Sandman2672

AutoIT executables as a virus

This morning when I came to work I found our Trend Micro antivirus deleting my AutoIT exes because it said they were a virus. I sent one to Trend and they say it is malicious. Here is what I got in an email.

-----------------------------------------------------------------------------------------

Our Solution!

Greetings!

Thank you for consulting Trend Labs HQ.

We have verified the file that you have sent set_notesupgrades.exe (122,292 bytes) and found it to be malicious. Trend Micro will detect this as ADW_MAXFILES.B using the Spyware Control Pattern 288.25.

Trend Micro strongly encourages you to update your pattern files regularly. It will protect you from the latest as well as old malware and spyware threats. You can download the latest pattern file from the following link: http://pc-cillin-p.activeupdate.trendmicro...tern/tmaptn.zip

If you find any dead links above, please let us know so we can fix it.

Thank you and have a nice day.

----------------------------------------------------------------------------------------

If I try to use Aut2exe (3.1.1.0), Trend deletes them each time. Now, my older exes created with an older version of Aut2exe are fine.

Anyone else having this problem? I will paste what is in the script. It is written with AdminScriptEditor.

;region Script Settings
;<settings><scriptpackager><process>autoit3.exe</process>
;<arguments>Set_LotusNotes.au3</arguments>
;<extractdir>%TEMP%</extractdir>
;<outputdir>\\*********\xxxxxx\Scripts\Scripts for Projects\LM2005</outputdir>
;<files>C:\Program Files\iTripoli\AdminScriptEditor\AutoIt3\AutoIt3.exe</files>
;<usedefaulticon>True</usedefaulticon>
;<icon></icon>
;<showinsystray>True</showinsystray>
;<tooltip></tooltip>
;<altcreds>False</altcreds>
;<efs>True</efs>
;<ntfs>True</ntfs>
;<local>False</local>
;<username></username>
;<domain></domain>
;<abortonfail>True</abortonfail>
;<product></product>
;<internalname></internalname>
;<version>1.0.0.1</version>
;<versionstring></versionstring>
;<description></description>
;<comments></comments>
;<company></company>
;</scriptpackager>
;</settings>
;
;endregion
;
; Script Packager Template
; creates variables for dynamic use by raw script or packaged executable
;
; ©2004 iTripoli, Inc.
;
; When run as a packaged executable, AdminScriptEditor sets ISEXE and the ASE* environment variables.
If EnvGet("ISEXE") = "1" Then
    $HKCU = EnvGet("ASEHKCU")
    $CRDIRPATH = EnvGet("ASESCRIPTPATH")
    $CURDIR = EnvGet("ASEEXEPATH")
    $SCRIPTARGS = EnvGet("ASEEXEARGS")
    $CRDIRPATH1 = StringTrimRight($CRDIRPATH, 1)
    $CURDIR1 = StringTrimRight($CURDIR, 1)
Else
    ; Running as a raw .au3 script under AutoIt3.exe
    $HKCU = "HKEY_CURRENT_USER"
    $CURDIR1 = @ScriptDir
    $CRDIRPATH = @ScriptDir & "\"
    $SCRIPTARGS = "n/a"
    $CRDIRPATH1 = StringTrimRight(@WorkingDir, 1)
EndIf

$tmp = EnvGet("temp")
$wdr = EnvGet("windir")

; Copy the rollout files from the branch share straight into %windir%
FileCopy("\\xxxxxxxx\branchsetup\rollout05\files\*.*", $wdr)

; Skip the install when the machine is on a VPN address range or has no address yet
$vpn1 = StringInStr(@IPAddress1, "172.30.")
$vpn2 = StringInStr(@IPAddress1, "172.28.")
$ipnul = StringInStr(@IPAddress1, "0.0.")

; The original called "vpn", which is not defined below; the calls now name the functions that exist
If $vpn1 = 1 Then
    Call("vpn1")
ElseIf $vpn2 = 1 Then
    Call("vpn2")
ElseIf $ipnul = 1 Then
    Call("ipnul")
Else
    Call("notes")
EndIf

Func vpn1()
    Exit
EndFunc

Func vpn2()
    Exit
EndFunc

Func ipnul()
    Exit
EndFunc

; Compare the installed Lotus Notes build against the target version and upgrade if it differs
Func notes()
    $allusrp = EnvGet("allusersprofile")
    $cname = EnvGet("computername")
    $reg1 = RegRead("HKEY_LOCAL_MACHINE\Software\Lotus\Notes", "Path")
    $ver = FileGetVersion($reg1 & "\nlnotes.exe")
    If $ver <> "6.5.40.5086" Then
        Call("Install")
    EndIf
EndFunc

; Launch the Prism Pack client to install the Notes 6.5.4 package from the package server named in the registry
Func Install()
    $reg = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\FB_APPS", "@PkgServer")
    Run("C:\Program Files\Prism Pack\Client\Paclient.exe " & "/InstallPackage " & $reg & "lotusnotes6\654\LNInstall6-5-4.pwc /nobeforeprompt")
EndFunc

It probably treats all AutoIt scripts as a virus, even if they are completely empty when you compile them.

Don't you love that?


Valik, note added 19 October 2006 - 08:38 AM (added to warn level): I just plain don't like you.

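The post above suggests the scanner is matching the compiled AutoIt wrapper rather than anything the script does. The following Python scanner is an added example (not code from this thread, from AutoIt, or from Trend Micro) of what such a stub-level signature looks like: it searches a binary for the 16-byte marker and "AU3!" tag that public AutoIt YARA rules and unpackers key on, and it gives an empty compiled script and the deployment script above the same verdict because it never inspects the script body. The sample byte strings are constructed stand-ins, not real executables, and the mapping of EA05 to the 3.1-era format and EA06 to later builds is my understanding, not something the thread states.

```python
"""Stub-level AutoIt detector: flags any compiled AutoIt v3 exe, whatever its script does.

Added example, not code from the thread or from AutoIt/Trend Micro.
"""
import re
from dataclasses import dataclass
from typing import List

# 16-byte marker at the start of the script resource in compiled AutoIt v3 executables
AU3_GUID = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")
# Version tag that directly follows it. EA05 for the older 3.1-era format and
# EA06 for later builds is my understanding, not something stated in the thread.
AU3_TAG_RE = re.compile(rb"AU3!(EA0[56])")


@dataclass
class Au3Hit:
    offset: int    # position of the GUID in the scanned bytes
    variant: str   # "EA05" or "EA06"


def find_autoit_markers(data: bytes) -> List[Au3Hit]:
    """Return every GUID+tag marker found in data, in file order (empty list if none)."""
    hits: List[Au3Hit] = []
    start = 0
    while True:
        pos = data.find(AU3_GUID, start)
        if pos < 0:
            return hits
        m = AU3_TAG_RE.match(data, pos + len(AU3_GUID))
        if m:
            hits.append(Au3Hit(pos, m.group(1).decode()))
        start = pos + 1


def classify(data: bytes) -> str:
    """Verdict a stub-only signature gives: it depends on the wrapper, not the script body."""
    hits = find_autoit_markers(data)
    if not hits:
        return "no AutoIt marker"
    return "AutoIt-compiled (" + ", ".join(h.variant for h in hits) + ")"


def _fake_exe(tag: bytes, body: bytes) -> bytes:
    """Constructed stand-in for a compiled exe: DOS header bytes, stub, marker, then a body."""
    return b"MZ" + b"\x00" * 62 + b"stub code" + AU3_GUID + tag + body


# Constructed samples (hypothetical, not real binaries)
EMPTY_SCRIPT = _fake_exe(b"AU3!EA05", b"")                            # an empty .au3, compiled
DEPLOY_SCRIPT = _fake_exe(b"AU3!EA05", b"FileCopy(...) RegRead(...) Run(...)")  # the thread's script, compiled
PLAIN_EXE = b"MZ" + b"\x00" * 62 + b"ordinary program with no AutoIt payload"

if __name__ == "__main__":
    for name, blob in (("empty script", EMPTY_SCRIPT),
                       ("deploy script", DEPLOY_SCRIPT),
                       ("plain exe", PLAIN_EXE)):
        print(f"{name:14s} -> {classify(blob)}")
```

The practical check this suggests: compile an empty script with the same Aut2exe build, and if the scanner deletes that too, the detection is on the wrapper and the FileCopy/Run logic in the real script is irrelevant to it; if only the real script is flagged, the engine is looking at content, and that is the case to argue with the vendor.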
I am getting this as well, but it is the Office Scan, not Spyware, that is identifying the file as a virus. Trend is indicating that it is a TROJ_DLOADER.ZS virus and deleting the file. I went back to the 3.1.0 version and everything is OK.

> I am getting this as well, but it is the Office Scan, not Spyware, that is identifying the file as a virus. Trend is indicating that it is a TROJ_DLOADER.ZS virus and deleting the file. I went back to the 3.1.0 version and everything is OK.

There are several threads about similar behavior with different scanners. It's a known issue that I believe they're working on trying to circumvent in an upcoming beta.

