Trojan in Winamp uninstaller?
 

just ran my trojan remover v6.1.7 trojan defs released today and it found this
C:\Program Files\Winamp\UninstWA.exe appears to contain: Adware.AIM.BuddyLinks
C:\Program Files\Winamp\UninstWA.exe has been deleted, or marked for deletion if it is in use.
------------------------------
7006 files scanned
1 trojanned file detected
now I downloaded Winamp 5.02 when it came out from the download link here at winamp.com so can anyone explain why this file is here or why it would be found within the uninstaller for winamp?

well, if its the buddylinks trojan than it really has nothing to do with winamp - its a trojan/virus that is transmitted via AIM. do you recall installing a "game" called Bin Laden captured or something? That's how you got infected.

why it hide itself in the winamp folder I cant say.

nope no game installs. I do remember that trojan when it first came out. I read about it over at broadband reports forums. Boy it was a mess how quickly it spread.
actually it was imbedded within the uninstall.exe itself not just in the folder.
it's weird that it would get past my AV it scans everything that comes into my system. and I don't use AIM btw.
thanks for the reply.

I just decided to run my Trojan scanner on the winamp.exe download that I still have in my downloads folder it actually found the trojan in it.

***** INDIVIDUAL FILE SCAN *****
Trojan Remover Ver 6.1.7. For information, email support@simplysup.com
[Unregistered version]
Scan started at: 3/2/2004 1:47:53 AM
Using Database v6093
Operating System: Microsoft Windows 2000 Version: 5.0 (Build: 2195 Service Pack 4)
-----------------------------------
Carrying out individual file scan on D:\DL\Apps\Winamp\winamp502_full.exe
This file appears to contain: Adware.AIM.BuddyLinks
************************************************************

Well, I went and installed this Trojan Remover thing, including the latest update

http://www.simplysup.com/tremover/download.html

Just ran it, and this is what it had to say...

This file appears to contain: Adware.AIM.BuddyLinks

winamp502_full.exe
winamp502_pro.exe
winamp502_lite.exe
ml_ipod_02a.exe

Database description:
Sends advertisement links via AOL Instant Messenger to AIM Buddies of the infected user.


See screenshot for details.


I've a feeling that this is a false alarm/false-positive,
but we will definitely need to look further into this matter.

At first I thought it could be something to do with AOD (aol on desktop icon),
but ml_ipod_02.exe !!!
This definitely suggests "false-positive", and should be reported to the program makers (Simply Super Software).

definatly a false-positive there.

Yup. That's what I reckon...
especially seeing that no other trojan-detection software finds it :/

but... ml_ipod plugin! Heh. No way!

Update: I've sent an e-mail to the address provided here

Hey guys thanks alot for the attention to this :up: .. I've used Winamp for along time now and have always enjoyed using it..and will of course continue using it. in fact i'm jammin with it right now drinkin my coffee before I go to work.

I was thinking that it might be a false positive (I wish I had some of the previous trojan defs to try out on it but oh well. I thought it would be good to get some other opinions so that's why I came here first to the source of greatness :D

i'd assume it would false positive against any installer made with the latest nsis then.. .worth mentioning to the scanner manufacturer prehaps?

Results of email contact:


For Attn of: Nigel Thomas


Hi

Thank you for your prompt reply.

I've attached one of the files for you.
This is a zipped ml_ipod_02a.exe (iPod Support plugin installer)

The other files can be acquired by downloading the Winamp 5.02 Lite or Full installer
http://www.winamp.com/player/free.php

I've a strong feeling that this may have something to do with the new NSIS installer,
and that your Trojan Remover might produce a false-positive for any installer made with it.
http://nsis.sourceforge.net/home/


Kind regards

DJ Egg
Winamp Forums Moderator



----- Original Message -----
From: SimplySupSupport@aol.com
To: dj_egg
Sent: Tuesday, March 02, 2004 4:35 PM
Subject: Re: Winamp 5 installer detected as containg Adware.AIM.BuddyLinks


Hello dj_egg@*.com,

In reference to your comment:

> It has been brought to our attention that your Trojan
> Remover software is falsely detecting the Winamp 5.02
> installer as containing Adware.AIM.BuddyLinks
> forums.winamp.com/showthread.php?postid=1293132#post1293132
> Could you please look into this matter

Immediately. These are obviously false positives, which we shall correct as soon as possible. Please accept our apologies for this - whilst false positives are rare, they can be very unnerving.

Are you able to provide a link to one of the files detected falsely, or send us one directly, so that we can ensure we eliminate the false positive completely?

Nigel Thomas
Simply Super Software
Home: http://www.simplysup.com
Support: http://www.simplysup.com/tremover/support.html
Email: support@simplysup.com or simplysupsupport@aol.com



========Original Message========
Subj: Winamp 5 installer detected as containg Adware.AIM.BuddyLinks
Date: 02/03/2004 16:05:03 GMT Standard Time
From: dj_egg@*.com
To: simplysupsupport@aol.com
Sent from the Internet (Details)



Dear Simply Super Software

It has been brought to our attention that your Trojan Remover software is falsely detecting the Winamp 5.02 installer as containing Adware.AIM.BuddyLinks

http://forums.winamp.com/showthread.php?postid=1293132#post1293132

Could you please look into this matter

Kind regards

DJ Egg
Winamp forums moderator.

Email Update:

Thanks very much. I have now released database 6095 which should remove all these false positives. If any of your forum members report such a false positive, advise them to update to 6095 (or later) and see if the alert is still raised.

Please pass our apologies to your forum members that came up against this problem and many thanks for bringing it to our attention.

Nigel Thomas
Simply Super Software
Home: http://www.simplysup.com
Support: http://www.simplysup.com/tremover/support.html
Email: support@simplysup.com or simplysupsupport@aol.com

Wow DJ egg ... that was simply very cool on everyones part :D .. I would like to thank you for taking the time to look into this :up: and to the folks at simply super software for such a quick resolution to the false positves with a new defs :up: :D :up:
as I have always done I will always continue to talk about what a great program Winamp is and I'll let my friends know that Trojan Remover is a great program to work with also.

DJ EGG I WANT YOU TO HAVE MY BABY

That's what i call team spirit.