Valuater

Trojan Horse... in Autoit exe files

33 posts in this topic

I just recently updated my Beta and Scite 3/4 days ago and since then my virus scan has deleted all my compiled scripts... ( normal... even the older exe's ), however this time it is after the SciTE Updatedefs.exe

AVG Antivirus V

File Ver 7.1.0.394 6/12/2006

Autoit Beta Ver 3.1.1.126

SciTE Ver 1.69

6/2/2006

*** Updated installer with SciTE v1.69.

*** Updated Beta definitions to AutoIt3 v 3.1.1.125.

always fun

8)





> I just recently updated my Beta and Scite 3/4 days ago and since then my virus scan has deleted all my compiled scripts... ( normal... even the older exe's ), however this time it is after the SciTE Updatedefs.exe
>
> AVG Antivirus V
>
> File Ver 7.1.0.394 6/12/2006
>
> Autoit Beta Ver 3.1.1.126
>
> SciTE Ver 1.69
>
> always fun
>
> 8)

wow, I was just talking to a friend about something like this. Does this mean that someone used AutoIt to write a virus/Trojan and antivirus companies see it as AutoIt, not the individual exe?



All of your compiled scripts? That must be very annoying!



avast! says there are no viruses in AutoIt.exe; I checked the whole PC yesterday.

What is the virus name?

i542



#7 ·  Posted (edited)

> avast! says there are no viruses in AutoIt.exe; I checked the whole PC yesterday.
>
> What is the virus name?
>
> i542

I use avast! and ClamWin no issues so far.

I have had one instance with avast, but it was quickly taken care of and it didn't delete all my files.

> wow, I was just talking to a friend about something like this. Does this mean that someone used AutoIt to write a virus/Trojan and antivirus companies see it as AutoIt, not the individual exe?

Yes that is the case. Or they are just blocking the UPX part of an autoit exe.

JS

Edited by JSThePatriot


This is why everyone should refuse to help any potential malicious coders. :D



I just finished a full scan of my computer. I also use AVG. I am completely up to date on everything. UpdateDefs.exe was flagged as being a generic trojan horse, just like for Valuater. Looks like this could be the beginning of the end...



> I just finished a full scan of my computer. I also use AVG. I am completely up to date on everything. UpdateDefs.exe was flagged as being a generic trojan horse, just like for Valuater. Looks like this could be the beginning of the end...

Pessimism is as non-healthy for a community as actually writing some of those apps that cause this type of stuff.


Will recompile it with the latest version for the next release......

You can do the same with the au3 file in the Defs subdir if you need to update the files to the latest Beta defs...



> Pessimism is as non-healthy for a community as actually writing some of those apps that cause this type of stuff.

Then could you tell me what the optimistic side of this would be? Because I don't see it. All I see is that my programs are potentially going to start getting flagged as a virus, and it pisses me off. :D



#13 ·  Posted (edited)

> Then could you tell me what the optimistic side of this would be? Because I don't see it. All I see is that my programs are potentially going to start getting flagged as a virus, and it pisses me off. :P

Well, I think you know my standing on those types of issues; I'm no happier about them than you are. But if you notice, just a bit after you posted the pessimistic post, JdeB had a solution (as I knew he would... which is why I posted it... he's always on top of SciTE). I'm just saying that you've posted some good posts/help/scripts, and that tends to make people look up to you; then, unbeknownst (<< did I spell that right? :D ) to you, you now have a forum responsibility you didn't ask for or maybe even want. And when you talk negatively like that, some could take it literally. We can each only do "our" part to keep the integrity of AutoIt/SciTE safe from harm's way, but that part could have massive results, positive or negative. That's all I meant (all I meant, and I typed a damn dissertation :D ).

Edit:

My grammar sucks!

Edited by SmOke_N


> Then could you tell me what the optimistic side of this would be? Because I don't see it. All I see is that my programs are potentially going to start getting flagged as a virus, and it pisses me off. :D

One lesson I've learned over time is to try not to worry/"get frustrated"/"get mad" about stuff that is out of your control and not really personal to you. Just work around it and move on ....

It's not always simple, but in this case it's part of today's IT world, where we have people who find pleasure in screwing others with their weird ideas put into programs. You could have some respect for the early virus writers since they were REAL programmers. These days it is so simple with all the macro languages that any script kiddy, just relieved of his diapers, can write one...



Yeah, you guys are right. I just really enjoy using AutoIt and so I take things a little too personally sometimes. I'll try to keep the negativity to a minimum about these issues. Thanks for the adjustment. :D

Nomad :D



#16 ·  Posted (edited)

ewido tried this a month ago. I have Norton but never any problem, except some C++ files. I hardly ever compile scripts anyway, but ewido goes crazy when I scan my computer, especially with VB files. The trick is to password protect the files, or put them in exclude lists... or not scan as much as you should :D

it's ridiculous to blacklist AutoIt since most viruses are made in VB/C#/ASM... might as well blacklist anything that moves..

Edited by slightly_abnormal


> This is why everyone should refuse to help any potential malicious coders. :D

I see that a bit later in this thread you had an "adjustment"... that's probably best for your blood pressure. :-)

I wanted to make sure that you took note of the post where JSThePatriot mentions, "Or they are just blocking the UPX part of an autoit exe".

As I understand it, AVG (and a few other AV companies) find a virus/trojan/whatever that was packed with UPX... then they mark all files touched by this tool regardless of what the actual script does. So, you could have a compiled script with just one line: Sleep(111) and when compiled, it would be marked as bad. [I've actually done that.]

I've spent some time in the AVG forums (before I abandoned AVG in favor of avast). I cannot be sure, but it seems that whenever AVG finds any bad file that was packed with UPX, it marks all files packed with that version of UPX. In other words, a file written in a "language" other than AutoIt, but packed with UPX, can trigger false positives for all AutoIt files.

http://forum.grisoft.cz/freeforum/read.php...24757#msg-24757

http://forum.grisoft.cz/freeforum/read.php...70252#msg-70252

If you jump through all of the hoops that AVG requires for submitting a "false positive" then they will respond quickly... but, if my assumptions stated above are correct, then the way that they mark files as bad is - well - bad.

None of this is directed at you per se - it is just that you mentioned "malicious coders" and I wanted you (and others) to see that even if you cleaned the entire forum of all code - good and bad - this problem will still happen until AVG changes its detection methods.

Caveat to all of the above - I could be wrong about AVG's detection method... I did not get an answer from them when I posed this question to them directly some time back. Perhaps they don't discuss such things with parties unknown to them.


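The UPX theory in the post above (and JSThePatriot's earlier remark) gives a developer something concrete to check before filing a false-positive report: whether the flagged compiled script is actually UPX-packed, and which hash to send the vendor. The following is an added example written for this thread, not code from any poster or from the AutoIt/SciTE project. It parses only the PE section table, flags the UPX0/UPX1/UPX2 section names the UPX packer leaves in an image, and computes the file's SHA-256. The function build_demo_pe constructs a header-only image (not a real program) so the script can be exercised offline; a real compiled script is passed by path on the command line.

```python
import hashlib
import struct

# Section names the UPX packer writes into an image it has compressed.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def pe_section_names(data: bytes) -> list:
    """Parse only the PE headers and return the names in the section table.

    Raises ValueError for anything that is not a well-formed MZ/PE image so a
    truncated or non-PE file is reported instead of silently passing.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER is 20 bytes: NumberOfSections sits at offset 2,
    # SizeOfOptionalHeader at offset 16.
    if len(data) < coff + 20:
        raise ValueError("truncated COFF header")
    num_sections, size_opt = struct.unpack_from("<2xH12xH2x", data, coff)
    table = coff + 20 + size_opt
    names = []
    for i in range(num_sections):
        off = table + i * 40            # IMAGE_SECTION_HEADER is 40 bytes
        raw = data[off:off + 8]         # the first 8 bytes are the name
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True if any section carries a UPX name (a heuristic, not proof)."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def triage_image(data: bytes) -> dict:
    """Collect what a false-positive report to an AV vendor usually needs."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sections": pe_section_names(data),
        "upx_packed": looks_upx_packed(data),
    }


def build_demo_pe(section_names) -> bytes:
    """Constructed PE32 header with the given section names: not a runnable
    program, only enough structure to exercise the parser offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0                     # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names),
                       0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32
                     for n in section_names)
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            sample = fh.read()
    else:
        # No path given: use the constructed packed-looking header.
        sample = build_demo_pe(["UPX0", "UPX1", ".rsrc"])
    for key, value in triage_image(sample).items():
        print(f"{key}: {value}")
```

Run it as `python triage.py compiled_script.exe`. If the report shows no UPX sections and the file is still flagged, the detection is not the packer-based one described above, and that is worth saying in the report to the vendor; if it does show them, recompiling without UPX compression (as JdeB's later posts suggest) is the quickest way to confirm the theory on your own machine.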

> I see that a bit later in this thread you had an "adjustment"... that's probably best for your blood pressure. :-)
>
> I wanted to make sure that you took note of the post where JSThePatriot mentions, "Or they are just blocking the UPX part of an autoit exe".
>
> As I understand it, AVG (and a few other AV companies) find a virus/trojan/whatever that was packed with UPX... then they mark all files touched by this tool regardless of what the actual script does. So, you could have a compiled script with just one line: Sleep(111) and when compiled, it would be marked as bad. [I've actually done that.]
>
> I've spent some time in the AVG forums (before I abandoned AVG in favor of avast). I cannot be sure, but it seems that whenever AVG finds any bad file that was packed with UPX, it marks all files packed with that version of UPX. In other words, a file written in a "language" other than AutoIt, but packed with UPX, can trigger false positives for all AutoIt files.
>
> http://forum.grisoft.cz/freeforum/read.php...24757#msg-24757
>
> http://forum.grisoft.cz/freeforum/read.php...70252#msg-70252
>
> If you jump through all of the hoops that AVG requires for submitting a "false positive" then they will respond quickly... but, if my assumptions stated above are correct, then the way that they mark files as bad is - well - bad.
>
> None of this is directed at you per se - it is just that you mentioned "malicious coders" and I wanted you (and others) to see that even if you cleaned the entire forum of all code - good and bad - this problem will still happen until AVG changes its detection methods.
>
> Caveat to all of the above - I could be wrong about AVG's detection method... I did not get an answer from them when I posed this question to them directly some time back. Perhaps they don't discuss such things with parties unknown to them.

Sorry, I've been offline. I'm not saying that you are wrong, but I have a question in regards to your post. The file that has been detected as a trojan was installed by SciTe. So it's been there since my last SciTe update. If it were packed with UPX and that's why it's being flagged, then why wouldn't it have flagged a false positive at the first scan I did after a fresh install instead of waiting until now?

This is a serious question, I'd really like to know.

Nomad :D



From what I've noticed, it's in the exe compiler of SciTE.


#20 ·  Posted (edited)

> From what I've noticed, it's in the exe compiler of SciTE.

:D There is no "exe compiler" in SciTE... SciTE is an editor that is used as a shell around the available utilities. If you mean aut2exe.exe, that comes with the AutoIt3 installer .....

Edited by JdeB

