JSThePatriot

Are my AutoIt EXEs really infected?

156 posts in this topic

#141 ·  Posted

Today, MSSE marked one of my applications as Trojan:Win32/Zelrune.C!cl. :no:

2 people like this




#142 ·  Posted

@giangnguyen

I don't think you'd get much response from them, they haven't released an update to the software in about 4 years. They've only updated the virus definitions recently.


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator


#144 ·  Posted

source: MsgBox(1,"","hi")

compiled by right click+compile for x86

https://virustotal.com/en/file/2922e3bf83b2bc1dd19ab42748ef24e0fbf27a9dbc8696825cf86b11547deeee/analysis/1464834505/

Uh oh, found some more. Not sure if that is by AutoIt though. But they don't have twister on VT, I used majyx scanner.

Here is the twister detection: https://scan.majyx.net/scans/result/f1feb3a899de723057ac539d0ddc3b3f841bc8ce
As you can see, it is detected as W32.HackKMS.L.yvrm


#145 ·  Posted

Have a look at the signature of @BetaLeaf; he has a tool for reporting false positives.


#146 ·  Posted

Awesome, people noticed me! Lol no but thanks for mentioning my tool. Makes me feel accomplished. Tools in the signature below. 

1 person likes this

My Scripts:

False Positive Reporter - Mass email all anti virus vendors with an attachment of your program for easy whitelisting.

PortableApps.com App Creation Wizard  - A simple GUI-based Wizard for creating PortableApps.

AutoISO  - Automatic ISO Image creation using ImgBurn.

SoundBoard - Play any song or sound you want at the press of a hotkey


#147 ·  Posted

Additional thing: if you pack with UPX it gets detected as AutoIt Packed.

On 02/06/2016 at 3:34 AM, giangnguyen said:

source: MsgBox(1,"","hi")

compiled by right click+compile for x86

https://virustotal.com/en/file/2922e3bf83b2bc1dd19ab42748ef24e0fbf27a9dbc8696825cf86b11547deeee/analysis/1464834505/

Uh oh, found some more. Not sure if that is by AutoIt though. But they don't have twister on VT, I used majyx scanner.

Here is the twister detection: https://scan.majyx.net/scans/result/f1feb3a899de723057ac539d0ddc3b3f841bc8ce
As you can see, it is detected as W32.HackKMS.L.yvrm


giangnguyen,

Not sure how long you've been around autoit but 3/56 flags from VT is nothing to worry about, or any other similar site that uses the "many fools in a room" logic to formulate an opinion.

8 hours ago, Mobius said:

giangnguyen,

Not sure how long you've been around autoit but 3/56 flags from VT is nothing to worry about, or any other similar site that uses the "many fools in a room" logic to formulate an opinion.


I know 3/56 is not much, I know, but I prefer to have my clean files not detected by AVs.


The main AutoIt3.exe rarely gets flagged (sometimes on each new version). So if I were writing public software I'd play it safe and distribute AutoIt3.exe and compile the script as .a3x. Least chance of flagging.


#151 ·  Posted (edited)

Uninstall AutoIt. Fix registry issues with CCleaner. Restart the computer. Install again.

The hottest deal of 2016 with IUL's cheap web design service: when you have a Hanoi website designed, you immediately receive a free course on selling on Facebook or selling online, or you can use our other web services, for example: travel and hotel web design, company web design, cheap all-in-one web design, custom web design, responsive web design, real estate website design, ... The promotion ends on 20/10/2016, so hurry and join the program to receive the reward.

Edited by yennhikorea

Cheap and free online store web design company

5 minutes ago, yennhikorea said:

Uninstall AutoIt. Fix registry issues with CCleaner. Restart the computer. Install again.

Are you trying to say something? What the hell are you saying?


“The world won’t care about your self-esteem. The world will expect you to accomplish something Before you feel good about yourself.”


Trong, what are you trying to say?


My UDFs and Tutorials:


UDFs:
Active Directory (NEW 2017-04-18 - Version 1.4.8.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (NEW 2017-02-27 - Version 1.3.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2015-04-01 - Version 0.4.0.0) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
Tutorials:
ADO - Wiki



I'm asked, I do not say!


On 6/20/2016 at 11:36 AM, yennhikorea said:

Uninstall AutoIt. Fix registry issues with CCleaner. Restart the computer. Install again.

That's not going to fix the detection issue. It is probably a combination of the unpacking of the AutoIt engine on execution and certain functions in your script.


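As an added example (not code from this thread nor from any tool its posters link), here is a small Python triage helper for the two points made above: UPX-packed builds get flagged as "AutoIt Packed" (post #147), and the flag is most likely a heuristic on the engine unpacking itself at run time (BetaLeaf's reply). It walks the PE section table, so a UPX0/UPX1 section name tells you a build is packed before you bother sending a false-positive report, and it prints the SHA-256 so you can match the file against the hash in a VirusTotal permalink. The sample PE header is constructed inline and is not a real binary.

```python
import hashlib
import struct
import sys
from typing import List

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # names UPX gives its sections


def pe_section_names(data: bytes) -> List[bytes]:
    """Walk the DOS/PE headers and return the names in the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4                                         # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                              # first section header
    names = []
    for i in range(num_sections):
        start = table + 40 * i                                # 40-byte entries
        names.append(data[start:start + 8].rstrip(b"\0"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True when any section carries a UPX name, the cheapest packer tell."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def sha256_hex(data: bytes) -> str:
    """Hash to compare against the hash embedded in a VirusTotal permalink."""
    return hashlib.sha256(data).hexdigest()


def build_sample_pe(section_names) -> bytes:
    """Constructed, non-executable PE skeleton used only to exercise the parser."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    optional = b"\0" * 224                                    # zeroed optional header
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read()                     # e.g. your compiled EXE
    print(sha256_hex(blob), pe_section_names(blob), looks_upx_packed(blob))
```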

#156 ·  Posted (edited)

Hey guys. Want to help improve False Positive Reporter?

If you see any emails that aren't on the list below, please Private Message me so I can add them to the list.



support.is@cmclab.net
samples@digital-defender.com
sample@preventon.com
support-tech@returnil.com
malwaresample@herdprotect.com
info@chicalogic.com
submit@antiy.com
avlnetwork@antiy.com
virus@arcabit.com
v3sos@ahnlab.com
virus@avast.com
virus@avira.com
virus_submission@bitdefender.com
samples@bluepointsecurity.com
malwaresubmit@avlab.comodo.com
vms@drweb.com
malware@emcosoftware.com
submit@emsisoft.com
virus@esafe.com
samples@escanav.com
submitvirus@fortinet.com
research@spy-emergency.com
viruslab@f-prot.com
labs@fsb-antivirus.com
vsamples@f-secure.com
samples@ikarus.at
submit@samples.immunet.com
newvirus@kaspersky.com
support@jiangmin.com
research@lavasoft.com
virus_research@avertlabs.com
virus@micropoint.com.cn
avsubmit@submit.microsoft.com
virus@nanoav.ru
samples@eset.com
support@noralabs.com
support@norman.com
virus_info@inca.co.kr
virus@pandasecurity.com
psafe@psafe.com
kefu@360.cn
support@rubus.co.in
newvirus@s-cop.com
samples@sophos.com
detections@spybot.info
vlab@srnmicro.com
avsubmit@symantec.com
virus@hacksoft.com.pe
virus@thirtyseven4.com
cainfo@ca.com
submit@trojanhunter.com
support@simplysup.com
virus@filseclab.com
malware-cruncher@sunbelt-software.com
viruslab@hauri.co.kr
newvirus@anti-virus.by
virus@zillya.com
huangruimin@kingsoft.com
support@aegislab.com
viruslab@quickheal.com
trojans@agnitum.com
bav@baidu.com
bkav@bkav.com.vn
samples@mysecuritywin.com
falsepositive@reasoncoresecurity.com
virus_research_gateway@avertlabs.com


Edited by BetaLeaf
1 person likes this
