Disclaimer - I do not write this to damage GOG reputation or to spread panic, but to raise awareness about the problem and to limit possible spread of the virus.

Filename: setup_rayman_forever_2.0.0.15.exe
SHA256 hash: e2df9355175033d19d5a6b1640da3c1a4b912bf2a56abf9c4d5e084ac23f3d31

Infection report:

https://www.virustotal.com/en/file/e2df9355175033d19d5a6b1640da3c1a4b912bf2a56abf9c4d5e084ac23f3d31/analysis/1421444500/

Method: Both my local Avast installation and the online Totalvirus service reported infection of 4 files in the archive. To verify the file was not infected on my computer immediately after download, I rebooted to my encrypted Linux partition I use for work, redownloaded the file and sent it to online scan with the same result. Since four different antivirus programs reported infection (Avira, Avast, Avg and Nano-Virus), it is highly probable that the file provided by GOG service is indeed infected.

Recommendation: Gog should publish checksums of all provided files to quickly check if the file was tampered with. Meticulous scan of the whole GOG archive is highly recommended. Users should scan every file downloaded before executing it to prevent infection.
Infected files as reported by Avast:

MAPPER.EXE
RAYRUN.EXE
CLIENT.EXE
STARTUP.EXE

I doubt it actually contains infected files. Antivirus software often provides false positives.

Or it's a false positive. Just because 4 antivirus software products agree more likely means that they simply use the same detection algorithms, not necessarily that they are actually correct.

Several reports of this already:

http://www.gog.com/forum/rayman_series/trojan_virus_in_rayman_forever

http://www.gog.com/forum/rayman_series/viruses_found_during_instalation

http://www.gog.com/forum/rayman_series/are_the_rayman_forever_trojans_false_positives_or_are_they_real_but_should_be_ignored_because_the

http://raymanpc.com/forum/viewtopic.php?p=867197

http://pcgamingwiki.com/wiki/Rayman

That isn't an infected file, that's the game; Rayman is supposed to look like that. He's kind of the Salvadore Dali of platform gaming.

Even worse! It contains Rayman!

Sorry, couldn't help myself.

GoG should definitely check it out, but I imagine it's a false positive. The names of the viruses sound like it might be something to do with whatever GoG does to make the games work on modern systems.

Yes, but that's only your belief. Spreading infected files via a service with such popularity as GOG is an incident with potentially huge impact, and should not be brushed off by belief alone.

GOG administrators should contact some antivirus lab directly and ask them for detailed analysis.

SMH

As djdarko linked in his post, this is very old news and is indeed a false positive.

Dude.Its most likely a false positive. I think people have the fullest confidence GOG always checks everything is clean before offering files to its customers....

None of the links you have provided contain an actual proof that it is actually a false positive. Do you have such a proof?

I would like to hear an official comment on this matter from GOG representatives.

Well, if it's been going on for 4 years, apparently it is *not* an "incident with potential huge impact."

If you're so worried about the files, report them to the antivirus software makers yourself. They're more qualified to make the determination of danger than GOG is. And as everyone is telling you, it is actually a problem with their software. Maybe if you bug them enough, they'll finally fix it.

Edit: Oh and http://www.gog.com/forum/rayman_series/some_exe_files_marked_as_viruses_probably_false_positives_but_still/post20

Yep, I can confirm Rayman is a virus. It infected my childhood on PS1 and once I was done with it, Rayman 2 and Rayman 3 infected me during my teens on PC, such were those days. The last infection I got was with Rayman M, I'm not sure what happened after that, but the infection stopped.

We've all been through it at some point, deal with it guys.

Well it was developed by Ubisoft, so that's the problem.

You are of course aware that those are DOS executables which won't even run on Windows since XP and will only be launched in the emulated environment of DOSBox where they can't even possibly do any harm, right? Even if they weren't actually false positives (which they most definitely are), right?

Edit: Oh, damn, the executables causing the FALSE POSITIVES are actually Windows applications. My bad.

Yes, I intend to do precisely that. I will wait for a few days for official statement from GOG, then I will request comment from the antivirus companies.

The fact that it goes on for 4 years is irrelevant. I work as a system administrator and I deal with infected computers spewing portscans, spam, bruteforce ssh attacks, DNS floods, etc. every day, and each time I contact a user with infected computer/server and provide evidence, I am confronted with a very surprised person. "Me? Rubbish, my computer is fine!"

There are over million of infected computers worldwide working as zombies in various botnets.

Belief is not enough. Only facts matter.

Online services should treat such incidents seriously, thoroughly and responsibly.
Even DOS executable can contain virus payload that will be executed first, infecting the system.