
Compiled scripts detected as trojans


13 replies to this topic
toasterking
  • Members
  • 8 posts
  • Last active: Feb 19 2008 05:05 PM
  • Joined: 04 Oct 2006
AVG Free Edition 7 for Windows just pulled its latest virus definitions file today on my Win9x box, and now whenever a compiled (.exe) AutoHotkey script runs, AVG detects it as the trojan horse PSW.Agent.CRB, prevents it from running, and prompts for options to eradicate it. If I click the Heal button, it actually just moves it to the Virus Vault and deletes the original. Running a plain-text .ahk file works fine; it's just the compiled scripts that AVG catches. Has anyone else experienced this? It seemed to just start today. I've been a faithful user of AVG Free for about 6 years now, but if it comes down to dropping AutoHotkey or switching AntiVirus software, AVG will be gone in a heartbeat.

slomz
  • Members
  • 601 posts
  • Last active: Mar 30 2008 12:54 AM
  • Joined: 03 Sep 2006
Well, it depends what the script does. If it grabs information about your internal hard drive or changes files or .dlls on your computer, it could be detected as a virus.

.AHK
  • Members
  • 657 posts
  • Last active: Nov 27 2008 04:10 AM
  • Joined: 26 Apr 2006
Read this link:
http://www.autohotke...1132&highlight=
My compiled script was reported to be a possible keylogger by spysweeper. It updates no system files, registry, or anything (self contained .exe). It was considered most likely this happened due to AHK keyboard hook, which is mistaken as a keylogger.

JohnnyNitrox
  • Members
  • 10 posts
  • Last active: Nov 01 2006 09:56 PM
  • Joined: 28 Sep 2006
Could it possibly be because it says Created by "Hidden Trojan"? Perhaps it reads the code, sees that specific word and niltches it because of that small fact.
You all rock!

slomz
  • Members
  • 601 posts
  • Last active: Mar 30 2008 12:54 AM
  • Joined: 03 Sep 2006
No, if an antivirus program did that it would be a pretty shitty antivirus program.

silveredge78
  • Members
  • 499 posts
  • Last active: Mar 14 2014 03:19 AM
  • Joined: 25 Jul 2006
Have you tested this for various compiled scripts? Or just the one?

I just made sure I had the latest updates for AVG 7.1.407, as well as the latest virus definitions. I then ran some of the compiled scripts I have (Yam and Guess-It). I had nothing come up. I even tried a script I have written that I normally use as an *.ahk, compiled it and again nothing came up for me.

Has anyone else had this problem?
SilverEdge78

toasterking
  • Members
  • 8 posts
  • Last active: Feb 19 2008 05:05 PM
  • Joined: 04 Oct 2006
Solved it.

I finally attempted what I perhaps should have tried first -- I uninstalled my version of AutoHotkey (1.0.43.08) and installed the latest version (1.0.44.14). The scripts which were already compiled are still detected as containing the trojan, but if I recompile the same scripts with 1.0.44.14, AVG is now fine with them.

I first tested running/recompiling the scripts on a different system also already running AHK 1.0.43.08 in Windows XP SP2 and had the same problem with AVG. I then tested on a system already running AHK 1.0.43.09 in Windows XP SP2 and had no problems. It was then that I uninstalled/updated AHK on the original machine to 1.0.44.14, and it's been smooth sailing since. So I assume something changed between AutoHotkey 1.0.43.08 and 1.0.43.09 that changed the behaviour that AVG is suspicious of. Nothing in the "Recent Changes" in the help file looks obvious.

In a related incident, McAfee VirusScan 8.0 started trashing my compiled AutoIt3 scripts at work today, claiming that they contain the trojan StartPage-JR. I'm still working on that -- several customers on the network have had problems today because the logon script couldn't run an AutoIt3 script that assists in our Exchange2003 migration.

SKAN
  • Administrators
  • 9115 posts
  • Last active:
  • Joined: 26 Dec 2005

Running a plain-text .ahk file works fine; it's just the compiled scripts that AVG catches. Has anyone else experienced this?


No! I never have, in any of the AHK versions :shock:

Currently using AVG Free Edition 7.1.407 on Windows 2000 SP4

Regards, :)

Seclinix
  • Members
  • 160 posts
  • Last active: Apr 09 2007 09:05 PM
  • Joined: 25 Sep 2006
OMG, I get the same damn thing, except mine says "warning new.mal found, this is a PUP (potentially unwanted program)". It is McAfee!
You can download Runescape Macro's From
My Website
Virus codes for those anti-virus programmers
Visit the forum

toasterking
  • Members
  • 8 posts
  • Last active: Feb 19 2008 05:05 PM
  • Joined: 04 Oct 2006
I have found that virus definitions in many popular antivirus software apps seem to erroneously detect UPX-compressed executables (like compiled AutoHotkey scripts) as trojans because so many simple trojans have been written and compiled using UPX. AutoIt3 has an option in the compression menu of its "Script to EXE Converter" app to disable UPX compression, which effectively avoids this situation, albeit producing a larger executable file, but I see no similar option in AutoHotkey 1.0.43.09's converter app.

koro
  • Members
  • 61 posts
  • Last active: Jan 19 2010 01:48 AM
  • Joined: 24 Sep 2006
I regularly use my own script (compiled) and Antivir Personal Edition Classic. Today, apparently after the latest upgrade, Antivir claimed that my script IS the trojan "Autoit.AE". What is surprising is that this is not speculative; it doesn't say "it could be a trojan"; it says it is one. Should I report this to the Antivir team so that they fix it?

Zippo()
  • Guests
  • Last active:
  • Joined: --

...my script IS the trojan "Autoit.AE"...


I did a search for Autoit.AE and finally got to this page:
http://www.viruslist...a?virusid=36567

Looks like some scripts may be getting flagged as variants of Trojan.Win32.Autoit.a if they contain similar characteristics. UPX compression is noted in the virus definition as well.

Or maybe you just wanted to learn to 'Dupe', whatever the hell that is :D
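toasterking's post above and Zippo's note on the Trojan.Win32.Autoit.a definition both point at UPX compression as the trait the signatures key on. The following Python script is an added example, not code from this thread, from AutoHotkey or from AutoIt: it reads a PE file's section table without any third-party library and reports the cheap UPX tells a packer heuristic looks for (the UPX0/UPX1/UPX2 section names, an empty writable-and-executable unpack target section, a high-entropy compressed section, and the "UPX!" marker string). The two PE images it checks are constructed in memory, one shaped like a UPX-packed binary and one plain; the entropy threshold of 7.0 bits per byte and the section characteristics used for the samples are this example's own assumptions. Pointing it at a real compiled script (`python upx_check.py script.exe`) shows whether recompiling without UPX actually removed those traits.

```python
"""Added example: spot the UPX traits that make a compiled script look like a packed
trojan to AV heuristics. Not code from the thread or from AutoHotkey's compiler."""
import math
import random
import struct
import sys

SECTION_HEADER_SIZE = 40
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data):
    """Bits per byte: plain code/text sits around 2-6, packed or encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image):
    """Walk DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_hdr_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_hdr_size          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name, "virtual_size": vsize, "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
            "wx": bool(chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE),
        })
    return sections


def upx_indicators(image):
    """The cheap signals a packer heuristic keys on; thresholds are this example's choice."""
    sections = parse_sections(image)
    upx_names = sorted({s["name"] for s in sections} & {"UPX0", "UPX1", "UPX2"})
    # UPX0 is the in-memory unpack target: 0 bytes on disk, large, writable and executable
    empty_wx = any(s["raw_size"] == 0 and s["virtual_size"] > 0 and s["wx"] for s in sections)
    high_entropy = [s["name"] for s in sections if s["raw_size"] >= 256 and s["entropy"] > 7.0]
    magic = b"UPX!" in image                  # packheader marker UPX leaves in the stub
    return {
        "upx_section_names": upx_names,
        "empty_wx_section": empty_wx,
        "high_entropy_sections": high_entropy,
        "upx_magic": magic,
        "packed": bool(upx_names or magic or (empty_wx and high_entropy)),
        "sections": sections,
    }


def build_pe(sections):
    """Assemble a minimal PE image (no optional header, not runnable) for offline testing."""
    e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table_off = e_lfanew + 4 + len(coff)
    raw_off = table_off + SECTION_HEADER_SIZE * len(sections)
    headers, body = b"", b""
    for name, raw, vsize, chars in sections:
        headers += name.encode().ljust(8, b"\0")
        headers += struct.pack("<IIIIIIHHI", vsize, 0x1000, len(raw), raw_off + len(body),
                               0, 0, 0, 0, chars)
        body += raw
    return b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew) + b"PE\0\0" + coff + headers + body


# Constructed samples: a UPX-shaped stub and a plain binary with ordinary .text/.data.
_rng = random.Random(2007)
_compressed = bytes(_rng.getrandbits(8) for _ in range(4096)) + b"UPX!" + b"\0" * 28
PACKED_SAMPLE = build_pe([
    ("UPX0", b"", 0x8000, 0xE0000080),          # uninitialised, read/write/execute
    ("UPX1", _compressed, len(_compressed), 0xE0000040),
])
PLAIN_SAMPLE = build_pe([
    (".text", b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 512, 4096, 0x60000020),
    (".data", b"MOTNE & SNOTAM Translator\0" * 64, 1664, 0xC0000040),
])


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else PACKED_SAMPLE
    report = upx_indicators(image)
    for s in report["sections"]:
        print(f'{s["name"]:<8} raw={s["raw_size"]:>6} virt={s["virtual_size"]:>6} '
              f'entropy={s["entropy"]:.2f} W+X={s["wx"]}')
    print("UPX indicators:", {k: v for k, v in report.items() if k != "sections"})
```

None of these signals is proof of malice, which is exactly the problem the thread describes: a heuristic that fires on "UPX0 + high-entropy section + W+X memory" catches every honestly packed compiled script along with the trojans. If a binary you built trips it, the practical routes are to rebuild without the packer (so the UPX sections disappear), keep the plain-text source next to the build so you can re-produce the same executable, and submit the file to the vendor as a false positive.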

SKAN
  • Administrators
  • 9115 posts
  • Last active:
  • Joined: 26 Dec 2005

AutoIt3 has an option in the compression menu of its "Script to EXE Converter" app to disable UPX compression, which effectively avoids this situation albeit producing a larger executable file, but I see no such similar option in AutoHotkey 1.0.43.09's converter app.


Renaming UPX.EXE will disable compression. One may toggle between names like:

F2::
    ; Ahk2Exe only compresses when Compiler\UPX.EXE exists, so renaming the file
    ; to UPX.XXX turns compression off; pressing F2 again renames it back.
    IfExist, C:\Program Files\AutoHotkey\Compiler\UPX.EXE
        FileMove, C:\Program Files\AutoHotkey\Compiler\UPX.EXE, C:\Program Files\AutoHotkey\Compiler\UPX.XXX
    Else
        IfExist, C:\Program Files\AutoHotkey\Compiler\UPX.XXX
            FileMove, C:\Program Files\AutoHotkey\Compiler\UPX.XXX, C:\Program Files\AutoHotkey\Compiler\UPX.EXE
Return

:)

  • Guests
  • Last active:
  • Joined: --
Hello,

I had the same problem! Since last week, two of my AHK .exe files have been detected as "Autoit.AE"! I have been using those tools for six months and never had any warning!

I just changed, in the compile.ahk that I use, to a different filename as output. Since this change I have had no problems anymore.

For the second file this worked as well!

Can someone do a cross-check for me?

You can download the file at: http://www.flightprep.de/MOTNE.zip

Please try whether this file is detected as "Autoit.AE"! I am using Bitdefender Antivirus 10. I thought that it is just my antivirus program and its present virus signature!

In parallel I will write to the Bitdefender company to receive further information. I will keep you informed!


The program is a little tool for airline pilots to convert runway status.
Here is the code, so you can see that there is nothing dangerous in it:
; AutoHotkey v1 script. #NoEnv stops unset variables (such as E) from being read
; as environment variables.
#NoEnv
#SingleInstance Force

START:
table1= Runway deposit ( Table 1)`nNIL Clear and dry`n1. Damp                      5. Wet snow`n2. Wet or water patches 6. Slush`n3. Rime or frost covered  7. Ice`n(less than 1mm depth)    8. Compacted snow`n4. Dry snow                  9. Frozen ruts or ridges
table2= Measured braking coefficient or Estimated BA`n0.40 and above   Good                 5`n0.39 to 0.36       Medium / Good    4`n0.35 to 0.30       Medium              3`n0.29 to 0.26       Medium / Poor     2`n0.25 and below   Poor                  1`n9                      Unreliable           9
Gui, Font, S12 CDefault, Verdana
Gui, Add, Text, x16 y20 w370 h30 , Please enter MOTNE Code!
Gui, Add, Edit, x16 y70 w300 h30 vcode, 
Gui, Add, Button, x356 y60 w100 h40 vTranslate gButtons, Translate
Gui, Add, Text, x16 y130 w220 h30 , SNOTAM CODE
Gui, Add, Text, x16 y170 w90 h20 , A) EDDV
Gui, Add, Text, x16 y200 w240 h20 , B)02110630
Gui, Add, Text, x16 y230 w240 h20 , C) 09
Gui, Add, Text, x16 y260 w240 h20 , F) 46/46/46
Gui, Add, Text, x16 y290 w240 h20 , G) 02/02/02
Gui, Add, Text, x16 y320 w240 h20 , H) 54/45/42
Gui, Add, Text, x16 y350 w240 h20 , N) SLIPPERY
Gui, Add, Text, x16 y380 w270 h20 , T)BOTH RWYS DEICED`, SANDED
Gui, Add, Text, x16 y410 w240 h20 , R) SLIPPERY
Gui, Add, Text, x296 y170 w300 h20 , A 4 Ltr. ICAO Airport Locator
Gui, Add, Text, x296 y200 w300 h20 , B Day – Month - Time
Gui, Add, Text, x296 y230 w300 h20 , C RWY Designator
Gui, Add, Text, x296 y260 w300 h20 , F Type of Deposit ( Table 1)
Gui, Add, Text, x296 y290 w300 h20 , G Main Depth (mm)
Gui, Add, Text, x296 y320 w300 h20 , H Braking Condition
Gui, Add, Text, x296 y350 w300 h20 , N Deposit on TWY (Coding like „F“)
Gui, Add, Text, x296 y380 w300 h20 , T Plain language remarks
Gui, Add, Text, x296 y410 w300 h20 , R Apron (Coding like „F“)
Gui, Font, S10 CDefault, Verdana
Gui, Add, Edit, x496 y30 w480 h110 vResult ,
Gui, Add, Edit, x626 y170 w360 h140 , %table1%
Gui, Add, Edit, x626 y320 w360 h130 , %table2%
Gui, Add, Text, x16 y450 w1000 h50 , J.Heuer <www.flightprep.de> © 2007`nThe author is not responsible for any consequences resulting from the use of this program !!! Licence see www.flightprep.de !
Gui, Show, x7 y142 h500 w1009, MOTNE & SNOTAM Translator v.1.0
Return

; Button handler; Translate is the only control that uses gButtons
Buttons:
If (A_GuiControl <> "Translate")
    Return
Gui, Submit, NoHide
; Split the 8-character MOTNE group into its fields: DD E C ee BB
StringMid, DD, code, 1, 2    ; runway designator
StringMid, E, code, 3, 1     ; type of deposit (Table 1)
StringMid, C, code, 4, 1     ; extent of contamination
StringMid, ee, code, 5, 2    ; depth of deposit
StringMid, BB, code, 7, 2    ; braking action (Table 2)

; Runway: 88 = all runways, 99 = report not updated, 51-86 = right runway of a
; parallel pair (value minus 50), otherwise left/single runway; 00 is read as 36
If (DD > 87)
{
    If (DD = 88)
        RWY = all RWYs
    If (DD = 99)
        RWY = Report not updated
}
Else If (DD > 50)
{
    DD -= 50
    If (DD = 0)
        DD = 36
    If (DD < 10)
        RWY = 0%DD%R
    Else
        RWY = %DD%R
}
Else
{
    If (DD = 0)
        DD = 36
    RWY = %DD%(L)
}

; Type of deposit, following Table 1 shown in the window ("/" = not reported)
If E = 0
    Deposit = clear & dry
If E = 1
    Deposit = Damp
If E = 2
    Deposit = Wet or Water patches
If E = 3
    Deposit = Rime or Frost
If E = 4
    Deposit = Dry snow
If E = 5
    Deposit = Wet snow
If E = 6
    Deposit = Slush
If E = 7
    Deposit = Ice
If E = 8
    Deposit = Compacted or rolled Snow
If E = 9
    Deposit = Frozen ruts or ridges
If E = /
    Deposit = not reported

; Extent of contamination
If C = 1
    Contamination := "< 10%"
If C = 2
    Contamination := "10 - 25%"
If C = 5
    Contamination := "25 - 50%"
If C = 9
    Contamination := "51 - 100%"

; Depth: 00-90 in mm, 92-98 in 5 cm steps, 99 = runway closed, // = not significant
If ee < 91
    Depth = %ee% mm
If ee = 92
    Depth = 10 cm
If ee = 93
    Depth = 15 cm
If ee = 94
    Depth = 20 cm
If ee = 95
    Depth = 25 cm
If ee = 96
    Depth = 30 cm
If ee = 97
    Depth = 35 cm
If ee = 98
    Depth = 40 cm
If ee = 99
    Depth = RWY clsd
If ee = //
    Depth = not significant

; Braking action. 00-69 is a measured coefficient (0.xx); the bands follow Table 2
; (0.40+ good, 0.36-0.39 med/good, 0.30-0.35 medium, 0.26-0.29 med/poor, <=0.25 poor).
; 91-95 are estimated values, 99 unreliable, // not operational.
If (BB < 70)
{
    If (BB >= 40)
        BrakingAction = %BB% good
    Else If (BB >= 36)
        BrakingAction = %BB% med. - good
    Else If (BB >= 30)
        BrakingAction = %BB% medium
    Else If (BB >= 26)
        BrakingAction = %BB% med. - poor
    Else
        BrakingAction = %BB% poor
}
If BB = 95
    BrakingAction = good ( >0,4)
If BB = 94
    BrakingAction = med. - good (0,39 - 0,36)
If BB = 93
    BrakingAction = medium (0,35 - 0,30)
If BB = 92
    BrakingAction = med. - poor (0,29 - 0,26)
If BB = 91
    BrakingAction = poor ( < 0,25)
If BB = 99
    BrakingAction = unreliable
If BB = //
    BrakingAction = Rwy not operational

output = Rwy: %RWY%`nDeposit:%Deposit%`nContamin.:%Contamination%`nDepth:%Depth%`nBrak.Action:%BrakingAction%

; Whole-group special values override the field-by-field decoding
If code contains //99//
    output = Rwy clearance in progress
If code contains //////
    output = Airport closed
If code contains CLRD//
    output = all RWYs OK

GuiControl,, Result, Your MOTNE CODE means:`n%output%
Return

GuiClose:
ExitApp


Thanks!

Regards, Jan