
AVG Detected virus in exes



I've just downloaded the latest AVG virus patterns and reinstalled AutoIT2. It looks like its ok now. Phew! With luck my customers won't notice.

I know that the virus checkers have to key on a pattern but that realy doesn't excuse them for this sort of thing. There are loads of programs around that ship with embedded run time code. Microsoft MFC when compiled as a static library comes to mind and there must be loads of other similar examples.

I guess that AutoIT is just an excellent tool for writing viruses quickly in and that's because it's an awesome tool.

This problem has made me think twice about what I'm doing though.

Stev


I have done some tests and it appears that it is only found as a virus when trying to compile via SciTe. If I just bring up the compiler and browse for a script to compile it appears to work fine.

That may have to do with the UPX being performed or not. I know it is very common for Virus companies to just block UPX programs due to it being used on plenty of virii.

JS

AutoIt Links

File-String Hash Plugin Updated! 04-02-2008 Plugins have been discontinued. I just found out.

ComputerGetInfo UDF's Updated! 11-23-2006

External Links

Vortex Revolutions Engineer / Inventor (Web, Desktop, and Mobile Applications, Hardware Gizmos, Consulting, and more)

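JS's guess above is that the detection follows the UPX packing step rather than the script itself. One way to check that on your own builds, as an added example that is not from the thread or the AutoIt project: parse the PE section table for the section names UPX leaves behind, and report size, MD5 and SHA1 in the same shape as the VirusTotal "Additional Information" block so a compiled-with-UPX and a compiled-without-UPX file can be compared before submitting either. The `build_fake_pe` helper constructs a minimal PE skeleton (header and section table only, not a runnable binary) so the check can be exercised without a real executable.

```python
import hashlib
import struct

# Section names UPX leaves in a packed PE; their presence is what a
# scanner report's "packers: UPX" line usually reflects.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24:
        return []
    # COFF header after the signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
    # SizeOfOptionalHeader(2) Characteristics(2)
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    sec_table = pe_off + 24 + opt_size
    names = []
    for i in range(nsec):
        raw = data[sec_table + 40 * i: sec_table + 40 * i + 8]  # 40-byte entries, 8-byte name
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0"))
    return names


def triage(data: bytes) -> dict:
    """Summarise a file the way the VirusTotal 'Additional Information' block does."""
    names = pe_section_names(data)
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "upx_packed": any(n in UPX_SECTION_NAMES for n in names),
        "sections": [n.decode("ascii", "replace") for n in names],
    }


def build_fake_pe(section_names) -> bytes:
    """Constructed minimal PE skeleton (headers only, not executable) for testing."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    secs = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + secs
```

Run `triage(open(path, "rb").read())` on the compiled executable with and without the UPX step; if only the packed one trips the scanner, the hashes and the `upx_packed` flag are what to include when reporting the false positive.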

I just downloaded and installed the latest AutoIt3 and SciTE last night on my laptop (with AVG 7.5), and got errors on SciteConfig.exe, UpdateDefs.exe, AutoIt3Wrapper.exe and AutoItSC.bin. I threw all those files to VirusTotal and had these results:

-=-=-=-=-=-=-=-=-=-=-=-=-

Complete scanning result of "SciteConfig.exe", received in VirusTotal at 10.17.2006, 07:43:16 (CET).

Antivirus      Version  Update      Result
AVG            386      10.16.2006  I-Worm/Generic.AQC
CAT-QuickHeal  8.00     10.16.2006  I-Worm.Quatim.A
UNA            1.83     10.16.2006  Worm.Win32.Sohanad.b

Additional Information
File size: 241811 bytes
MD5: de748c8d6fb003f230cad30cf80a96a0
SHA1: b50f10581546d1bd0ce164bf2deff645f2e3d3a4
packers: UPX

-=-=-=-=-=-=-=-=-=-=-=-=-

Complete scanning result of "UpdateDefs.exe", received in VirusTotal at 10.17.2006, 07:48:37 (CET).

Antivirus      Version  Update      Result
AVG            386      10.16.2006  I-Worm/Generic.AQC
CAT-QuickHeal  8.00     10.16.2006  I-Worm.Quatim.A
UNA            1.83     10.16.2006  Worm.Win32.Sohanad.b

Additional Information
File size: 191072 bytes
MD5: 73a4052fad14a18f6a03b3c5e1044365
SHA1: 6b92bcacd266999a287b74d661a57115682e2aeb
packers: UPX

-=-=-=-=-=-=-=-=-=-=-=-=-

Complete scanning result of "AutoIt3Wrapper.exe", received in VirusTotal at 10.17.2006, 07:59:28 (CET).

Antivirus      Version  Update      Result
AVG            386      10.16.2006  I-Worm/Generic.AQC
CAT-QuickHeal  8.00     10.16.2006  I-Worm.Quatim.A
UNA            1.83     10.16.2006  Worm.Win32.Sohanad.b

Additional Information
File size: 298070 bytes
MD5: e3aefc16098557a8ff30636e10b3faaa
SHA1: ca283fa63efe39168f6f9d46cb08398a3d690034
packers: UPX

-=-=-=-=-=-=-=-=-=-=-=-=-

Complete scanning result of "AutoItSC.bin", received in VirusTotal at 10.17.2006, 08:05:31 (CET).

Antivirus      Version  Update      Result
AVG            386      10.16.2006  I-Worm/Generic.AQC
UNA            1.83     10.16.2006  Worm.Win32.Sohanad.b

Additional Information
File size: 382464 bytes
MD5: 7c48e7bdb2e365c14e4cda7662d300d1
SHA1: 84d5128419e4c0c6f5987ff4a23515864da4de23

-=-=-=-=-=-=-=-=-=-=-=-=-

So it's not just AVG. I posted this to one of the malware boards that I frequent and one of the analysts there said this:

I would guess it is these registry entries it doesn't like

Software\Microsoft\Windows\CurrentVersion\ThemeManager "Compositing"

Control Panel\Desktop "LameButtonText"

HKEY_CURRENT_USER\Software\Hiddensoft\AutoIT3\Aut2Exe\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility "DisableAppCompat"

HKEY_CURRENT_USER\Software\Hiddensoft\AutoIT3\Aut2Exe\Registry\Machine\Software\Classes\CLSID\ {750fdf0e-2a26-11d1-a3ea-080036587f03}\InProcServer32 ""

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions "ProductType"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32\Placesbar\Registry\ Machine\Software\Classes\CLSID\{03c036f1-a186-11d0-824a-00aa005b4383}\InProcServer32 ""

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32\Placesbar\Registry\ Machine\Software\Classes\CLSID\{00bb2763-6a77-11d0-a535-00c04fd7d062}\InProcServer32 ""

this one "DisableAppCompat" and I've seen that quite a bit with some malware so that could be what AVG is picking up on

So what is DisableAppCompat, and why does AutoIt3 set this registry entry?

Oh, and AVG has updated their defs to fix the FP.

Edited by RACooper

I bore of this...

Yes... it is a horrible virus... run, as fast as you can. Get a fire extinguisher and hose down your PC...

Seriously... it is a bad virus definition from AVG... a "false positive"... Email AVG and tell them to fix it.

Lar.

Valik made a sticky about Virii. I hope this helps diminish the number of posts, and if not it can be linked to all of them.

Edit: For future reference the post can be found at: http://www.autoitscript.com/forum/index.php?showtopic=34658

JS

Edited by JSThePatriot


Searched Google for:

IM-Worm.Win32.Sohanad.b

Type Worm

Type Description A Worm is a malicious program that spreads itself without any user intervention. Worms are similar to viruses in that they self-replicate. Unlike viruses, however, worms spread without attaching to or infecting other programs and files. A Worm can spread across computer networks via security holes on vulnerable machines connected to the network. Worms can also spread through email by sending copies of itself to everyone in the user's address book. A Worm may consume a large amount of system resources and cause the machine to become noticeably sluggish and unreliable. Some Worms may be used to compromise infected machines and download additional malicious software.

Category Worm.Generic

Level High

Level Description High risk threats are typically installed without user interaction through security exploits, and can severely compromise system security. Such threats may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These threats may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.

Advice Type Remove

File Traces

We have a problem.

i542

EDIT: AVG on my PC detects this virus too...

avast! (defs 30 days old) says no viruses. Confused...

Edited by i542

I can do signature me.


We have a problem.

i542

Yes. We have three AV companies falsely identifying AutoIt executables as malicious software. AVG has fixed the issue (this time); maybe someone who uses CAT-Quickheal and UNA can report this to them, as well?

Edited by RACooper


Personally, this has never happened to me, I use Zone Labs, pretty nice

I didn't know ZoneLabs had started offering such a wide selection. I have always been a fan of their Firewall when I had a need for one.

JS


I didn't know ZoneLabs had started offering such a wide selection. I have always been a fan of their Firewall when I had a need for one.

JS

'Zone Labs Security Suite' lol

Beats a lot of Anti-virus programs I've 'endured' previously

Edited by Paulie