Xander

Scraps of virus?

10 posts in this topic

I have a short script that, on my customer's computer, gets run once a month. On the 6th month, it drops a basic PDF document to the desktop to remind them that I still exist.

For the last couple of weeks, my antivirus has been reporting that a "sample" of Win32:Trojan-gen. {UPX!} exists within the compiled script.

#notrayicon
Global $txt = 'C:\windows\housecalls.ini'
; Read the month counter from the INI file, bump it and write it back
$var = IniRead($txt, "NumberOfMonths", "Month", "0")
$var = $var + 1
IniWrite($txt, "NumberOfMonths", "Month", $var)
If $var < 6 Then Exit
SixMonths()
IniWrite($txt, "NumberOfMonths", "Month", 0) ;RESET COUNTER
Exit

Func SixMonths()
    ; Drop the embedded reminder PDF onto the shared desktop and tell the user about it
    FileInstall("F:\spyware\6months.pdf", @DesktopCommonDir & '\READ ME - 6 month reminder.pdf')
    Local $iMsgBoxAnswer
    $iMsgBoxAnswer = MsgBox(36, "HOUSECALLS computer services", "It has been at least 6 months since Housecalls Computer Services was last here.  A simple tune-up reminder document has been placed on your desktop." & @CRLF & "" & @CRLF & "You can contact us for a service call or a tune-up at" & @CRLF & "" & @CRLF & "*************@gmail.com")
    Sleep(10000)
EndFunc  ;==>SixMonths

; it did use INCLUDE inet.au3 but I just pasted in the needed sections to try to circumvent the error
; (neither of the two functions below is called anywhere in this script)
Func _INetMail($s_MailTo, $s_MailSubject, $s_MailBody)
    ; Launch the registered mailto: handler with a URL-encoded recipient/subject/body
    Return Run(StringReplace(RegRead('HKCR\mailto\shell\open\command', ''), '%1', _INetExplorerCapable('mailto:' & $s_MailTo & '?subject=' & $s_MailSubject & '&body=' & $s_MailBody))) = 0
EndFunc  ;==>_INetMail

Func _INetExplorerCapable($s_IEString)
    ; Percent-encode characters that are not safe in a URL (control, space, '%', '/', non-ASCII)
    If StringLen($s_IEString) <= 0 Then
        SetError(1)
        Return ''
    Else
        Local $s_IEReturn = ''
        Local $i_IECount
        Local $n_IEChar
        For $i_IECount = 1 To StringLen($s_IEString)
            $n_IEChar = '0x' & Hex(Asc(StringMid($s_IEString, $i_IECount, 1)), 2)
            If $n_IEChar < 0x21 Or $n_IEChar = 0x25 Or $n_IEChar = 0x2f Or $n_IEChar > 0x7f Then
                $s_IEReturn = $s_IEReturn & '%' & StringRight($n_IEChar, 2)
            Else
                $s_IEReturn = $s_IEReturn & Chr($n_IEChar)
            EndIf
        Next
        Return $s_IEReturn
    EndIf
EndFunc  ;==>_INetExplorerCapable


Yeah, I had that same problem with a script that opened Google & did a search for me... I'm guessing that the file just got infected. I would also like to know about this, though.



It's an issue that has been addressed (somewhat). If you rename upx.exe in "C:\Program Files\AutoIt3\Aut2Exe\" to something else (just so it's not used when compiling), it usually fixes the issue. Feel free to ask for more opinions, but try it and see if it fixes your issue.

Later; Lew

CDkid, it's not infected -- I can freshly compile the script, entirely replacing the old one, and I get the infected message almost immediately.

Lew, I renamed both the original UPX.exe and the beta one ... still gettin' it.

Win32:Trojan-gen: AVs use "gen" as an abbreviation for general. This is a pickup by overactive heuristics, I would guess.

Your antivirus is very stupid; it's assuming UPX is a virus, as the compiled exe gets compressed via UPX.

The best thing to do would be to try to compress the exe with another program!

Also try running the script using AutoIt without compiling it. If it still says it's a virus, change your antivirus.

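A quick way to confirm that a generic "{UPX!}" hit is really about the packer rather than the script is to look at the section table of the compiled exe: UPX leaves sections named UPX0/UPX1 behind. This is an added Python example, not code from the thread; the `build_minimal_pe` helper constructs a bare PE header purely so the parser can be exercised offline (it is not a runnable executable).

```python
import struct
import sys

def pe_section_names(data: bytes) -> list[str]:
    """Return the section names from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size          # section headers follow the optional header
    names = []
    for i in range(nsections):
        raw = data[table + 40 * i: table + 40 * i + 8]   # 8-byte NUL-padded name
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names

def looks_upx_packed(data: bytes) -> bool:
    """True if any section carries the UPX0/UPX1/... naming UPX leaves behind."""
    return any(n.startswith("UPX") for n in pe_section_names(data))

def build_minimal_pe(section_names) -> bytes:
    """Constructed test input: DOS stub, PE signature, COFF header, empty
    PE32 optional header and one 40-byte section header per name."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 0xE0                      # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32
                        for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sections

if __name__ == "__main__":
    # Usage: python upx_check.py compiled_script.exe
    with open(sys.argv[1], "rb") as f:
        image = f.read()
    print("sections:", pe_section_names(image))
    print("UPX-packed:", looks_upx_packed(image))
```

If the sections read UPX0/UPX1, the detection is explained by the packer and compiling without UPX (as suggested above) is the first thing to try before suspecting the script itself.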
:lmao: Hmmm... what other packer do you suggest? ;)


[center]Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.[/center]

Share this post


Link to post
Share on other sites

Hi,

I had the same problem a couple of weeks ago. I sent the log files to the support center of Norman Virus Control and told them that it is an FP (false positive).

They corrected it within the next pattern update.

So long,

Mega.

It was that fast because I'm working in a big company. :lmao:


Scripts & functions Organize Includes Let Scite organize the include files

Yahtzee The game "Yahtzee" (Kniffel, DiceLion)

LoginWrapper Secure scripts by adding a query (authentication)

_RunOnlyOnThis UDF Make sure that a script can only be executed on ... (Windows / HD / ...)

Internet-Café Server/Client Application Open CD, Start Browser, Lock remote client, etc.

MultipleFuncsWithOneHotkey Start different funcs by hitting one hotkey different times

Share this post


Link to post
Share on other sites

It's noteworthy, btw, that this is the only script I have where I get this error. I can recompile any of my common scripts and not get it.

By elimination, it makes me think that it's something in the script itself more than the packer. I've run my AV on the PDF that gets dropped to the desktop, so the 'sample' shouldn't be in there. I also find it odd that I never got this error about the file until the last week or so. I've had this script almost unchanged for close to a year.

I suppose the best option is to just "rephrase" the script to try to get away from mirroring the sample that the AV thinks is within it.

Well, to be honest, it looks as if you have a smart anti-virus program. I think it was a recent update that is causing it to detect this as a virus now. I also think that perhaps that email part is causing it. Once again I stress that although I am not new to AutoIt, I am by no means an expert. I would do some process of elimination until it is no longer detected.

Later; Lew

P.S. Google toolbar spell check is the win!
