Viruses found in executable after compile


10 replies to this topic
adamisageek
  • Members
  • 20 posts
  • Last active: May 07 2008 07:59 PM
  • Joined: 05 Mar 2007
This is totally weird...
I created an executable ("ShowConsole.exe") by compiling a script I wrote in AutoHotkey. I've used the executable many, many times with no problems. Today I made one single change to the script, and it still runs fine when run by itself. The change was literally just changing a regular hotkey like this:
r::HotkeyFunction()
to require the Win key along with it like this:
#r::HotkeyFunction()
So I proceeded to recompile the new script into a new executable. When I did so, AutoHotkey gave me an "Unable to create compiled archive" error and the new executable was flagged by AVG immediately with "Trojan horse SHeur.AVHE":
I then uploaded the file to VirusTotal.com's online virus check and got these results:
Antivirus	Version	Last Update	Result
AVG	7.5.0.516	2008.03.22	SHeur.AVHE
eSafe	7.0.15.0	2008.03.18	suspicious Trojan/Worm
Ikarus	T3.1.1.20	2008.03.23	Trojan-Spy.Win32.Agent.bbg
NOD32v2	2967	2008.03.21	archive damaged
Panda	9.0.0.4	2008.03.23	Suspicious file
Prevx1	V2	2008.03.23	Infostealer
See the full report here:
http://www.virustota...0c4395b2d9238ac

So for gits and shiggles I did the same thing with the previous executable and got this:
Antivirus	Version	Last Update	Result
eSafe	7.0.15.0	2008.03.18	suspicious Trojan/Worm
NOD32v2	2973	2008.03.26	archive damaged
Panda	9.0.0.4	2008.03.25	Suspicious file
Prevx1	V2	2008.03.26	Trojan.Dropper
VirusBuster	4.3.26:9	2008.03.25	Worm.AutoRun.BY

And that report can be found here:
http://www.virustota...f1a7827386e5a83

I've seen some different posts here on the forums dealing with viruses found in compiled scripts, but none that matched my problem.
Someone please tell me what's going on here, because I use AHK every day for work and home use, and I'd hate to have to start being wary of virus-infected AHK compiled executables.

Lexikos
  • Administrators
  • 9844 posts
  • AutoHotkey Foundation
  • Last active:
  • Joined: 17 Oct 2006
(This has been covered in at least one of the other "compiled script virus" threads...)

While there is a possibility that something else on your system is infecting the compiled scripts, false positives are not uncommon. If you aren't using the latest version of AutoHotkey, try upgrading. If you are, try downloading an older version from the archives. If it is a false positive, usually you may avoid it by using a different version of AutoHotkeySC.bin (the base for compiled scripts) which would have a different signature.

If your AutoHotkeySC.bin file is infected, all of your compiled scripts will also be infected.

I am using AutoHotkey v1.0.47.06 and AVG Free Edition with virus definitions downloaded this morning, and it is not picking up my compiled scripts.

adamisageek
  • Members
  • 20 posts
  • Last active: May 07 2008 07:59 PM
  • Joined: 05 Mar 2007
I see...
Can you (or anyone else) do me a favor and compile my script on your machine and tell me if anything comes up after an AVG scan?
You can open the .ahk script for yourself to see there aren't any harmful things in the code.
/*
Author: Adam Wright - www.adamisageek.com
Title: ShowConsole
Description:
Shows/hides console by using the tilde key.
Meant to be used with Console program and config file edited to resemble the Quake console, found in the same directory of this script.
At this point, there's no way to exit the program except for right clicking the tray icon and clicking Exit.
The same goes for the console.exe program; to exit both the user will need to manually exit both programs.
*/

;This uses the Win key + the tilde key as the console activator, change as desired
;Ex. "c::PrevTitle := ShowConsole(PrevTitle)" would use the "c" key to show/hide the console.
;go to http://www.autohotkey.com/docs/KeyList.htm for key name info
#`::PrevTitle := ShowConsole(PrevTitle)

ShowConsole(PrevTitle)
{
	WinGetActiveTitle, temptitle
	if !InStr(temptitle, "dropdownconsole", false)	;third parameter of InStr() is CaseSensitive; pass false directly for a case-insensitive match
	{
		if (temptitle = "")		;this is in case the tilde is pressed while the taskbar has focus, there is no title so it needs to be manually set to the taskbar's ahk_class to regain focus when the console is brought down
			PrevTitle := "ahk_class Shell_TrayWnd"
		else
			PrevTitle = %temptitle%
	}
	DetectHiddenWindows, on
	IfWinExist ahk_class Console Main Command Window
	{
		IfWinActive ahk_class Console Main Command Window
		{
			WinActivate %PrevTitle%
			WinHide ahk_class Console Main Command Window
			Menu, TRAY, icon, quakeconsole_green.ico
		}
		else
		{
			WinShow ahk_class Console Main Command Window
			WinActivate ahk_class Console Main Command Window
			Menu, TRAY, icon, quakeconsole_black.ico
		}
	}
	else
	{
		Run "console.exe"
		DetectHiddenWindows, off
	}
	return PrevTitle
}
Basically, this script is used in conjunction with a console program that runs a "Quake 2-style" console whenever you press Win+tilde. The script obviously won't work for most after compiling, since you probably won't have the Console.exe program on your computer. But it should still compile; then you can run an AVG scan and let me know the results.
Let me know if anything goes wrong with the compile.

Meanwhile, I'll see if my home computer doesn't have the newest release of AHK (I know my work computer does).
My AutoHotKey.com username has changed to GeekyAdam

haichen
  • Members
  • 200 posts
  • Last active: Oct 20 2013 01:14 PM
  • Joined: 05 Feb 2007
Your script compiled on my PC, at Virustotal:
Antivirus	Version	Last Update	Result
Avast	4.7.1098.0	2008.03.26	-
AVG	7.5.0.516	2008.03.26	-
CAT-QuickHeal	9.50	2008.03.26	TrojanSpy.Agent.bve
ClamAV	0.92.1	2008.03.26	-
Ikarus	T3.1.1.20	2008.03.26	Trojan-Spy.Win32.Agent.bqt
NOD32v2	2974	2008.03.26	archive damaged
Panda	9.0.0.4	2008.03.25	Suspicious file
Prevx1	V2	2008.03.26	Generic.Malware
TheHacker	6.2.92.255	2008.03.26	Trojan/Spy.Agent.btl
VBA32	3.12.6.3	2008.03.25	Trojan-Spy.Win32.Agent.bqt

I have ClamWin and Avast on my PC and your compiled script tested negative.

An empty compiled AHK script also gives 8 positives with Virustotal.

I also tried a compiled empty script without UPX:
NOD32v2	2975	2008.03.26	archive damaged
VBA32	3.12.6.3	2008.03.25	Trojan-Spy.Win32.Agent.bqt

And the same for your script without UPX.

And here the results for upx.exe itself:
eSafe	7.0.15.0	2008.03.18	suspicious Trojan/Worm
Panda	9.0.0.4	2008.03.25	Suspicious file

My conclusion is that virus scanners have a problem with UPX.
But I think this isn't new.

And here some more results from Virustotal:
AutoHotkeySC.bin alone has only one positive in Virustotal:
VBA32	3.12.6.3	2008.03.25	Trojan-Spy.Win32.Agent.bqt

One of my own freshly compiled scripts is shown as follows:
eSafe	7.0.15.0	2008.03.18	suspicious Trojan/Worm
Ikarus	T3.1.1.20	2008.03.26	Trojan-Spy.Win32.Agent.bqt
NOD32v2	2975	2008.03.26	archive damaged
Prevx1	V2	2008.03.26	Generic.Malware
VBA32	3.12.6.3	2008.03.25	Trojan-Spy.Win32.Agent.bqt

This is the result for ahk2exe:
eSafe	7.0.15.0	2008.03.18	suspicious Trojan/Worm
Ikarus	T3.1.1.20	2008.03.26	Win32.SuspectCrc

And for autohotkey.exe:
eSafe	7.0.15.0	2008.03.18	suspicious Trojan/Worm
Panda	9.0.0.4	2008.03.25	Suspicious file


adamisageek
  • Members
  • 20 posts
  • Last active: May 07 2008 07:59 PM
  • Joined: 05 Mar 2007
Wow, that was exactly the info I was looking for, thanks much for going out of your way to put that in detail for all of us! :)
(If a mod notices a lot of posts about supposed virus scans after compile, you might want to sticky this thread, it's very informative.)

I guess my next step is getting around AVG scanning it as a virus. I didn't check if I have the newest AHK release yet at home (at work now), so I'll do that when I get home.
also,

If it is a false positive, usually you may avoid it by using a different version of AutoHotkeySC.bin (the base for compiled scripts) which would have a different signature.

If need be, how would I go about using a different version of AutoHotkeySC.bin? I have no idea what the file is or what it's used for.

Lastly, can someone post a link to where I can learn more about "upx" and what it is? I have no idea what it is at this point.

Lexikos
  • Administrators
  • 9844 posts
  • AutoHotkey Foundation
  • Last active:
  • Joined: 17 Oct 2006
As I said, AutoHotkeySC.bin is the base for all compiled scripts. It is basically a slightly scaled-down version of AutoHotkey.exe which Ahk2Exe appends the actual (encrypted and compressed) script to.

Each version of AutoHotkey has a different version of AutoHotkeySC.bin. (It can be found in the same directory as Ahk2Exe.) Either get a different version from the archive as mentioned, or download the AutoHotkey source and compile AutoHotkeySC.bin yourself.

http://upx.sourceforge.net/
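Two things in this thread can be checked without an antivirus engine: whether a given binary is UPX-packed at all (haichen's results above point at UPX, not the script contents, as the common factor), and whether a compiled script really is AutoHotkeySC.bin with data appended, as described in the post above. The following Python script is an added example, not code from the thread or from the AutoHotkey project. It parses the PE section table for the UPX0/UPX1 section names that the UPX packer writes, checks whether an executable begins with the bytes of a given stub, and returns SHA-256 hashes so a file can be looked up on VirusTotal by hash instead of being uploaded. The minimal PE images it builds are constructed test data, not real programs. The stub-prefix check rests on an assumption: that Ahk2Exe leaves the stub's own bytes untouched when it appends the script; a custom icon or UPX compression changes them, so a False there is a prompt to look closer, not proof of tampering.

```python
import hashlib
import struct

# Section names the UPX packer writes into a packed PE ("UPX2" appears on
# some builds that keep resources in their own section).
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}

COFF_HEADER_SIZE = 20      # sizeof(IMAGE_FILE_HEADER)
SECTION_HEADER_SIZE = 40   # sizeof(IMAGE_SECTION_HEADER)


def pe_section_names(data):
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the section names.  Raises ValueError for anything that is not a
    well-formed PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    if coff + COFF_HEADER_SIZE > len(data):
        raise ValueError("truncated COFF header")
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HEADER_SIZE + size_of_optional
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        raw = data[off:off + 8]          # Name is the first 8 bytes
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def has_upx_sections(data):
    return any(n in UPX_SECTION_NAMES for n in pe_section_names(data))


def has_upx_marker(data):
    """UPX leaves a literal "UPX!" tag in the packed file.  On its own this
    is a weak signal (upx.exe itself contains the string), so it is only
    combined with the section-name check."""
    return b"UPX!" in data


def is_upx_packed(data):
    return has_upx_sections(data) or has_upx_marker(data)


def starts_with_stub(stub, exe):
    """Assumption (see lead-in): an uncompressed compiled script is the stub
    with the script appended, so it must begin with exactly the stub's
    bytes and be longer than the stub."""
    return len(exe) > len(stub) and exe[:len(stub)] == stub


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage(stub, exe):
    """What to know before blaming the script: hashes for a lookup-by-hash,
    packer status of both files, and whether the compiled file still carries
    the stub as its prefix."""
    return {
        "stub_sha256": sha256_hex(stub),
        "exe_sha256": sha256_hex(exe),
        "stub_upx": is_upx_packed(stub),
        "exe_upx": is_upx_packed(exe),
        "exe_starts_with_stub": starts_with_stub(stub, exe),
    }


def build_pe(section_names):
    """Constructed test data: a minimal PE32 image carrying the given section
    names.  Only the header fields the parser reads are filled in."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 0xE0   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                       size_of_optional, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (size_of_optional - 2)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32
                     for n in section_names)
    return dos + b"PE\0\0" + coff + optional + table


if __name__ == "__main__":
    stub = build_pe([".text", ".rdata", ".data", ".rsrc"])
    plain = stub + b"<appended script data, constructed>"
    packed = build_pe(["UPX0", "UPX1", ".rsrc"])
    for label, exe in (("uncompressed", plain), ("upx-packed", packed)):
        print(label, triage(stub, exe))
```

Against real files, replace the constructed images with `open(path, "rb").read()` for AutoHotkeySC.bin and the compiled .exe. A compiled script that reports exe_upx=True while the stub reports stub_upx=False narrows the difference between the two files to the packer layer, which is exactly what the "No UPX" option mentioned later in this thread removes; comparing the stub's hash with a freshly downloaded copy covers the "infected AutoHotkeySC.bin" case Lexikos raises.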

adamisageek
  • Members
  • 20 posts
  • Last active: May 07 2008 07:59 PM
  • Joined: 05 Mar 2007
You guys were totally right; I was still using AHK version 1.0.47.05. After upgrading to version 1.0.47.06, the script compiled perfectly with no AVG errors!

Thanks for all your help! AHK and the AHK Community rox!
My AutoHotKey.com username has changed to GeekyAdam

Beauty
  • Members
  • 5 posts
  • Last active: Apr 02 2010 07:59 PM
  • Joined: 20 Nov 2008
Yes, the results of Virustotal scans are terrible.
I compiled an empty script without code (just with a comment line).
Then 30% of the virus engines say this would be a bad program (Trojan.Downloader, Win-Trojan/Autorun, ...).

It would be nice if the compiling GUI Ahk2Exe.exe had an option to disable compressing with UPX.
This could be integrated into the setup file.

Also drag&drop for scripts would be nice (-;

SKAN
  • Administrators
  • 9115 posts
  • Last active:
  • Joined: 26 Dec 2005

Ahk2Exe.exe would have an option to disable compressing with UPX.


You may delete/rename upx.exe to disable compression.
Alternately, you may use a hotkey to toggle upx.exe renaming.

:)

VxE
  • Moderators
  • 3622 posts
  • Last active: Dec 24 2015 02:21 AM
  • Joined: 07 Oct 2006
Script: add a "Compile (no UPX)" option to your shell

ruespe
  • Members
  • 567 posts
  • Last active: Dec 01 2014 07:59 PM
  • Joined: 17 Jun 2008
http://www.autohotke... ... mpiler gui
Update of 2008-11-05
+ New: separate "No UPX" option (compression settings has to be reset)