Compiled AutoHotkey scripts detected as virus by AVG

SecurityAnalysis · **Posted:** January 14th, 2008, 11:41 pm

AVG found two viruses:

Code:

Object:
C:\RECYCLERS\S-1-5-21-1343024091-725345543-839522115-500\Dc396.exe
Infected:
Virus identified Worm/Autoit.LM
Deleted

Object:
C:\RECYCLERS\S-1-5-21-1343024091-725345543-839522115-500\Dc402.exe
Infected:
Virus identified Worm/Autoit.LM
Deleted

Are they real viruses or false positives? If they are real, is there any way I can find out what they do? Is there any risk that information has been stolen from my computer, like login details or credit card numbers?

Conquer · **Posted:** January 15th, 2008, 12:21 am

This is a FAQ. Search the forum before posting.

ManaUser · **Joined:** May 24th, 2007, 3:45 am **Posts:** 1121

Conquer wrote:

This is a FAQ.

No it isn't. This is only the second time someone has asked about that particular "virus". It does look like it's been pretty well settled as a false positive though:
http://www.autohotkey.com/forum/viewtopic.php?t=27423

neXt · **Joined:** March 19th, 2007, 12:43 am **Posts:** 532

NLI-Conquer · **Posted:** January 16th, 2008, 1:20 am

Aw snap ma boi neXt has got my back..

I meant viruses are a FAQ, ManaUser. Obviously I didn't mean that "Worm/Autoit.LM"s are.

WrongSectionAlert · **Posted:** January 16th, 2008, 1:28 am

--> General Chat :roll:

Moderator!: Moved.

trik · **Joined:** July 15th, 2007, 1:43 am **Posts:** 1320

Whomever is the WrongSectionAlert guest, needs to stop. We all know what section topics belong in. If it needs to be moved, a mod will find and move it. As for this topic, it will do in either the General Chat or Ask For Help forums. The reason being:

Quote:

ManaUser · **Joined:** May 24th, 2007, 3:45 am **Posts:** 1121

NLI-Conquer wrote:

I meant viruses are a FAQ, ManaUser. Obviously I didn't mean that "Worm/Autoit.LM"s are.

It's been said before but I'll say it again. It would be dangerous to assume all AutoHotkey related virus alerts are false positives. There have been viruses written in AutoHotkey before and it's also possible there could be copies of AutoHotkey infected with some other virus floating around out there.

So even though a continuous series of "Is this a real virus?" "Is this a real virus?" posts might be annoying, it's better than jumping to the conclusion that none of them are real. Besides, it doesn't make up a significant volume of posts anyway.

WrongSectionAlert · **Posted:** January 16th, 2008, 2:30 am

Quote:

If it needs to be moved, a mod will find and move it

Indeed. As our moderators are smart enough to qualify a thread, it's up to them to decide. Once they find'm within a flood of threads. And for that one and only reason the WSA has been created. So, lets wait for a Moderator.
If this thread will 'survive' at its current position, fine - if not, it'll be fine too. Nothing personal.

'WrongSectionAlert' means not necessarily that it's completely wrong within its current area, but it could make more sense to be dropped at another section.

Your/this thread isn't about that ...
a) you need help with AHK Code to analize a virus/write a virus.
b) a request within an anti virus forum to discuss that topic in detail
... so what?

Quote:

It has to do with AutoHotkey, and this person needs help with it.

My PC dropped from my desk. Now I can't code any AHK scripts. Would this issue qualify my request for AHKs 'Ask for Help'? I guess no.

Quote:

Most of these topics related to viruses in AutoHotkey are posted in the General Chat

Guess why? a)+b)? Correct!

BoBo¨ · **Posted:** January 16th, 2008, 2:53 am

Quote:

So even though a continuous series of "Is this a real virus?" "Is this a real virus?" posts might be annoying, it's better than jumping to the conclusion that none of them are real. Besides, it doesn't make up a significant volume of posts anyway.

If 9 out of 10 are false alarms, it won't make sense to act this way.

Do you think to promote again & again & again something similar like - "AHK is a virus" - will be of any benefit for the community or AHKs reputation outside of this forum? I don't think so.

Ignorants will ignore your warning anyway. And those who are aware of the risk won't need that information that 'special' way.

trik · **Joined:** July 15th, 2007, 1:43 am **Posts:** 1320

WrongSectionAlert wrote:

My PC dropped from my desk. Now I can't code any AHK scripts. Would this issue qualify my request for AHKs 'Ask for Help'? I guess no.

Actually..You can post in the Ask For Help forum about that, because you dropping your computer may not be the problem for your computer not running AutoHotkey scripts.

Edit:

When searching for the following terms:

AutoHotkey Virus, 27 matches were found in the Ask For Help forum where as only 7 were found in the General Chat forum.

Lexikos · **Posted:** January 16th, 2008, 6:19 am

A google for "AutoIt.LM" turns up:

DonationCoder.com: AltTab Fingertips v1.3 - 14 Jan 08

Ampa wrote:

I compiled your script on my own machine, with the latest version of AHK, and AVG now likes the EXE!

HAVA :: free program: automatically schedule recordings (and OTR)

Jamey wrote:

My best guess at this point is that - in fact - ALL EXE's compiled using the last version of the AutoHotKey scripting engine (which is what I had used to compile before) just began being flagged by AVG scans in the last couple days (or thereabouts) -- I mean to say, it has nothing to do with my own script or my own computer -- And the very latest version of AHK (version 1.0.47.05) does not generate any complaints from AVG.

I can confirm that my scripts compiled with v1.0.47.04 were being flagged as viruses, but not after re-compiling them with v1.0.47.05. I guess 05 has a different signature. (Still, these apparent false positives are a pain...)

ManaUser · **Joined:** May 24th, 2007, 3:45 am **Posts:** 1121

I guess it's not critical since it only effects an outdated version, but Has anyone reported this to AVG? I can if nobody else wants to, but I don't have that version of AutoHotkey installed at the moment and they want a sample sent in.

Here's a page on how to report false positives in AVG (free version, which I assume we're talking about.)
http://forum.grisoft.cz/freeforum/read. ... kpage=,sv=

BoBo¨ · **Posted:** January 16th, 2008, 12:17 pm

Quote:

I can if nobody else wants to, but I don't have that version of AutoHotkey installed at the moment and they want a sample sent in.

[Archive]

[AutoHotkey_1.0.45.04.exe]

ManaUser · **Joined:** May 24th, 2007, 3:45 am **Posts:** 1121

Thanks. But I downloaded that and compiled a script with it, but AVG didn't detect anything amiss.

Can someone who noticed this problem before please update their virus definitions and see if it's still happening?

AutoHotkey Community

Compiled AutoHotkey scripts detected as virus by AVG

Who is online