Steve2000 (Author) Posted October 17, 2006

I've just downloaded the latest AVG virus patterns and reinstalled AutoIT2. It looks like it's OK now. Phew! With luck my customers won't notice. I know that the virus checkers have to key on a pattern, but that really doesn't excuse them for this sort of thing. There are loads of programs around that ship with embedded run-time code. Microsoft MFC when compiled as a static library comes to mind, and there must be loads of other similar examples. I guess that AutoIT is just an excellent tool for writing viruses quickly in, and that's because it's an awesome tool. This problem has made me think twice about what I'm doing though.

Steve

Helge Posted October 17, 2006

"I've just downloaded the latest AVG virus patterns and reinstalled AutoIT2."

What? This was for v2? That's odd. They still can't leave old v2 alone, can they... Oh, and why did you post this in the v3 forum then?
JSThePatriot Posted October 17, 2006

I have done some tests and it appears that it is only found as a virus when trying to compile via SciTE. If I just bring up the compiler and browse for a script to compile it appears to work fine. That may have to do with the UPX being performed or not. I know it is very common for virus companies to just block UPX programs due to it being used on plenty of virii.

JS

AutoIt Links: File-String Hash Plugin (Updated 04-02-2008; plugins have been discontinued, I just found out), ComputerGetInfo UDFs (Updated 11-23-2006). External Links: Vortex Revolutions, Engineer / Inventor (Web, Desktop, and Mobile Applications, Hardware Gizmos, Consulting, and more)

Steve2000 (Author) Posted October 17, 2006

"What? This was for v2? That's odd. They still can't leave old v2 alone, can they... Oh, and why did you post this in the v3 forum then?"

Whoops, slip of the fingers. I meant AutoIT3.
RACooper Posted October 17, 2006 (edited)

I just downloaded and installed the latest AutoIt3 and SciTE last night on my laptop (with AVG 7.5), and got errors on SciteConfig.exe, UpdateDefs.exe, AutoIt3Wrapper.exe and AutoItSC.bin. I threw all those files to VirusTotal and had these results:

Complete scanning result of "SciteConfig.exe", received in VirusTotal at 10.17.2006, 07:43:16 (CET).
  Antivirus      Version  Update      Result
  AVG            386      10.16.2006  I-Worm/Generic.AQC
  CAT-QuickHeal  8.00     10.16.2006  I-Worm.Quatim.A
  UNA            1.83     10.16.2006  Worm.Win32.Sohanad.b
  Additional information: file size 241811 bytes; MD5 de748c8d6fb003f230cad30cf80a96a0; SHA1 b50f10581546d1bd0ce164bf2deff645f2e3d3a4; packers: UPX

Complete scanning result of "UpdateDefs.exe", received in VirusTotal at 10.17.2006, 07:48:37 (CET).
  Antivirus      Version  Update      Result
  AVG            386      10.16.2006  I-Worm/Generic.AQC
  CAT-QuickHeal  8.00     10.16.2006  I-Worm.Quatim.A
  UNA            1.83     10.16.2006  Worm.Win32.Sohanad.b
  Additional information: file size 191072 bytes; MD5 73a4052fad14a18f6a03b3c5e1044365; SHA1 6b92bcacd266999a287b74d661a57115682e2aeb; packers: UPX

Complete scanning result of "AutoIt3Wrapper.exe", received in VirusTotal at 10.17.2006, 07:59:28 (CET).
  Antivirus      Version  Update      Result
  AVG            386      10.16.2006  I-Worm/Generic.AQC
  CAT-QuickHeal  8.00     10.16.2006  I-Worm.Quatim.A
  UNA            1.83     10.16.2006  Worm.Win32.Sohanad.b
  Additional information: file size 298070 bytes; MD5 e3aefc16098557a8ff30636e10b3faaa; SHA1 ca283fa63efe39168f6f9d46cb08398a3d690034; packers: UPX

Complete scanning result of "AutoItSC.bin", received in VirusTotal at 10.17.2006, 08:05:31 (CET).
  Antivirus      Version  Update      Result
  AVG            386      10.16.2006  I-Worm/Generic.AQC
  UNA            1.83     10.16.2006  Worm.Win32.Sohanad.b
  Additional information: file size 382464 bytes; MD5 7c48e7bdb2e365c14e4cda7662d300d1; SHA1 84d5128419e4c0c6f5987ff4a23515864da4de23

So it's not just AVG. I posted this to one of the malware boards that I frequent and one of the analysts there said this:

"I would guess it is these registry entries it doesn't like:
  Software\Microsoft\Windows\CurrentVersion\ThemeManager "Compositing"
  Control Panel\Desktop "LameButtonText"
  HKEY_CURRENT_USER\Software\Hiddensoft\AutoIT3\Aut2Exe\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility "DisableAppCompat"
  HKEY_CURRENT_USER\Software\Hiddensoft\AutoIT3\Aut2Exe\Registry\Machine\Software\Classes\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InProcServer32 ""
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions "ProductType"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32\Placesbar\Registry\Machine\Software\Classes\CLSID\{03c036f1-a186-11d0-824a-00aa005b4383}\InProcServer32 ""
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32\Placesbar\Registry\Machine\Software\Classes\CLSID\{00bb2763-6a77-11d0-a535-00c04fd7d062}\InProcServer32 ""
This one, "DisableAppCompat", I've seen quite a bit with some malware, so that could be what AVG is picking up on."

So what is DisableAppCompat, and why does AutoIt3 set this registry entry?

Oh, and AVG has updated their defs to fix the FP.

Edited October 17, 2006 by RACooper
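Two points in this thread lend themselves to a quick local check: JSThePatriot's guess above that the difference between compiling from SciTE and from the bare compiler is whether the output is UPX-packed, and RACooper's VirusTotal results, which report MD5/SHA1 plus "packers: UPX" for each flagged file. The following is an added example, not code from the original thread or from the AutoIt project: a small Python triage script that hashes a file (so the digests can be compared with the VirusTotal lines above) and walks the PE section table to flag the UPX0/UPX1 section names that UPX leaves behind. The PE bytes it runs on when given no arguments are constructed inline as test data, the SHA256 digest is my addition (VirusTotal reported only MD5 and SHA1 at the time), and all function and variable names are my own.

```python
import hashlib
import struct

# Section names that UPX writes into a packed PE (UPX0, UPX1, sometimes UPX2).
UPX_SECTION_PREFIX = "UPX"


def file_hashes(data: bytes) -> dict:
    """Return MD5, SHA1 and SHA256 hex digests of the file contents.

    MD5 and SHA1 match what VirusTotal reported in 2006; SHA256 is what you
    would search on today (added here, not in the original report).
    """
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def pe_section_names(data: bytes) -> list:
    """Parse the PE section table and return the section names in order.

    Layout walked: DOS header -> e_lfanew at 0x3C -> "PE\\0\\0" signature
    -> 20-byte COFF file header -> optional header -> 40-byte section headers.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional_header
    names = []
    for i in range(number_of_sections):
        offset = table + 40 * i
        raw = data[offset:offset + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def upx_sections(names: list) -> list:
    """Return the section names that look like UPX's own (UPX0, UPX1, ...)."""
    return [n for n in names if n.upper().startswith(UPX_SECTION_PREFIX)]


def triage(data: bytes) -> dict:
    """Summarise one file: hashes, section names, and whether UPX markers are present."""
    names = pe_section_names(data)
    markers = upx_sections(names)
    return {
        "hashes": file_hashes(data),
        "sections": names,
        "upx_sections": markers,
        "looks_upx_packed": bool(markers),
    }


def build_fake_pe(section_names: list) -> bytes:
    """Construct a minimal synthetic PE32 image (constructed test data, not a real binary)."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    dos += struct.pack("<I", e_lfanew)
    dos += b"\x00" * (e_lfanew - len(dos))
    size_of_optional_header = 0xE0  # PE32 optional header size
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0,
                       size_of_optional_header, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (size_of_optional_header - 2)
    sections = b""
    for i, name in enumerate(section_names):
        header = name.encode("ascii")[:8].ljust(8, b"\x00")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        header += struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200,
                              0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        sections += header
    return bytes(dos) + b"PE\x00\x00" + coff + optional + sections


if __name__ == "__main__":
    import sys
    # Real files given on the command line, otherwise the constructed sample.
    samples = [open(p, "rb").read() for p in sys.argv[1:]] or \
        [build_fake_pe(["UPX0", "UPX1", ".rsrc"])]
    for blob in samples:
        print(triage(blob))
```

Run it as `python triage.py SciteConfig.exe UpdateDefs.exe` and compare the MD5/SHA1 it prints with the VirusTotal lines above; a file whose section list is UPX0/UPX1/.rsrc rather than .text/.data/.rsrc is what a packer-keyed signature is reacting to. Section names are only a hint: UPX can be told to use other names, and a clean compiler output can be packed by hand, so the check says "packed like UPX", not "malicious".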
JSThePatriot Posted October 17, 2006 (edited)

"I bore of this... Yes... it is a horrible virus... run, as fast as you can. Get a fire extinguisher and hose down your PC... Seriously... it is a bad virus definition from AVG... a 'false positive'... Email AVG and tell them to fix it. Lar."

Valik made a sticky about virii. I hope this helps diminish the number of posts, and if not it can be linked to all of them.

Edit: For future reference the post can be found at: http://www.autoitscript.com/forum/index.php?showtopic=34658

JS

Edited October 17, 2006 by JSThePatriot

i542 Posted October 17, 2006 (edited)

Searched Google for: IM-Worm.Win32.Sohanad.b

Type: Worm
Type Description: A Worm is a malicious program that spreads itself without any user intervention. Worms are similar to viruses in that they self-replicate. Unlike viruses, however, worms spread without attaching to or infecting other programs and files. A Worm can spread across computer networks via security holes on vulnerable machines connected to the network. Worms can also spread through email by sending copies of itself to everyone in the user's address book. A Worm may consume a large amount of system resources and cause the machine to become noticeably sluggish and unreliable. Some Worms may be used to compromise infected machines and download additional malicious software.
Category: Worm.Generic
Category Description: (identical to the Type Description above)
Level: High
Level Description: High risk threats are typically installed without user interaction through security exploits, and can severely compromise system security. Such threats may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These threats may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.
Advice Type: Remove
File Traces:

We have a problem.

i542

EDIT: AVG on my PC detects this virus too... avast! (defs 30 days old) says no viruses. Confused...

Edited October 17, 2006 by i542
GaryFrost Posted October 17, 2006

See post above yours.

RACooper Posted October 17, 2006 (edited)

"We have a problem. i542"

Yes. We have three AV companies falsely identifying AutoIt executables as malicious software. AVG has fixed the issue (this time); maybe someone who uses CAT-QuickHeal and UNA can report this to them as well?

Edited October 17, 2006 by RACooper

Dule Barbul Posted October 17, 2006

"That's great to hear. Apart from downloading it, how did you know that the problem was fixed? Steve"

I don't know; I wait for a new update, download it and try!

Dusan
RACooper Posted October 17, 2006 Posted October 17, 2006 I tested the four "suspect" files against today's AVG update, and it does not detect them this time. All four come back as clean.
JayJay Posted October 17, 2006

I'm glad for this quick fix. Started my computer before I got to work and it was like WTF??

edan Posted October 17, 2006

avast! still says that there is a virus in SciTE... what can I do?

Paulie Posted October 17, 2006 (edited)

"My umbrella had a hole in it once... I got a new umbrella. Lar."

Personally, this has never happened to me; I use Zone Labs, pretty nice.

Edited October 17, 2006 by Paulie

JSThePatriot Posted October 17, 2006

"Personally, this has never happened to me; I use Zone Labs, pretty nice."

I didn't know ZoneLabs had started offering such a wide selection. I have always been a fan of their firewall when I had a need for one.

JS

Paulie Posted October 17, 2006 (edited)

"I didn't know ZoneLabs had started offering such a wide selection. I have always been a fan of their firewall when I had a need for one. JS"

'Zone Labs Security Suite' lol. Beats a lot of anti-virus programs I've 'endured' previously.

Edited October 18, 2006 by Paulie

xcal Posted October 18, 2006

Probably don't want to be mentioning 'cracks' out in the open... just saying.