Oblivion suddenly trying to access the internet (virus?)

Post » Thu May 03, 2012 8:43 am

Hi everybody,

For a couple of days now, my Oblivion.exe has been trying to access the internet when starting up.
This happens only sporadically (approx. once per 5 game starts), but it has never done this before!

According to my firewall logs, it's trying to access the IP 224.0.0.22 (igmp.mcast.net).
To be safe, I've told my firewall to block it.

Does anybody know where this comes from? Have I caught some virus by installing a mod? Or is it "mostly harmless" (as Douglas Adams might have called it)?

Note that I am using BUDA20's Fake Fullscreen Mod (http://www.tesnexus.com/downloads/file.php?id=38800), which means that I usually start Oblivion_Fullscreen.exe, which then invokes Oblivion.exe.
However, I consider it unlikely that this could be the reason, because:
- the firewall alert always derives from Oblivion.exe, not from Oblivion_Fullscreen.exe
- I haven't changed either of the two files for months, but the firewall alerts started only a few days ago (roughly 2 weeks)

I've run thorough virus scans, of course (with Comodo and MS Security Essentials). But none of them revealed any threat.

Thanks for any help!
Kristina Campbell
 
Posts: 3512
Joined: Sun Oct 15, 2006 7:08 am

Post » Thu May 03, 2012 12:55 pm

Found some information myself already:

http://www.spywareinfoforum.com/index.php?/topic/43918-igmpmcastnet/page__view__findpost__p__229719
These guys are stating that it is indeed "mostly harmless", though I do not really understand what they mean.

On one of the sites linked there, there's some explanation of what is behind those "multicast addresses" starting with 224.x.x.x:
http://www.freesoft.org/CIE/RFC/1700/5.htm
INTERNET MULTICAST ADDRESSES

Host Extensions for IP Multicasting [RFC1112] specifies the
extensions required of a host implementation of the Internet Protocol
(IP) to support multicasting. Current addresses are listed below.

The range of addresses between 224.0.0.0 and 224.0.0.255, inclusive,
is reserved for the use of routing protocols and other low-level
topology discovery or maintenance protocols, such as gateway discovery
and group membership reporting. Multicast routers should not forward
any multicast datagram with destination addresses in this range,
regardless of its TTL.

So I suppose that in my case it has to do with my recent move (with a new DSL router setup). I am still a bit uncertain, because I believe that the firewall messages started before my move, but I can't tell for sure.

Anyway, it doesn't seem to do any harm to block the internet access for Oblivion.exe, so I'll leave it that way.

Hope this is helpful for others.
Any more feedback still appreciated!
Paula Rose
 
Posts: 3305
Joined: Fri Feb 16, 2007 8:12 am
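
Added example, not part of any post in this thread: a small triage script that sorts outbound firewall log entries by destination scope, using the 224.0.0.0 to 224.0.0.255 range from the RFC 1700 text quoted above. The log format, the sample lines and all function names are constructed for illustration.

```python
import ipaddress
import re

# Range from the RFC 1700 excerpt quoted above: reserved for routing and
# group-membership protocols; multicast routers should not forward it.
LOCAL_CONTROL = ipaddress.ip_network("224.0.0.0/24")
# RFC 1918 private ranges (typical home LAN addressing).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log lines in a hypothetical format (not real firewall output).
# 203.0.113.10 is a documentation address standing in for an internet host.
SAMPLE_LOG = """\
2012-05-03 08:41:10 ASK Oblivion.exe OUT IGMP dst=224.0.0.22
2012-05-03 08:41:12 ALLOW updater.exe OUT TCP dst=203.0.113.10:443
2012-05-03 08:41:15 ALLOW mediaplayer.exe OUT UDP dst=239.255.255.250:1900
2012-05-03 08:41:20 ALLOW game.exe OUT TCP dst=192.168.1.20:27015
"""
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>\S+) (?P<proc>\S+) OUT (?P<proto>\S+) dst=(?P<dst>[0-9.]+)")

def classify(dst):
    """Classify a destination IPv4 address by how far the packet can travel."""
    addr = ipaddress.ip_address(dst)
    if addr in LOCAL_CONTROL:
        return "multicast-local-control"   # stays on the local network segment
    if addr.is_multicast:
        return "multicast-other"           # 224.0.1.0 and above; may be routed
    if any(addr in net for net in RFC1918):
        return "private-lan"
    return "other-unicast"                 # may leave the LAN; check the remote host

def triage(log_text):
    """Return (process, destination, category) for each parsed log line."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m["proc"], m["dst"], classify(m["dst"])))
    return rows

if __name__ == "__main__":
    for proc, dst, category in triage(SAMPLE_LOG):
        print(f"{proc:18} {dst:18} {category}")
```

The category describes only where the packet is addressed, not which code inside the process sent it.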

Post » Thu May 03, 2012 5:26 am

Multicasting is harmless, but it can be annoying if you maintain a firewall.

It's odd, though, that Oblivion is requesting a multicast feed.

You can always tell your router's SPI firewall to automatically filter multicast requests, and that may prevent your firewall from alerting you. Obviously, you only want to do this if you don't need multicasting allowed for other purposes. Multicast is usually NOT filtered by default.
Natasha Biss
 
Posts: 3491
Joined: Mon Jul 10, 2006 8:47 am

