Guest gilles_stp

Webroot SpySweeper detects Trojan horse in V3

12 posts in this topic

Hi!

I don't know where the problem is, whether it's in Webroot's SpySweeper (latest version, spyware definitions up to date) or if AutoIt V3 (latest version, downloaded on 2005/07/29) has the trojan horse detected by SpySweeper, but even after downloading a fresh version of AutoIt V3 from your site, if I start a scan, SpySweeper points every time to AutoIt3.exe, signals the presence of a Trojan horse and wants to remove AutoIt3.exe and every link pointing to it!

Webroot SpySweeper's version is: "Program Version 4.0.3 (Build 359) Using Spyware Definitions 506".

Here is a partial log:

21:03:  Found Trojan Horse: trojan downloader matcash

21:03:  autoit3.exe (ID = 119348)

21:03:  run script.lnk (ID = 119348)

21:03:  check for updates.lnk (ID = 119348)

21:03: File Sweep Complete, Elapsed Time: 00:01:14

21:03: Full Sweep has completed.  Elapsed time 00:03:43

21:03: Traces Found: 3

********

And this is what SpySweeper says when it looks at AutoIt3.exe or any link pointing to it:

Step 2: Remove

Select items to remove and hold in the quarantine folder

  trojan downloader matcash

  c:\program files\autoit3\autoit3.exe

  c:\documents and settings\all users\start menu\programs\utilitaires\autoit v3\run script.lnk

  c:\documents and settings\all users\start menu\programs\utilitaires\autoit v3\extras\check for updates.lnk

View more details online  Select All  Deselect All                              Next >

Details

Name: trojan downloader matcash

Location: 3 traces found in various locations.

Fingerprint Type: Exact Match    Category:  Trojan Horse

Full Sweep has completed. Elapsed time 00:03:43

Traces Found: 3

Trojan downloader matcash (Trojan Horse)

Trojan Downloader Matcash is a downloader that may download other threats onto your computer.

Thanks for looking at it!

Gilles


Unfortunately this is a show of ignorance on the anti-virus vendors' part.

To put it simply, some people use AutoIt to create compiled scripts that act like viruses. Virus vendors then see a piece of code within the script common to all compiled AutoIt scripts and mark any file containing that code as a virus.

I would suggest instructing your vendor that this is a false alarm. Here are some links to similar threads for more information:

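The mechanism Alex describes (one signature written against the stub that every compiled AutoIt script shares) and the log Gilles posted, worked through in an added Python example that is not from this thread or the AutoIt project. The stub bytes, the three sample "files" and the known-good hash set are constructed stand-ins; only the log lines are taken from the post above.

```python
import hashlib
import re

# Log lines as posted in the thread, reused here as sample input.
LOG = """21:03:  Found Trojan Horse: trojan downloader matcash
21:03:  autoit3.exe (ID = 119348)
21:03:  run script.lnk (ID = 119348)
21:03:  check for updates.lnk (ID = 119348)
21:03: Traces Found: 3"""
TRACE_RE = re.compile(r"^\d\d:\d\d:\s+(.+?) \(ID = (\d+)\)$")

def parse_traces(log):
    """Group flagged paths by definition ID. One ID for the exe and both
    shortcuts means a single signature fired on the interpreter and on
    every .lnk pointing at it, not three independent findings."""
    by_id = {}
    for line in log.splitlines():
        m = TRACE_RE.match(line)
        if m:
            by_id.setdefault(m.group(2), []).append(m.group(1))
    return by_id

# Constructed stand-in for the bytes every compiled AutoIt script shares
# (the interpreter stub). Hypothetical, not the real AutoIt3 stub.
SHARED_STUB = b"\x4d\x5a\x90\x00AU3!EA06"
# Constructed sample "files": the stock interpreter, a harmless compiled
# script and a malicious compiled script. All three embed the same stub.
SAMPLES = {
    "autoit3.exe": SHARED_STUB + b"interpreter code",
    "run_script.exe": SHARED_STUB + b"MsgBox(0, 'hi', 'hello')",
    "downloader.exe": SHARED_STUB + b"download-and-run script",
}

def stub_signature_hits(files, signature):
    """A signature matching the stub alone behaves like the 'Exact Match'
    in the log: it fires on every file that carries the stub."""
    return sorted(name for name, data in files.items() if signature in data)

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Stand-in for the hash of the vendor's pristine download (constructed).
KNOWN_GOOD = {sha256(SAMPLES["autoit3.exe"])}

def triage(files, signature, known_good):
    """Defender-side check: a hit whose hash equals the vendor's published
    file is a false positive; anything else still needs analysis."""
    verdicts = {}
    for name in stub_signature_hits(files, signature):
        good = sha256(files[name]) in known_good
        verdicts[name] = "known-good (false positive)" if good else "needs analysis"
    return verdicts
```

The point is that a stub-based signature cannot distinguish the interpreter from scripts built with it, so a hash comparison against the vendor's own download is what settles the alert.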

Thanks for taking the time to inform us of this though, Gilles! :)

Alex, I slightly disagree with you -- it's not really a matter of ignorance. It wouldn't be fair for anti-virus vendors to have to examine every piece of submitted code for a common base, but on the other hand they should be expected to remove AutoIt-related virus alerts from their databases when they are better informed.

To the Documentation Force: this kind of scenario is an ugly reality that won't go away. Perhaps some mentioning of this should be done somewhere on the AutoIt website so that considerate people such as Gilles don't waste their time registering on the boards to alert us of another false alarm.


I've had a couple of initial emails from CA and Kaspersky asking about AutoIt script formats - so we'll see if there is anything I can do to help those AV programs to not jump all over AutoIt scripts...


Maybe you should use Lavasoft's Ad-aware instead. It certainly seems to work better, does an active scan... and best of all, doesn't complain about AutoIt v3 in any way, shape or form.


"... and the Lord said to John, "Come forth and ye shall receive eternal life," but instead John came fifth and won a toaster."


I have the same problem :whistle:


Sapiente vince, rex, noli vincere ferro!


K, Try this:

goto: http://support.webroot.com/ics/support/KBL...asp?folderID=15

Then select item "7. How can I stop Spy Sweeper from quarantining a particular product?"

Unbelievable -- Jon's perfectly-formed URL doesn't work as a point of entry to the site. I can't imagine what their software's like if you can't even link to a Knowledge Base article directly.

Webroot Support Center > Spy Sweeper (link list on left) > 7. How can I stop Spy Sweeper from quarantining a particular product?
