Warning: Possible Trojan in latest version of Mimic Pro!



RTSchramm
09-10-2006, 04:17 PM
I'm hoping I'm wrong, because with the limited experience that I have had with Mimic Pro, I think it is an excellent program for the money. That said, here is what I have experienced so far:

I just bought Mimic Pro for LW9 and the Dari and Victoria models. I downloaded them directly from their site. As soon as I opened the properties of the DAZ Mimic Pro plugin I received an alert that the Dari installation file was trying to access the Internet. That didn't make sense, because an installation program only runs once. I denied the file access to the Internet, and Mimic Pro still worked fine. I decided to delete ALL references to the Dari installation file, registry, etc. and then reboot my computer. The next time I opened the Mimic Pro properties everything seemed fine at first; then, after closing and reopening Mimic Pro, I received another alert. This time, Zone Alarm detected that the Mimic Pro installation executable was trying to access the Internet. This doesn't make sense either. I have been using Zone Alarm for the last five years and it is always 100% reliable and gives me predictable results. For example, it is common for a program to access the Internet during the installation process to register the program or check for updates, but after it's installed, I have never seen a program use the original installation program to access Internet Explorer again; it usually opens Internet Explorer using its own process. I buy ALL of my software and use the latest versions of Norton Anti-Virus and Zone Alarm Pro. I schedule daily spyware and virus scans also.

I have notified DAZ about this and sent them screen shots similar to the one attached to this thread. It's possible that a hacker might have compromised their web site. As a network administrator working for the DoD, I have seen this fairly often.

Has anyone else who has recently downloaded Mimic Pro experienced this same problem when using Zone Alarm Pro?

NOTE: If you are not using a firewall that checks for unauthorized outbound traffic or program access, you would NEVER detect this type of behavior. Windows Firewall would not have detected this.

Also, as soon as I get some feedback from DAZ, or figure it out on my own, I will post another reply ASAP as to what is going on.

From what I have seen so far, Mimic Pro is worth the money for its ease of use. I'd just like to know why it is trying to access the Internet using its installation file.

Rich

Phil
09-12-2006, 08:24 AM
Various programs on Windows use parts of IE to work properly, generally for online help or to render some part of their interface.
I do not see a destination address or port on that ZA alert. Usually you would expect to see a destination address or port for something that is phoning home, or that uses local addresses (0.0.0.0 or similar) and ports for data transfer (as can be seen when LW fires up with a firewall running).

AVG from free.grisoft.com is a reasonable virus checker, if you don't have one to hand, and should put your mind at rest about trojans in executables.

RTSchramm
09-12-2006, 05:12 PM
I determined that it's NOT Mimic Pro that caused the problem, but the DARI model that I bought at the same time from the DAZ web store. I installed these two programs immediately after I downloaded them. I think the DARI installer is installing a trojan or something, because after I install it, my Zone Alarm Pro does not function correctly after the first alert pops up.
If you look at the attachment of my previous thread, there is no title, and I cannot view any of the properties in the window. Also, Zone Alarm has NEVER popped up on the upper left side of the screen before. Alerts have always appeared above the system tray.

Once you install a plugin, the plugin shouldn't call the original program to launch Internet Explorer etc. In fact, in this example, I had previously deleted ALL references to the file shown in the attachment of my previous thread.

UPDATE: Since I do a weekly image backup with Ghost, I reimaged my computer and then installed Mimic Pro again. This time I DID NOT GET ANY ZONE ALARM alerts after repeatedly opening and closing the properties of the plugin and opening and closing Layout.

BUT: When I installed the Dari model for Poser 6, and then launched LW9 and then opened up the Mimic Pro plugin properties, I was hit with a Zone Alarm alert. This time the offending file was the Dari installation file. So I sent the data to DAZ.

So my question is: WHY does the DARI installation file try to run when I open the properties panel of Mimic Pro? If I delete ALL DARI files and installation files on my computer, I get the same result: a Zone Alarm alert pointing to the installation file that I deleted.

I can repeat this over and over again. Mimic Pro runs fine with NO alert until I install the DARI model that I purchased from the DAZ web store.

I am an experienced network administrator who has been doing perimeter defense for the DoD for about 7 years, that is, doing intrusion detection, reviewing firewall logs for suspicious activity, etc. I have been using Zone Alarm Pro in EXPERT mode for 5 years. I built my computer system two years ago. I have NEVER had a virus, trojan, or any other suspicious behavior detected on this computer until now. I do daily virus and spyware scans, and weekly Ghost image backups.

Rich.

DogBoy
09-13-2006, 01:06 AM
Sorry if I'm being thick here (I haven't had coffee yet), but surely this is the standard action of DAZ model installers? It installs the model then loads an HTML file readme using your default browser.

Phil
09-13-2006, 05:32 AM
If you are that worried, look at any traffic generated to analyse what might be happening. Use VMWare's player freebie if you are concerned about compromising your system. As someone with that much experience, it should be trivial and would be more useful than hand wringing and speculation. I'm surprised that someone with so much apparent experience is unable to analyse or debug this further, before posting an alert.

In any case, the ZA prompt is typically uninformative; to my eyes, it doesn't look in any way suspicious. It's possible that the installer copied itself to %temp%, for example, but since no path is displayed, speculation is all I can offer. Perhaps 'view properties' would yield information, but there is no way to tell.

Aside from anything else, launching iexplore.exe isn't always a problem. Whether that's your default browser is another question, but even this isn't a sign of impending doom and devastation.

So...

You can either proceed and ignore the 'problem' and just assume that this is expected and harmless behaviour

or possibly use a Virtual Machine to contain any possible damage whilst proceeding and analysing what happens next (outbound traffic, if any, including destination information and content - you'll need additional software under Windows, or a BSD/OSX/linux box that can serve as a router so that you can capture the packets / check the logs).

or you can declare the thing to be completely hostile on principle and therefore return what you bought to DAZ via whatever complaints procedure they offer.

*shrug*