emdy

AutoIt compiled exe detected as a TrojanDownload?

27 posts in this topic

#1 ·  Posted (edited)

Scan your compiled exe file at http://virusscan.jotti.org/ then post the result here please.. Thank you..

Every compiled exe i made, when i sent it to Jotti Virus Scan, it said it's a Trojan.DownLoader.3281!!

I also tried other people's programs and scanned them.. still got the same result..

what's going on??

can someone try this out??

Go to Jotti Virus Scan and scan your own compiled exe..

Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 b2255dd45ee77d672569911f5d655208
Packers detected: UPX

Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan.DownLoader.3281

Sorry moderators but i guess i posted in the wrong section.. :)

Edited by emdy


:)False Alarm :evil:

The reason you're getting these results is because some assholes make viruses with AutoIt, so the people who make your virus protector just mark every compiled autoit script as a virus. This doesn't mean your virus company isn't good, just means it's lazy.

perhaps take a look here:

http://www.autoitscript.com/forum/index.php?showtopic=13133


FootbaG


layer can you help me out?

can u pls scan 1 of your compiled exe to that url and copy/paste it here?

coz i'm being banned in some forum coz they think i posted a trojan!!

coz i wanna see if we get the same result or not..

pls


> layer can you help me out?
>
> can u pls scan 1 of your compiled exe to that url and copy/paste it here?
>
> coz i'm being banned in some forum coz they think i posted a trojan!!
>
> coz i wanna see if we get the same result or not..
>
> pls

I'll gladly help, but, I'm unsure of what you want me to do, could you explain a little more?

Thanks


FootbaG


> I'll gladly help, but, I'm unsure of what you want me to do, could you explain a little more?
>
> Thanks

just scan any of your compiled exe at http://virusscan.jotti.org/

then copy and paste the result here..

thank you. :)


Sure! Will post back the results when the scan is complete :)


FootbaG


Ok, here are my results on a simple MsgBox exe.

File: test.exe
Status: INFECTED/MALWARE
MD5 69b25c140741504d78b4e0980e761e08
Packers detected: UPX

Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found W32/Agent.QY
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan.Win32.Agent.fd

But no worries, as I said before, some anti virus companies mark all compiled autoit scripts as a virus/trojan because of one that someone else made... Stupid I know, but don't worry, it's nothing.

Cheers :)


FootbaG


#8 ·  Posted (edited)

hmm how come your result is different from mine?

i got a Trojan.DownLoader.3281

and you got a Trojan.Win32.Agent.fd

hmm...

your autoit version is??

mine is 3.1.1

Edited by emdy


Yea, mine is 3.1.1 and I got two results if you looked closely :) But as the site stated, the results may not always be correct. Don't know what else to say except I know AutoIt is clean...


FootbaG


oh yeah.. u got 2 lol..

hmm... think i need more evidence to show that poor judgement was made.


> oh yeah.. u got 2 lol..
>
> hmm... think i need more evidence to show that poor judgement was made.

Send them to the website. Show them it is a scripting utility, and people have the right to make their own programs.

Also, as with any language that can be compiled, there is always room for malware/spyware. That doesn't mean all the executables should be blocked. That virus company should retract their statement about AutoIt and check for things the script may be able to do. Like modify system files.

I am sorry that people are being so naive and banning you and such.

JS


AutoIt Links

File-String Hash Plugin Updated! 04-02-2008 Plugins have been discontinued. I just found out.

ComputerGetInfo UDF's Updated! 11-23-2006

External Links

Vortex Revolutions Engineer / Inventor (Web, Desktop, and Mobile Applications, Hardware Gizmos, Consulting, and more)


All i wanted to do is to contribute to the gaming community..

To share some stuff i've made..

And all i got was a lousy ban and he said...

Before we approve this file, could somebody explain the reason TrojanDownloader is in an autoit script? As far as I know, it doesn't belong there.

EDIT: Approval denied.

My computer didn't like your file (to simply put it).

Closed and warned.

what a jerk (to simply put it) :)


Well I am sorry to say that there are such dumb people in the world. I guess every VBS should be blocked from being used and every ActiveX script, and so on down the list. There are always going to be people that mess it up for those of us that keep it clean.

We just have to show them that what we do is for real and show the world what they are missing, because if the 'world' thinks it is missing something it wants to join in.

JS



#14 ·  Posted (edited)

> Well I am sorry to say that there are such dumb people in the world. I guess every VBS should be blocked from being used and every ActiveX script, and so on down the list. There are always going to be people that mess it up for those of us that keep it clean.
>
> We just have to show them that what we do is for real and show the world what they are missing, because if the 'world' thinks it is missing something it wants to join in.
>
> JS

I just compiled my StartUpSentinel program and scanned it. I got the same result as emdy.

Why did they have to tarnish AutoIt's rep like this??? :)

AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan.DownLoader.3281

Edited by SolidSnake


> I just compiled my ___ and scanned it. Here are the results.
>
> AntiVir Found nothing
> ArcaVir Found nothing
> Avast Found nothing
> AVG Antivirus Found nothing
> BitDefender Found nothing
> ClamAV Found nothing
> Dr.Web Found nothing
> F-Prot Antivirus Found nothing
> Fortinet Found nothing
> Kaspersky Anti-Virus Found nothing
> NOD32 Found nothing
> Norman Virus Control Found nothing
> UNA Found nothing
> VBA32 Found Trojan.DownLoader.3281
>
> Why did they have to tarnish AutoIt's rep like this??? :evil:

:D

you got the same result as mine..

i think it gotta do something with the compiler..

a blank .au3 when compiled will still show the same result.. :)


Why did I get different results with a compiled AutoIt script with the normal template from SciTE and a "MsgBox(0, "Test", "Test")" ? Weird... 3.1.1 too... WinXP SP2


FootbaG


I'm assuming then that it is the UPX wrapper possibly causing the problem, or is it specifically targeting AU3-compiled scripts?


Writing AutoIt scripts since
_DateAdd("d", -2, _NowCalcDate())


At least today an empty script gives the following result with the beta. The official release gets "VBA32 Found Trojan.DownLoader.3281", which can be considered, from my point of view, a false alarm. (I rebuilt the official release from the source and it does the same.)

File: empty AU3 script.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5 98e97d105d72ae32b3a993a16125b469
Packers detected: UPX

Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing


Speaking of which, I run AntiVir all the time. It is the best virus scanner I have found to date, and it has no issue with my scripts, as this latest post suggests.

They have apparently just blocked all AutoIt scripts.

JS



Already an issue at http://www.autoitscript.com/forum/index.php?showtopic=13133 with Computer Associates - false positive in InoculateIT as well, but not Vet Anti-Virus.

Easy enough to do - just use the contents of AUTOISC.BIN as your signature recognition pattern and all AutoIT compiled scripts will be quarantined! Lazy, I suspect on the part of the anti-virus researchers. Puts me in a spot as I have deadlines to meet and my scripts are getting deleted from under me.

Not happy. :)

Comment: I read in these forums about help required for keyloggers and remappers, and ways to circumvent normal Windows operations, and wonder how many of these questions are by the 'script kiddies', as the anti-nasty industry likes to term malicious hackers? Are we helping the wrong people some of the time?

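The point made in the last post, that a signature cut from the runtime shared by every compiled script will match all of them, shown as an added Python sketch (not code from the thread, from AutoIt, or from any scanner). The stub bytes, the append-only `build` model and every name here are constructed assumptions; comparing against an empty-script baseline, as several posters did, is what separates a hit on the shared stub from a hit on the script itself.

```python
import hashlib

# Constructed stand-in for the interpreter stub a script compiler copies into every
# output file (the role the post above gives AUTOISC.BIN). Not real stub bytes.
STUB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))  # 256 bytes


def build(script: bytes) -> bytes:
    """Hypothetical compiler model: shared stub followed by the script body."""
    return STUB + script


def scan(sample: bytes, signature: bytes) -> int:
    """Naive byte-pattern scanner: offset of the first match, or -1 for no match."""
    return sample.find(signature)


def shared_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes two files have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def triage(sample: bytes, signature: bytes, baseline: bytes) -> str:
    """Classify a hit against a baseline built from an empty script with the same toolchain."""
    offset = scan(sample, signature)
    if offset < 0:
        return "no-match"
    in_shared_code = offset + len(signature) <= shared_prefix_len(sample, baseline)
    if in_shared_code and scan(baseline, signature) >= 0:
        return "stub-only"       # the hit says nothing about the script itself
    return "script-specific"     # pattern lies in bytes unique to this sample


STUB_SIG = STUB[100:132]                      # signature cut from the shared stub
SCRIPT_SIG = b"CONSTRUCTED-MARKER"            # signature tied to one script's content
BASELINE = build(b"")                         # empty script
MSGBOX = build(b'MsgBox(0, "Test", "Test")')  # the simple test script from the thread
MARKED = build(b"; CONSTRUCTED-MARKER demo body")

if __name__ == "__main__":
    for name, sample in [("empty", BASELINE), ("msgbox", MSGBOX), ("marked", MARKED)]:
        print(name, triage(sample, STUB_SIG, BASELINE), triage(sample, SCRIPT_SIG, BASELINE))
```

A "stub-only" result means the detection carries no information about what the script does, so the script still has to be judged on its own content.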