TrojanDownloader.Murlo.cve in the latest 1.1.9.2 version


4 replies to this topic
Timo
  • Members
  • 26 posts
  • Last active: Mar 19 2013 12:34 PM
  • Joined: 24 Mar 2012

Hello,

 

I'm worried about the results from VirusTotal. I did the following today. First I downloaded the file http://l.autohotkey....y_L_Install.exe and submitted it to VirusTotal:

 

AutoHotkey_L_Install.exe
https://www.virustot...sis/1359887571/
Results 1/46. Jiangmin scanner found the TrojanDownloader.Murlo.cve.

Then I used 7z to extract the files from AutoHotkey_L_Install.exe and submitted the following extracted files to VirusTotal:

AutoHotkeyU64.exe
https://www.virustot...sis/1359887720/
Results 0/46.

AutoHotkeyU32.exe
https://www.virustot...sis/1359887802/
Results 1/46. Jiangmin scanner found the TrojanDownloader.Murlo.cve.

AutoHotkeyA32.exe
https://www.virustot...sis/1359887888/
Results 0/46.

setup.exe
https://www.virustot...sis/1359888014/
Results 0/46.

AU3_Spy.exe
https://www.virustot...sis/1359888089/
Results 0/46.

Ahk2Exe.exe
https://www.virustot...sis/1359888187/
Results 0/46.

AutoHotkey.chm
https://www.virustot...sis/1359888298/
Results 0/46.
 

So, the trojan only resides in the 32-bit Unicode version (but that likely is the version that is mostly installed).

 

Could you please fix this issue asap.

 

With best regards,

Timo

 

 



fincs
  • Moderators
  • 1662 posts
  • Last active:
  • Joined: 05 May 2007
There is no issue: it's a false positive. AV software is known to incorrectly flag AutoHotkey as malware. If you are that worried, you can always look at its source code.

Timo
  • Members
  • 26 posts
  • Last active: Mar 19 2013 12:34 PM
  • Joined: 24 Mar 2012

I'm currently using the AutoHotkey_L Unicode 32-bit version 1.1.08.01. When I upload that exe to VirusTotal I get clean results:

https://www.virustot...sis/1359893707/

Results (0/46).

 

So, in between the AutoHotkey Unicode 32-bit versions 1.1.08.01 and 1.1.9.2 something has happened. Either the Jiangmin scanner has got an issue and now reports a false positive for the current version (1.1.9.2) but not for the version 1.1.08.01, or the trojan really is there in the current exe.

 

In the past AV software has been known to incorrectly flag AutoHotkey as malware. Today 45 AV products do not do so. And one other AV product (the Jiangmin) reports this trojan, and it reports it in only one of the exes (the Unicode 32-bit version).

 

So, to me this is very alarming.

 

Thank you very much for the link to the source code, but I'm not able to take a look at it as I have neither the knowledge, the time nor suitable software. My understanding is that viruses are most often injected into the compiled binaries (exes) and not into the source code. So just looking at the source code likely would not reveal anything; one would need to compile the exe again, using a system that is known to be clean.

 

With best regards,

Timo



faqbot
  • Members
  • 997 posts
  • Last active:
  • Joined: 10 Apr 2012
So write to the makers of Jiangmin with your findings, tell them they are most likely incorrect and have THEM fix their own faulty scanner ;-)

tidbit
  • Administrators
  • 2709 posts
  • Hates playing Janitor
  • Last active: Jan 15 2016 11:37 PM
  • Joined: 09 Mar 2008

May be of interest:  An open letter for Antiviral software companies

And several other 'false positive' topics exist.

 

I think that if 1000s of people use a program and only ONE anti-virus program detects something, it is a very safe assumption to say it's a false positive. If 50% said it was a virus, or 100%, then be afraid. But if only 1 (or 2 or 3) relatively unpopular AV detects it, ignore it.

