
Are my AutoIt exes really infected?



@giangnguyen

I don't think you'd get much response from them, they haven't released an update to the software in about 4 years. They've only updated the virus definitions recently.

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

source: MsgBox(1,"","hi")

compiled by right click+compile for x86

https://virustotal.com/en/file/2922e3bf83b2bc1dd19ab42748ef24e0fbf27a9dbc8696825cf86b11547deeee/analysis/1464834505/

Uh oh, found some more. Not sure if that is by AutoIt though. But they don't have twister on VT, I used majyx scanner.

Here is the twister detection: https://scan.majyx.net/scans/result/f1feb3a899de723057ac539d0ddc3b3f841bc8ce
As you can see, it is detected as W32.HackKMS.L.yvrm

giangnguyen,

Not sure how long you've been around autoit but 3/56 flags from VT is nothing to worry about, or any other similar site that uses the "many fools in a room" logic to formulate an opinion.

I know 3/56 is not much, I know, but I prefer to have my clean files not detected by AVs.

  • Administrators

The main AutoIt3.exe rarely gets flagged (sometimes on each new version). So if I were writing public software I'd play it safe and distribute AutoIt3.exe and compile the script as .a3x. Least chance of flagging.

  • 2 weeks later...

Uninstall AutoIt. Fix registry issues with CCleaner. Restart the computer. Install again.

The hottest deal of 2016 with IUL's cheap web design service: when you have a website designed in Hanoi you immediately receive a free course on selling on Facebook or selling online, or you can use our other web services, for example: hotel and travel web design, company web design, cheap all-in-one web design, custom web design, responsive web design, real estate website design, etc. The promotion ends on 20/10/2016, so hurry and join the program to receive your reward.


Cheap and free online sales web design company

Trong, what are you trying to say?

On 6/20/2016 at 11:36 AM, yennhikorea said:

Uninstall AutoIt. Fix registry issues with CCleaner. Restart the computer. Install again.

That's not going to fix the detection issue. It is probably a combination of the unpacking of the AutoIt engine on execution and certain functions in your script.
Hey guys. Want to help improve False Positive Reporter?

If you see any emails that aren't on the list below, please Private Message me so I can add it to the list.

support.is@cmclab.net
samples@digital-defender.com
sample@preventon.com
support-tech@returnil.com
malwaresample@herdprotect.com
info@chicalogic.com
submit@antiy.com
avlnetwork@antiy.com
virus@arcabit.com
v3sos@ahnlab.com
virus@avast.com
virus@avira.com
virus_submission@bitdefender.com
samples@bluepointsecurity.com
malwaresubmit@avlab.comodo.com
vms@drweb.com
malware@emcosoftware.com
submit@emsisoft.com
virus@esafe.com
samples@escanav.com
submitvirus@fortinet.com
research@spy-emergency.com
viruslab@f-prot.com
labs@fsb-antivirus.com
vsamples@f-secure.com
samples@ikarus.at
submit@samples.immunet.com
newvirus@kaspersky.com
support@jiangmin.com
research@lavasoft.com
virus_research@avertlabs.com
virus@micropoint.com.cn
avsubmit@submit.microsoft.com
virus@nanoav.ru
samples@eset.com
support@noralabs.com
support@norman.com
virus_info@inca.co.kr
virus@pandasecurity.com
psafe@psafe.com
kefu@360.cn
support@rubus.co.in
newvirus@s-cop.com
samples@sophos.com
detections@spybot.info
vlab@srnmicro.com
avsubmit@symantec.com
virus@hacksoft.com.pe
virus@thirtyseven4.com
cainfo@ca.com
submit@trojanhunter.com
support@simplysup.com
virus@filseclab.com
malware-cruncher@sunbelt-software.com
viruslab@hauri.co.kr
newvirus@anti-virus.by
virus@zillya.com
huangruimin@kingsoft.com
support@aegislab.com
viruslab@quickheal.com
trojans@agnitum.com
bav@baidu.com
bkav@bkav.com.vn
samples@mysecuritywin.com
falsepositive@reasoncoresecurity.com
virus_research_gateway@avertlabs.com

  • 1 year later...

According to my tests:

  • Some AVs will flag the exe file as a virus if it does not have an icon file.
  • #AutoIt3Wrapper_Res_Description=
    • If this is empty then some AVs will flag the file as a virus.
    • If this is not empty then some AVs + other AVs will flag the file as a virus. I guess it happens if the name is something that AVs know as a virus.
  • You need to delete from #AutoIt3Wrapper_Res_Description= and #AutoIt3Wrapper_Res_Comment= any string that tells the AVs what the file is, and you need to leave #AutoIt3Wrapper_Res_Description= with some string; otherwise some AVs will detect it as a virus. So I wrote a string that is the program version.
On 8/11/2017 at 8:44 AM, Skysnake said:

@BetaLeaf, maybe remove this one from your list?

PSafe (PSafe) 
Aug 10, 10:09 -03 
Hello Team,

We don't support Windows anymore, our AV for Windows platform was discontinued.

Thank you for your contact and if you have any questions, feel free to reach me.

Best regards,
Thomas

Skysnake

Thanks for reporting in. It has been fixed.

In the future, please submit an issue on GitHub.

https://github.com/BetaLeaf/False-Positive-Reporter/releases/tag/1.3.2

Changelog:

  • Removed PSafe from the list of Anti-Virus Vendors.
  • Anti-Virus Vendor list and Banned Extensions list will now automatically update from this repository.
  • You can now configure FPR.exe by simply double clicking on FPR.exe.
  • Config FPR.exe removed (See above.)
  • Update FPR.exe now updates FPR.exe to the latest version, instead of only updating the Anti-Virus Vendor list.
Since the list is now automatically updated on the repository, you can update it yourself and submit a pull request.

Just don't trust that the information on VirusTotal is accurate for any purposes.

http://www.csoonline.com/article/3216765/security/heres-why-the-scanners-on-virustotal-flagged-hello-world-as-harmful.html


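A small triage helper, added here as an example and not code from this thread or from any poster's tool: it checks that a VirusTotal report link of the kind quoted above actually carries the SHA-256 of the binary you compiled, and turns a per-engine result set into a flagged/scanned count plus the engine verdicts, so a "3/56" can be read as which engines said what. The result mapping is constructed in the shape of VirusTotal's v3 last_analysis_results field (an assumption of this example); the engine names and the second verdict string are placeholders.

```python
import hashlib
import re

# Old-style VirusTotal report links, like the one quoted in this thread,
# carry the sample's SHA-256 in the path: /file/<sha256>/analysis/<ts>/
VT_URL_RE = re.compile(r"/file/([0-9a-fA-F]{64})/")

def sha256_from_vt_url(url: str) -> str:
    """Return the lower-case SHA-256 that a VirusTotal report URL refers to."""
    match = VT_URL_RE.search(url)
    if match is None:
        raise ValueError("no SHA-256 found in VirusTotal URL")
    return match.group(1).lower()

def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 of a file's content, as hex, for comparison with the report."""
    return hashlib.sha256(data).hexdigest()

def report_matches_file(url: str, data: bytes) -> bool:
    """True only when the report URL describes exactly these bytes."""
    return sha256_from_vt_url(url) == sha256_of_bytes(data)

def summarize(results: dict) -> tuple:
    """Turn a per-engine mapping (VT v3 last_analysis_results shape, assumed
    here) into (flagged, scanned, [(engine, verdict)]). Engines that could
    not scan the file are left out of the denominator."""
    not_scanned = {"type-unsupported", "timeout", "failure"}
    scanned = {name: r for name, r in results.items()
               if r.get("category") not in not_scanned}
    hits = sorted((name, r.get("result")) for name, r in scanned.items()
                  if r.get("category") in ("malicious", "suspicious"))
    return len(hits), len(scanned), hits

# Constructed sample data: engine names and the second verdict are placeholders.
THREAD_URL = ("https://virustotal.com/en/file/"
              "2922e3bf83b2bc1dd19ab42748ef24e0fbf27a9dbc8696825cf86b11547deeee"
              "/analysis/1464834505/")
SAMPLE_RESULTS = {
    "EngineA": {"category": "undetected", "result": None},
    "EngineB": {"category": "malicious", "result": "W32.HackKMS.L.yvrm"},
    "EngineC": {"category": "undetected", "result": None},
    "EngineD": {"category": "type-unsupported", "result": None},
    "EngineE": {"category": "suspicious", "result": "Heur.Placeholder.Example"},
}

if __name__ == "__main__":
    flagged, scanned, hits = summarize(SAMPLE_RESULTS)
    print(f"{flagged}/{scanned} engines flagged the sample: {hits}")
```

Run it against the real compiled exe by reading the file's bytes into report_matches_file before reading anything into a report's detection count.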
  • Melba23 changed the title to Are my AutoIt exes really infected?
  • Melba23 pinned this topic
