------------
2024-03-04 11:42:03             179604       151099  1 files


So this indicates that the files on the MTS server are correct in that there are no exe files or anything. I suspect that it's actually Windows Defender being totally dumb (see other reports: https://www.reddit.com/r/antivirus/...in32wacatacbml/ )

Indeed, I cannot download it in Chrome, but I can download in linux and examine the file:

Code:
Path = getfile.php?file=2211408&v=1709834133
Type = 7z
Physical Size = 234917
Headers Size = 206
Method = LZMA2:384k
Solid = +
Blocks = 1

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2024-03-04 16:42:03 ....A       179604       234711  5fa20d12_PajamaJam1.package
2024-03-04 17:12:49 ....A       152632               5fc92b0c_PajamaJam2.package
------------------- ----- ------------ ------------  ------------------------
2024-03-04 17:12:49             332236       234711  2 files


My guess is that it's a false positive. It's triggering on *something* inside the .7z file, but it's a regular .package (as the Information tab on the download shows) so should be fine in the sense of nothing can get executed.

This also happens with:
https://db.modthesims.info/d/682865...-m-outfits.html and
https://db.modthesims.info/d/682480...emale-sims.html and
https://db.modthesims.info/d/682640...ed-outfits.html

But only to the BeltedCoat on the last one.

Running a clamav virus scan in Linux shows me 0 viruses:

Code:
root@fileserver:~/tmp# ls -latr
total 568
-rw-r--r--  1 root root 179604 Mar  4 16:42 5fa20d12_PajamaJam1.package
-rw-r--r--  1 root root 152632 Mar  4 17:12 5fc92b0c_PajamaJam2.package
-rw-r--r--  1 root root 234917 Mar  7 17:55 AllPajamas.7z

root@fileserver:~/tmp# /usr/bin/clamscan *
/root/tmp/5fa20d12_PajamaJam1.package: OK
/root/tmp/5fc92b0c_PajamaJam2.package: OK
/root/tmp/AllPajamas.7z: OK

----------- SCAN SUMMARY -----------
Known viruses: 8686298
Engine version: 0.103.10
Scanned directories: 0
Scanned files: 3
Infected files: 0
Data scanned: 0.89 MB
Data read: 0.54 MB (ratio 1.66:1)
Time: 14.716 sec (0 m 14 s)
Start Date: 2024:03:09 12:46:06
End Date:   2024:03:09 12:46:20



So nothing sneaked in while uploading, it's just *something* inside those package files is triggering Windows Defender.

Story books are full of fairy tales, of Kings and Queens, and the bluest skies.
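A practical check for the question this post answers (did anything get into the archive on its way to or from the server?), as an added example that is not part of the thread, the MTS site or 7-Zip. It assumes the archive is a .zip, because Python's standard library has no 7z reader (for a .7z, the `7z l` listing above or the third-party py7zr package does the same job). Rather than trusting file names, it reads the first bytes of every member and only accepts entries that begin with the `DBPF` tag a Sims 2 .package starts with, flags executables hiding behind a .package name, and compares the SHA-256 of the local archive with the downloaded copy. The sample archive, including the two bad entries, is constructed inline.

```python
import hashlib
import io
import struct
import zipfile

# First bytes of file types that can run or script something on the downloader's machine.
EXECUTABLE_MAGICS = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with shebang",
}
# A Sims 2 .package is a DBPF container and starts with this ASCII tag.
DBPF_MAGIC = b"DBPF"
ALLOWED_EXTENSIONS = {".package"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def same_bytes(local_copy: bytes, downloaded_copy: bytes) -> bool:
    """True when the archive you uploaded and the one served back are byte-identical."""
    return sha256_hex(local_copy) == sha256_hex(downloaded_copy)


def classify_member(name: str, head: bytes) -> str:
    """Return 'ok' for a genuine .package entry, otherwise the reason it should be flagged."""
    parts = name.replace("\\", "/").split("/")
    if name.startswith(("/", "\\")) or ".." in parts:
        return "path traversal in member name"
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in parts[-1] else ""
    if ext not in ALLOWED_EXTENSIONS:
        return f"unexpected extension {ext or '(none)'}"
    for magic, label in EXECUTABLE_MAGICS.items():
        if head.startswith(magic):
            return f"{label} disguised as {ext}"
    if not head.startswith(DBPF_MAGIC):
        return "not a DBPF container"
    return "ok"


def inspect_zip(archive: bytes) -> dict:
    """Map each member name to its classification, reading only the first 8 bytes of each."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            findings[info.filename] = classify_member(info.filename, head)
    return findings


def build_sample_archive() -> bytes:
    """Constructed test data: one genuine-looking package plus two entries that must be flagged."""
    # 96-byte DBPF header: tag, major version 1, minor version 2, remaining fields zeroed.
    dbpf = DBPF_MAGIC + struct.pack("<II", 1, 2) + b"\x00" * 84
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("5fa20d12_PajamaJam1.package", dbpf)
        zf.writestr("bonus.package", b"MZ\x90\x00" + b"\x00" * 60)  # PE hiding behind .package
        zf.writestr("readme.exe", b"MZ\x90\x00")
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_archive()
    for member, verdict in inspect_zip(archive).items():
        print(f"{member}: {verdict}")
    print("download matches local copy:", same_bytes(archive, archive))
```

The hash comparison is the part that answers "did something sneak in during upload": if the bytes you uploaded and the bytes served back are identical, the scanner is reacting to content you produced yourself, which is exactly the situation the listings and the clamscan run above describe.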
Warrior Gryphon
site owner
#3 Old 9th Mar 2024 at 12:52 PM
Also this upload https://db.modthesims.info/d/682480...emale-sims.html

Only the first file there says it has a virus. All the rest are fine.

Are you using some weird compressorizer or something? The package files seem fine though, since the site is able to read them for the Information tab. I also checked other creators who have recently uploaded and all of the other stuff is fine. It's only your stuff, but not all of it.

Instructor
Original Poster
#4 Old 9th Mar 2024 at 12:59 PM
Quote: Originally posted by Tashiketh

I had NO idea that this has happened to others of my uploads. I have read thousands of reddit posts that say how wacatac is a really common false positive. I'm curious how this happened and what is triggering Windows Defender to freak out.
I'm guessing they're all safe and people can download them, as long as they resume the download?
I checked the package files, but it's all really normal. Does Chrome freakout with the other files too? I'm curious to know as no one reported this issue.

Instructor
Original Poster
#5 Old 9th Mar 2024 at 1:03 PM
Quote: Originally posted by Tashiketh

I'm really only using 7zip. I haven't done anything weird to the zip files. I'm really weirded out about this.

Warrior Gryphon
site owner
#6 Old 9th Mar 2024 at 1:11 PM Last edited by Tashiketh : 9th Mar 2024 at 1:25 PM.
For all of the uploads I reported Chrome does not allow download of the files I indicated. So yeah it's a really common false positive.

If I look inside one of the package files I see:
Code:
(venv) root@fileserver:~/tmp# dbpf l 5fa20d12_PajamaJam1.package
DBPF: v1.2 | Index: v7.2, 7 entries @ 0x2bcec, size 168 bytes | Game: The Sims 2 (TS2) | HiInstance: True Holes: 3

key                                   name         size    truesize      offset  compression                   
------------------------------------  -----  ----------  ----------  ----------  ------------------------------
0C560F39::5FA20D12::0000000100000000  BINX          130         193      178758  CompressionType.CHECK         
AC506764::5FA20D12::0000000100000000  SKIN          124         124      178972  CompressionType.NONE          
53545223::5FA20D12::0000000100000000  STR#           25          83      178938  CompressionType.CHECK         
EBCF3E27::5FA20D12::0000000100000000  GZPS          399         690         531  CompressionType.CHECK         
49596978::5FA20D12::FF55B1A07FB7C73C  TXMT          366         550          96  CompressionType.CHECK         
E86B1EEF::E86B1EEF::286B1F0300000000  DIR           100         100      179336  CompressionType.NONE          
1C4A276C::5FA20D12::FF1853FC5A1680BD  TXTR       177810     1048722         939  CompressionType.CHECK         


Interestingly enough, if I extract them in Linux and manually copy the .package files to Windows, they scan fine:



So this indicates it's the actual .7z. If you make them .zip then it works fine. (I attached a .zip file of the AllPajamas.7z and it can be downloaded fine)

Edit to add: Added a .7z version

Okay so yeah the .7z version is definitely the culprit, not the package files inside. (See the attached .7z for proof)

You should recompress them all as .zip and it'll work fine!
Attached files:
File Type: zip  AllPajamas.zip (276.8 KB, 1 downloads)
File Type: 7z  AllPajamas.7z (229.5 KB, 3 downloads)

Instructor
Original Poster
#7 Old 9th Mar 2024 at 1:27 PM
Quote: Originally posted by Tashiketh

Hmm, this is pretty weird. I suppose every time I upload something I'll compress it to zip. I still don't know why 7z is being weird and causing Windows Defender to scream about it. I guess this is solved. Will I have to re-zip all affected downloads?

Warrior Gryphon
site owner
#8 Old 9th Mar 2024 at 1:28 PM
Yes, you'll have to re-zip all of the affected ones. I don't know why .7z is doing it either, but since it's also when I compress it to .7z it means it's nothing you did specifically. It's just a weird oddity.

Instructor
Original Poster
#9 Old 9th Mar 2024 at 2:06 PM Last edited by FuryCat : 9th Mar 2024 at 2:21 PM.
Quote: Originally posted by Tashiketh


If I use the 7zip compressor program but change the file extension to .zip, will that fix the problem? Or will I have to change compressing programs altogether?
Edit: Actually, whenever I download an affected file it seems to be fine. I tried downloading the BeltedCoat outfit and also the Artsy Like You tops but they don't craze Chrome nor Windows Defender.

Warrior Gryphon
site owner
#10 Old 9th Mar 2024 at 9:36 PM
You can't just change the file extension manually, but if you right click the package files, then select 7-Zip, then Add to "blahblah".zip then it'll make an actual .zip file and be fine.

Or just use the in built windows compression and use it that way.

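To make the point in this post concrete (renaming a .7z to .zip does not make it a zip; 7-Zip's "Add to ... .zip" writes a different container), here is an added example that is not from the thread or from 7-Zip. It identifies the container by its leading signature bytes rather than by the file name, shows that a renamed 7z still fails `zipfile.is_zipfile`, and builds a genuine zip from a set of .package files the way a repack should. The 7z blob is constructed inline (signature and version bytes plus padding, not a working archive), and the pre-upload check function is a hypothetical helper.

```python
import io
import zipfile

# Leading signature bytes of the archive containers mentioned in this thread.
SIGNATURES = [
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"PK\x03\x04", "zip"),
    (b"Rar!\x1a\x07", "rar"),
]


def container_type(data: bytes) -> str:
    """Identify the container from its first bytes; the file name is ignored on purpose."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return "unknown"


def is_real_zip(data: bytes) -> bool:
    """zipfile looks for the end-of-central-directory record, so a renamed .7z fails here."""
    return zipfile.is_zipfile(io.BytesIO(data))


def repack_as_zip(members: dict) -> bytes:
    """Write a genuine zip (what 7-Zip's 'Add to ... .zip' does) from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, payload in sorted(members.items()):
            zf.writestr(name, payload)
    return buf.getvalue()


def renamed_7z_sample() -> bytes:
    """Constructed: 7z signature, format version 0.4, then padding, as if saved as 'x.zip'."""
    return b"7z\xbc\xaf\x27\x1c" + b"\x00\x04" + b"\x00" * 24


def check_upload(name: str, data: bytes) -> str:
    """Hypothetical pre-upload check: does the extension match what the bytes actually are?"""
    kind = container_type(data)
    ext = name.rsplit(".", 1)[-1].lower()
    if kind == "zip" and ext == "zip" and is_real_zip(data):
        return "ok: genuine zip"
    if kind != "unknown" and kind != ext:
        return f"mismatch: named .{ext} but contents are {kind}"
    return f"not a usable zip (container: {kind})"


if __name__ == "__main__":
    fake = renamed_7z_sample()
    print(check_upload("AllPajamas.zip", fake))
    real = repack_as_zip({"5fa20d12_PajamaJam1.package": b"DBPF" + b"\x00" * 92})
    print(check_upload("AllPajamas.zip", real))
```

A scanner, like this check, keys on the bytes and not the extension, which is why only a real repack changes what Defender sees. Windows' own "Send to > Compressed (zipped) folder" and 7-Zip's zip output both produce the `PK` container that passes here.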
Instructor
Original Poster
#11 Old 10th Mar 2024 at 8:13 AM Last edited by FuryCat : 10th Mar 2024 at 9:29 AM.
Quote: Originally posted by Tashiketh


Yeah, that's what I meant, sorry for not phrasing it correctly. I couldn't find the Windows compression so I'll stick to the 7zip method.

I'm confused, as Chrome now allows me to download the affected files, including the most problematic one, and Windows Defender doesn't notify me of anything. This is all really bizarre.

Instructor
#12 Old 10th Mar 2024 at 2:01 PM
Just coming to report the same problem on my latest update: https://modthesims.info/d/588966/al...24-updated.html
It is also a 7zip and it got me worried since I'm on a Mac: no reason to have that kind of file. I've tried looking for it in hidden files; it is not even showing up.
Someone suggested my account might have been hacked and the 7zip swapped with a corrupted one.
Obviously, Chrome lets me download the file: never seen Chrome stop me from downloading anything, not sure we have that protection on Mac (or is it rarely triggered?)

Edit: I did not remove the 7zip (in case anyone wants to make some tests) and uploaded a zip of the exact same folder ...

I make sims worlds ... can you believe it ?
Instructor
Original Poster
#13 Old 10th Mar 2024 at 2:08 PM Last edited by FuryCat : 10th Mar 2024 at 3:14 PM.
Quote: Originally posted by Blackgryffin


Is the virus wacatac? I've seen it's really common this month or so. If you go to the antivirus subreddit there are people asking for help with this stupid wacatac file. It's more often than not a false alarm. I still don't know why 7z triggers this problem, but just change the files to zip and it will work.

Chrome also allows me to download affected files for some reason. It's all very weird.

-------------
To creators:
If you have this problem, it's not your fault. It's not something you did, it is a weird oddity that happens with 7zip, and it can happen to any file (it has been reported by users who have made apps themselves and had their antivirus notify them of it). Chances are, a file called wacatac is probably what your antivirus will say it is. This is probably not harmful as you made the file yourself.
Inform people by putting up a notice in your upload's description!! This is important. Inform your downloaders that this is NOT dangerous, that once the 7z files have been replaced with zip they can safely download, and that this is a false alarm.
Replace all the 7z files with zip files. The primary culprit is 7z. Zip files work fine and alleviate the issue.
Test your old upload by redownloading it. This will not always work and Chrome may allow you to download it, but if it says virus detected then it's the false positive wacatac file.
Make a habit of compressing your files into zip instead of 7z. This will obviously save you time from replacing the files again and again.
If you are still scared, run a full scan on your PC. It's probably only a false alarm. Wacatac is an incredibly common false positive: if you tested and downloaded the affected file, just quarantine and remove it right away and you'll be safe.

To downloaders:
If you download something and it says virus detected, here's what to do:
Inform the creator kindly and do not resume the download. Do not blame them for this; this isn't a virus and 7z is the actual problem. We still don't know why 7z causes this but it's certainly not the creator's fault.
Link to this thread in the feedback comment you will make. This thread can be helpful to those who have this issue.

Lab Assistant
#14 Old 23rd Mar 2024 at 4:28 PM
This issue also affects '.zip' and '.rar' files. Converting the zip format itself doesn't work at all.
An update of MS Defender patterns seems to help or make the situation even worse.

With Firefox one should be able to download such files.
Instructor
Original Poster
#15 Old 23rd Mar 2024 at 5:05 PM
@o19 To me, it doesn't happen anymore, and this is why I don't understand this issue. It's weird considering sometimes it works, sometimes it doesn't.
Have you got an upload which displays a false positive notification and it's not 7zip?

Lab Assistant
#16 Old 24th Mar 2024 at 1:29 AM
I still have the '.rar' file and it downloads without any issues now. It contains only three plain Python files (not compiled), nested quite deep into sub folders. Anyhow, I can't share the file.
The things which change daily on Windows are the Defender patterns, so I suspect that MS added patterns which have matched way too much.
Instructor
Original Poster
#17 Old 24th Mar 2024 at 10:17 AM
Quote: Originally posted by o19

The "virus" is marked "!ml", which means Windows marked it as a trojan based on its machine learning, so it's very possible this happened.
This happens with Python files commonly; if you search for this on reddit you'll find people who made Python files themselves that, when they downloaded them, got marked with this exact same "trojan" without having anything in them.

Test Subject
#18 Old 4th Apr 2024 at 10:22 AM
I checked the package files, but it's all really normal. Does Chrome freakout with the other files too? I'm curious to know as no one reported this issue.
Instructor
Original Poster
#19 Old 4th Apr 2024 at 12:24 PM Last edited by FuryCat : 7th Apr 2024 at 9:09 AM.
Quote: Originally posted by flaxzune


There is (was?) a virus called "wacatac.b!ml" which Windows falsely identifies archives as having. There appear to be quite a lot of variations, from wacatac.h!ml to wacatac.g!ml. The !ml suffix means that Windows identified it using its machine learning only, which also means it can just be a false alarm, which ALSO happened in this case. Confusing, right?
We thought it was only happening with 7zip but it appears to happen to all archives, but not every time. I tried downloading one of my past affected files and it did not happen.
Wacatac IS a real virus. It is a trojan, BUT it is very easy for Windows to get confused on this because the virus probably uses similar things with archives. If you search wacatac up you will see cases of it. I am assuming this is a new one as people report having it now.
Because MTS needs archive files, there is of course the chance of Windows falsely accusing the files of having it.
Chrome and all browsers will freak out with these, but only sometimes; the problem does not occur now, at least for me, which I am saying for only me as there have been recent issues with this.

Criteria for false or true wacatac:

True wacatac: Does not leave if attempted to be quarantined and removed.
False wacatac: Gets removed if attempted to quarantine and remove.
In some cases, this is the opposite. The true virus leaves and the false virus stays, but it was different for me.
Here is a post about it: https://answers.microsoft.com/en-us...94-625a3402d26a
