GameSpy Arcade Linked on Download.com Infected With Nimda
Stuart Udall (stuart_at_cyberdelix.net) noted the following on the Incidents mailing list: I bring to your most urgent attention that the copy of Gamespy Arcade 1.09 available on download.com at the address
62178
om%2Fsoftware%2Finstall%2FArcadeInstallFull109.EXE
(HNS Note: URL above is wrapped for better viewing purposes)
is infected with the W32/Nimda.gen@MM virus, as detected by
NAI/McAfee Viruscan.
The full URL of the infected file is:
http://launch.gamespyarcade.com/software/install/ArcadeInstallFull109.EXE
According to download.com, as of my writing, this file has been downloaded 112806 times from download.com since April 29, 2002.
The virus infected my computer after I downloaded and executed the program via http://www.download.com/ at around 21:45PM, and I’m justing finishing the cleanup now – it’s 3:15AM and counting, thank you very much.
I do understand that the file is actually served from gamespy.com, but it was only by carefully inspecting the URLs served by download.com that this becomes evident. A less savvy user wouldn’t make the distinction.
I suggest that every night, a download.com robot downloads each file download.com serves, and scans it.
Meanwhile, I suggest the guilty party at gamespy be shot.
Karen Cobb, Customer Service Manager at GameSpy Industries replied on the same mailing list: “Thanks for alerting us to the possible presence of a virus in the GameSpy Arcade Installer. We verified that the GameSpy Arcade Installer did indeed contain the W32.Nimda.E@mm virus shortly after receiving your e-mail. The infected file was immediately replaced with a virus-free version of the installer.”
Information on Nimda family of worms can be found over here:
http://www.net-security.org/virus_item.php?id=4171
Nimda Removal tools:
+ BitDefender AntiNimda
+ Symantec Nimda.A Removal Tool
+ Symantec Nimda.E Removal Tool