Stuart Udall (stuart_at_cyberdelix.net) noted the following on the Incidents mailing list: I bring to your most urgent attention that the copy of Gamespy Arcade 1.09 available on download.com at the address

http://download.com.com/redir?pid=10107395&merid=62178&mfgid=
62178 10107395&ontId=20&destUrl=http%3A%2F%2Flaunch.gamespyarcade.c
om%2Fsoftware%2Finstall%2FArcadeInstallFull109.EXE

(HNS Note: URL above is wrapped for better viewing purposes)

is infected with the W32/Nimda.gen@MM virus, as detected by
NAI/McAfee Viruscan.

The full URL of the infected file is:

http://launch.gamespyarcade.com/software/install/ArcadeInstallFull109.EXE

According to download.com, as of my writing, this file has been downloaded 112806 times from download.com since April 29, 2002.

The virus infected my computer after I downloaded and executed the program via http://www.download.com/ at around 21:45PM, and I'm justing finishing the cleanup now - it's 3:15AM and counting, thank you very much.

I do understand that the file is actually served from gamespy.com, but it was only by carefully inspecting the URLs served by download.com that this becomes evident. A less savvy user wouldn't make the distinction.

I suggest that every night, a download.com robot downloads each file download.com serves, and scans it.

Meanwhile, I suggest the guilty party at gamespy be shot.



Karen Cobb, Customer Service Manager at GameSpy Industries replied on the same mailing list: "Thanks for alerting us to the possible presence of a virus in the GameSpy Arcade Installer. We verified that the GameSpy Arcade Installer did indeed contain the W32.Nimda.E@mm virus shortly after receiving your e-mail. The infected file was immediately replaced with a virus-free version of the installer."

Information on Nimda family of worms can be found over here:
http://www.net-security.org/virus_item.php?id=4171

Nimda Removal tools:
+ BitDefender AntiNimda
+ Symantec Nimda.A Removal Tool
+ Symantec Nimda.E Removal Tool