Trystian

W32/Mucomm.A!Trojan in AutoIT3 compiled scripts?

10 posts in this topic

It seems that since my last Anti-Virus signature update, eTrust AV7 (Inoculate sig #23.69.27) is identifying ALL my compiled AutoIT3 scripts as the W32/Mucomm.A!Trojan.

Has anyone else had this issue in the last 24 hours?

If so, this needs to be resolved ASAP. If there is actually a trojan in the compiler, or perhaps somehow my compiled scripts are registering false positives all of a sudden. Neither McAfee, nor Norton AV have shown any indications of anything wrong, only with eTrust.

I looked on the web, and couldn't find anything on this "trojan", so I'm not sure what to do ATM besides post here about this issue. Any additional information would be greatly appreciated.

Thanks,

-T


As you say, this issue must be resolved immediately... But the ones to resolve it should be Computer Associates...

Not the first time AV software wrongfully reports programs as viruses.


Cheers
Nobby


The same problem, the same signature version. :(

So, I wrote a message to CA with a compiled autoIT Script. When I know more, I will tell you.


It seems that since my last Anti-Virus signature update, eTrust AV7 (Inoculate sig #23.69.27) is identifying ALL my compiled AutoIT3 scripts as the W32/Mucomm.A!Trojan.

I've been building test EXEs and scanning them, it seems that only EXEs built with the release version of AutoIt 3.1 are being flagged, EXEs built from the (current) beta release are not detected...

More as I learn more...


Yes yes yes, there it was. Youth must go, ah yes. But youth is only being in a way like it might be an animal. No, it is not just being an animal so much as being like one of these malenky toys you viddy being sold in the streets, like little chellovecks made out of tin and with a spring inside and then a winding handle on the outside and you wind it up grrr grrr grrr and off it itties, like walking, O my brothers. But it itties in a straight line and bangs straight into things bang bang and it cannot help what it is doing. Being young is like being like one of these malenky machines.


From what I can tell, eTrust only flags files built with the release version 3.1.1.0 of AutoIt3 as being a trojan, I've tested files built with the previous release version as well as with the beta and eTrust finds nothing.



#6 ·  Posted (edited)

What do you mean, when you compile any script it says virus, or AutoIt is a trojan virus?

Edited by asimzameer


I've been watching the eTrust AV site and there's still no information about what W32/Mucomm.A!Trojan is supposed to be. The most newly discovered threat on the page has a date of 5/20/05 and is detected by their AV signature version 23.69.26, which is one build before the version cited above.

Maybe there'll be more info later or tomorrow. It's my belief that Mucomm could actually be an AutoIt3 script EXE built using AutoIt 3.1.0.0, and that the CA AV engineers were sloppy. I don't care what their argument or defense might be in calling any AutoIt 3.1.0.0 EXE a trojan; the fact is that, as things are, a threat script could be rebuilt with another version of AutoIt and it will evade detection. They need to target the script portion of the EXE or use some other method of detection.


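The point made in the post above (a signature keyed to the shared compiler stub flags every script built with that release, while a signature keyed to the script portion follows the script across builds), as an added example that is not part of the original thread. The file layout, marker, names and byte strings are constructed stand-ins, not the real AutoIt format or CA's detection logic.

```python
import hashlib

# Constructed model, NOT the real AutoIt layout: a compiled script is
# <interpreter stub of one compiler build> + MARKER + <script bytes>.
MARKER = b"##SCRIPT##"                      # hypothetical separator
STUB_A = b"MZ" + b"\x90stub-release-A" * 8  # stub of one compiler release
STUB_B = b"MZ" + b"\x90stub-beta-B" * 8     # stub of a different build

def build(stub: bytes, script: bytes) -> bytes:
    return stub + MARKER + script

def split(exe: bytes):
    """Return (stub, script) for a constructed sample."""
    stub, _, script = exe.partition(MARKER)
    return stub, script

def stub_signature(exe: bytes) -> str:
    # Signature taken over the part every EXE from one compiler build shares.
    return hashlib.sha256(split(exe)[0]).hexdigest()

def script_signature(exe: bytes) -> str:
    # Signature taken over the part that is unique to the script itself.
    return hashlib.sha256(split(exe)[1]).hexdigest()

def evaluate(sig_fn, reference: bytes, corpus: dict) -> list:
    """Names in corpus that match a signature derived from the reference sample."""
    sig = sig_fn(reference)
    return sorted(name for name, exe in corpus.items() if sig_fn(exe) == sig)

def looks_like_runtime_fp(flagged: list) -> bool:
    """Triage hint: many different scripts, one identical stub, all flagged."""
    stubs = {split(e)[0] for e in flagged}
    scripts = {split(e)[1] for e in flagged}
    return len(stubs) == 1 and len(scripts) == len(flagged) > 1

UNWANTED = b"; constructed unwanted script body"
CORPUS = {
    "inventory_install.exe": build(STUB_A, b"; benign inventory script"),
    "backup_helper.exe": build(STUB_A, b"; benign backup script"),
    "sample_release.exe": build(STUB_A, UNWANTED),
    "sample_rebuilt.exe": build(STUB_B, UNWANTED),
}

if __name__ == "__main__":
    ref = CORPUS["sample_release.exe"]
    by_stub = evaluate(stub_signature, ref, CORPUS)
    by_script = evaluate(script_signature, ref, CORPUS)
    print("stub-keyed signature flags:  ", by_stub)
    print("script-keyed signature flags:", by_script)
    print("stub hits look like runtime FP:",
          looks_like_runtime_fp([CORPUS[n] for n in by_stub]))
```
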

#8 ·  Posted (edited)

The issue is solved in InoculateIT signature version 23.69.29. :(

--- Here is a part of the CA mail ---

Dear x y,

This is to notify you of the results of your submission, issue number 569291.

With regards to the file "Inventory Install.exe" submitted by you on 21 May 23:24:08 (Australian Eastern Standard Time), we have updated our signature files to resolve the false positive problem of the InoculateIT engine.

Edited by goeli


Outstanding.



The issue is solved in InoculateIT signature version 23.69.29. :(

--- Here is a part of the CA mail ---

Dear x y,

This is to notify you of the results of your submission, issue number 569291.

With regards to the file "Inventory Install.exe" submitted by you on 21 May 23:24:08 (Australian Eastern Standard Time), we have updated our signature files to resolve the false positive problem of the InoculateIT engine.


Awesome. Thank you goeli for submitting the issue to CA. I've verified sig 23.69.29 as well, and my compiled scripts are no longer being flagged as trojans (or anything else).

Good work,

-Trystian
