trojan in autohotkey installer?

gallaxhar
Posts: 143
Joined: 03 Sep 2014, 06:35

trojan in autohotkey installer?

Post by gallaxhar » 13 Feb 2016, 14:37

Today (2/13/2016) Windows Defender found the Varpes.M!plock trojan in AutoHotkey .exe files.
I'm guessing it's a false positive, but I want to make sure other people with Windows Defender are getting this too, and that some trojan didn't inject into my AHK install..
Pulover
Posts: 366
Joined: 29 Sep 2013, 19:51
Location: Brazil

Re: trojan in autohotkey installer?

Post by Pulover » 13 Feb 2016, 19:25

Got the same warning on the 1.1.23.00 installer.
Rodolfo U. Batista
Pulover's Macro Creator - Automation Tool (Recorder & Script Writer)
Thomas69

Re: trojan in autohotkey installer?

Post by Thomas69 » 14 Feb 2016, 11:49

Same problem here.

I really wonder if it is just a false alarm or if the installation file got infected somehow.
Thomas69

Re: trojan in autohotkey installer?

Post by Thomas69 » 14 Feb 2016, 13:54

Or maybe...maybe there are some trojans based on autohotkey and it is really a false positive.
Peter2
Posts: 219
Joined: 21 Sep 2014, 14:38
Location: CH

Re: trojan in autohotkey installer?

Post by Peter2 » 14 Feb 2016, 14:50

Current check of AutoHotkey112301.zip on Virustotal.com shows 0 alerts:
https://www.virustotal.com/de/file/f606 ... 455479320/
Peter (AHK Beginner) / Win 7 x64, AHK Version v1.1.22.xx
Pronto

Re: trojan in autohotkey installer?

Post by Pronto » 14 Feb 2016, 15:07

I have the Ahk2Exe compiler installed, and curiously enough, the very same trojan was reported by MS Security Essentials (virus db version 1.213.6205.0) in ANSI 32-bit.bin, AutoHotkeySC.bin and Unicode 32-bit.bin, but not in the generated executable file. :crazy:
It must be a false positive.
lexikos
Posts: 6175
Joined: 30 Sep 2013, 04:07
GitHub: Lexikos

Re: trojan in autohotkey installer?

Post by lexikos » 15 Feb 2016, 05:33

When these (suspected) false positives occur, it would be helpful if users were to submit the files in question to their antivirus vendor for analysis. The following page has an extensive list of details for submitting false positives to various antivirus vendors:
http://www.techsupportalert.com/content ... endors.htm
JoeWinograd
Posts: 1056
Joined: 10 Feb 2014, 20:00

Re: trojan in autohotkey installer?

Post by JoeWinograd » 16 Feb 2016, 09:32

I just ran AutoHotkey112301_Install.exe through VirusTotal (although it had already been analyzed a few hours ago) and it reports 7 detections out of 54:
https://www.virustotal.com/en/file/a043 ... 455631818/

"McAfee" is one of the detections, but "Microsoft" isn't. However, I don't know what VT means by "Microsoft", as my MSE scan does show the detection:


It's interesting that Peter2's run of AutoHotkey112301.zip through VT showed 0 detections, while my run of AutoHotkey112301_Install.exe through VT showed 7. Regards, Joe
lexikos
Posts: 6175
Joined: 30 Sep 2013, 04:07
GitHub: Lexikos

Re: trojan in autohotkey installer?

Post by lexikos » 16 Feb 2016, 21:30

It is interesting that both "infections" were given the name "Win32/Varpes.M!plock". I suspect they are actually unrelated.

The installer is a 7-zip self-extractor; specifically "7zS2.sfx", iirc. I compiled it with TinyCC, making it maybe 30-40KB smaller than compiling with VS. The source code contains a couple of minor customisations for error handling and launching "AutoHotkeyU32.exe Installer.ahk" instead of setup.exe. (I left setup.exe because it's easier to instruct users to click on, and doesn't seem to take any extra space due to compression of redundant data.)

I uploaded the base executable produced by TinyCC to VT yesterday, and iirc it got 7 detections. This is without any AutoHotkey data, and no code in common with AutoHotkey.exe.

I could change compilers again to try to evade the false positives, but it isn't a solution let alone a permanent one, and I'm against the idea on principle.
gwarble
Posts: 240
Joined: 30 Sep 2013, 15:01

Re: trojan in autohotkey installer?

Post by gwarble » 18 Feb 2016, 17:15

Since "releasing" EitherMouse years ago, most of my false positive reports from users have been Avast, some Kalypso, but today was the first time someone reported a Microsoft false positive...

1.1.23.1, same Varpes.M detected

I always instruct users to report it (but doubt they do), and I have done so myself a few times over the years.
EitherMouse - Multiple mice, individual settings . . . . www.EitherMouse.com . . . . forum . . . .
LorenAmelang
Posts: 1
Joined: 25 Feb 2016, 12:40

Re: trojan in autohotkey installer?

Post by LorenAmelang » 25 Feb 2016, 14:48

Apparently writing a new downloaded zip to my Installers folder triggered a Defender scan of the whole folder, that suddenly decided an AutoHotkey install file from over a month ago was malware. Definitions have not been updated since Feb 12 - why now?

-----
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Recommended action: Remove this software immediately.
Items:
file:C:\Users\loren\Installers X\AutoHotkey112300_Install.exe
Get more information about this item online.
Win32/Pocyx.B!plock
-----

Wonder why I got "Pocyx" instead of "Varpes"...

Despite the dialog text saying I need to delete it, the file is already deleted.

It was here before:
Directory of D:\Surface Book Image\Installers X
01/16/2016 10:59 AM 3,092,112 AUTOHO~1.EXE AutoHotkey112300_Install.exe

Gone now, definitely not hidden or system... Thankfully it is not attacking the actual program or scripts!
JoeWinograd
Posts: 1056
Joined: 10 Feb 2014, 20:00

Re: trojan in autohotkey installer?

Post by JoeWinograd » 25 Feb 2016, 18:09

Hi Loren,
I just got the same here on a W10 Pro 64-bit system:


Regards, Joe
rgal7
Posts: 1
Joined: 28 Feb 2016, 20:38

Re: trojan in autohotkey installer?

Post by rgal7 » 28 Feb 2016, 20:55

Just yesterday my W10 Pro started to throw up a lot of Parite.B reports. Happened again today:

And I reported AU3_Spy.exe online as a false positive at https://www.microsoft.com/en-us/securit ... ubmit.aspx

which resulted in:

Hope that helps someone.
joedf
Posts: 6486
Joined: 29 Sep 2013, 17:08
Facebook: J0EDF
Google: +joedf
GitHub: joedf
Location: Canada, Quebec

Re: trojan in autohotkey installer?

Post by joedf » 28 Feb 2016, 23:47

Thanks for the help with the false positive report. :) AHK has had many problems with AV software over the years. :(
lexikos
Posts: 6175
Joined: 30 Sep 2013, 04:07
GitHub: Lexikos

Re: trojan in autohotkey installer?

Post by lexikos » 29 Feb 2016, 01:09

"This program is dangerous and replicates by infecting other files" very strongly indicates that you may have a virus, which has coincidentally infected the AutoHotkey files. Were all of the detections AutoHotkey.exe/compiled scripts?
joedf
Posts: 6486
Joined: 29 Sep 2013, 17:08
Facebook: J0EDF
Google: +joedf
GitHub: joedf
Location: Canada, Quebec

Re: trojan in autohotkey installer?

Post by joedf » 29 Feb 2016, 16:14

lexikos wrote:"This program is dangerous and replicates by infecting other files" very strongly indicates that you may have a virus, which has coincidentally infected the AutoHotkey files. Were all of the detections AutoHotkey.exe/compiled scripts?
ahhhh :facepalm: :crazy: :( ... I don't even know anymore.... :cry:
guest3456
Posts: 2419
Joined: 09 Oct 2013, 10:31

Re: trojan in autohotkey installer?

Post by guest3456 » 02 Mar 2016, 09:55

lexikos wrote:Were all of the detections AutoHotkey.exe/compiled scripts?
I only distribute compiled scripts, and all of my users who were complaining about Windows Defender detections were on Win10. I'm guessing the heuristic matching is different on Win10.

That said, my webhost also complained and took my site offline, saying I was spreading malware. :evil:

JoeWinograd
Posts: 1056
Joined: 10 Feb 2014, 20:00

Re: trojan in autohotkey installer?

Post by JoeWinograd » 21 Apr 2016, 14:46

I don't know if anything was done in 1.1.23.05 to address this issue specifically, but, fwiw, I just did a scan of AutoHotkey112305_Install.exe with Windows Defender in W10/64-bit (Windows 10 Pro Insider Preview, Version 1511, Build 14279.1000) and it came up clean:
Scan completed on 399 items. No threats were detected on your PC during this scan.
Regards, Joe
joedf
Posts: 6486
Joined: 29 Sep 2013, 17:08
Facebook: J0EDF
Google: +joedf
GitHub: joedf
Location: Canada, Quebec

Re: trojan in autohotkey installer?

Post by joedf » 21 Apr 2016, 15:14

Please post the file hashes :)
JoeWinograd
Posts: 1056
Joined: 10 Feb 2014, 20:00

Re: trojan in autohotkey installer?

Post by JoeWinograd » 21 Apr 2016, 15:40

CRC32(SFV): 9F3A54AB
MD5: 74FDBAF763D4B30C87DBE566C257095B
SHA1: B5528EAE1B59C37F20A8BF6D4D72ABEE7A4D4F48
SHA256: 849626ED9888C5F3CC1B10C960B4D40BC5C4C499E9D7F9DD1CEB90B32EF622F3
SHA512: F287973800F679A04090E90DCA9A3060D58B120ED1B8A96F626A693FB0E91E00F9F78E5EFFD955BD7F259BC1A7FD049F21FBC1326FEDC972854054286E03C384
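As an added example (not code from this thread or from the AutoHotkey project), here is a small Python checker that computes the same five digests joedf asked for and compares a downloaded installer against hash lines in the format posted above; it only reports the file as verified when every posted digest matches and at least one of them is SHA-256 or SHA-512, since CRC32/MD5/SHA-1 alone are too weak to prove integrity. The sample bytes in the test are constructed, not a real installer.

```python
import hashlib
import hmac
import zlib
from typing import Dict

# Same five algorithms, in the same format, as the hashes posted in the thread.
ALGORITHMS = ("CRC32", "MD5", "SHA1", "SHA256", "SHA512")
STRONG = ("SHA256", "SHA512")  # CRC32/MD5/SHA1 alone do not prove integrity


def compute_digests(data: bytes) -> Dict[str, str]:
    """Return upper-case hex digests of data for every algorithm in ALGORITHMS."""
    return {
        "CRC32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA256": hashlib.sha256(data).hexdigest().upper(),
        "SHA512": hashlib.sha512(data).hexdigest().upper(),
    }


def parse_published(text: str) -> Dict[str, str]:
    """Parse 'NAME: HEX' lines as posted, e.g. 'CRC32(SFV): 9F3A54AB' or 'SHA256: 8496...'."""
    published = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.split("(", 1)[0].strip().upper()   # 'CRC32(SFV)' -> 'CRC32'
        value = "".join(value.split()).upper()         # tolerate spaces and lower case
        if name in ALGORITHMS and value:
            published[name] = value
    return published


def verify(data: bytes, published_text: str) -> bool:
    """True only if every published digest matches and at least one strong one was checked."""
    published = parse_published(published_text)
    actual = compute_digests(data)
    checked_strong = False
    for name, expected in published.items():
        # constant-time compare, so a mismatch does not leak which prefix matched
        if not hmac.compare_digest(actual[name], expected):
            return False
        checked_strong = checked_strong or name in STRONG
    return checked_strong


def verify_file(path: str, published_text: str) -> bool:
    """Hash an installer on disk (read whole; installers are a few MB) and verify it."""
    with open(path, "rb") as fh:
        return verify(fh.read(), published_text)
```

Run `verify_file("AutoHotkey112305_Install.exe", text_copied_from_the_post)` against the hashes above to confirm a download is the same file that scanned clean.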