AutoHotkey Community Let's help each other out
adamisageek
Joined: 05 Mar 2007 Posts: 20 Location: Erie, PA
Posted: Wed Mar 26, 2008 7:01 am Post subject: Viruses found in executable after compile |
this is totally weird...
i created an executable ("ShowConsole.exe") by compiling a script i wrote in autohotkey. i've used the executable many many times with no problems. today, i made one single change to the script and it still runs fine run by itself. the change was literally just changing a regular hotkey like this:
r::HotkeyFunction()
to require the Win key along with it like this:
#r::HotkeyFunction()
so i proceeded to recompile the new script into a new executable. when i did so, Autohotkey gave me an "Unable to create compiled archive" error and the new executable was flagged by AVG immediately with "Trojan horse SHeur.AVHE":
i then uploaded the file to VirusTotal.com's online virus check and got these results:
Antivirus   Version     Last Update   Result
AVG         7.5.0.516   2008.03.22    SHeur.AVHE
eSafe       7.0.15.0    2008.03.18    suspicious Trojan/Worm
Ikarus      T3.1.1.20   2008.03.23    Trojan-Spy.Win32.Agent.bbg
NOD32v2     2967        2008.03.21    archive damaged
Panda       9.0.0.4     2008.03.23    Suspicious file
Prevx1      V2          2008.03.23    Infostealer
see the full report here:
http://www.virustotal.com/analisis/bf6458e238f777fd50c4395b2d9238ac
so for gits and shiggles i did the same thing with the previous executable and got this:
Antivirus     Version     Last Update   Result
eSafe         7.0.15.0    2008.03.18    suspicious Trojan/Worm
NOD32v2       2973        2008.03.26    archive damaged
Panda         9.0.0.4     2008.03.25    Suspicious file
Prevx1        V2          2008.03.26    Trojan.Dropper
VirusBuster   4.3.26:9    2008.03.25    Worm.AutoRun.BY
and that report can be found here:
http://www.virustotal.com/analisis/2019e344a3b9de5a5f1a7827386e5a83
i've seen some different posts here on the forums dealing with viruses found in compiled scripts, but none that matched my problem.
someone please tell me what's going on here cuz i use AHK everyday for work and home use, and i'd hate to have to start being wary of virus infected AHK compiled executables.
Lexikos
Joined: 17 Oct 2006 Posts: 2364 Location: Australia, Qld
Posted: Wed Mar 26, 2008 8:23 am Post subject: |
(This has been covered in at least one of the other "compiled script virus" threads...)
While there is a possibility that something else on your system is infecting the compiled scripts, false positives are not uncommon. If you aren't using the latest version of AutoHotkey, try upgrading. If you are, try downloading an older version from the archives. If it is a false positive, usually you may avoid it by using a different version of AutoHotkeySC.bin (the base for compiled scripts) which would have a different signature.
If your AutoHotkeySC.bin file is infected, all of your compiled scripts will also be infected.
I am using AutoHotkey v1.0.47.06 and AVG Free Edition with virus definitions downloaded this morning, and it is not picking up my compiled scripts.
adamisageek
Joined: 05 Mar 2007 Posts: 20 Location: Erie, PA
Posted: Wed Mar 26, 2008 2:46 pm Post subject: |
i see...
can you (or anyone else) do me a favor and compile my script on your machine and tell me if anything comes up after an AVG scan?
you can open the .ahk script for yourself to see there aren't any harmful things in the code.
/*
Author: Adam Wright - www.adamisageek.com
Title: ShowConsole
Description:
Shows/hides console by using the tilde key.
Meant to be used with Console program and config file edited to resemble the Quake console, found in the same directory of this script.
At this point, there's no way to exit the program except for right clicking the tray icon and clicking Exit.
The same goes for the console.exe program; to exit both the user will need to manually exit both programs.
*/
;This uses the Win key + the tilde key as the console activator, change as desired
;Ex. "c::PrevTitle := ShowConsole(PrevTitle)" would use the "c" key to show/hide the console.
;go to http://www.autohotkey.com/docs/KeyList.htm for key name info
#`::PrevTitle := ShowConsole(PrevTitle)

;Toggles the console window. PrevTitle is the window that was active before the
;console was shown, so focus can be handed back to it when the console is hidden.
ShowConsole(PrevTitle)
{
    WinGetActiveTitle, temptitle
    ;Only remember the active window if it isn't the console itself
    ;(third InStr parameter false = case-insensitive match)
    if !InStr(temptitle, "dropdownconsole", false)
    {
        if (temptitle = "") ;this is in case the tilde is pressed while the taskbar has focus, there is no title so it needs to be manually set to the taskbar's ahk_class to regain focus when the console is brought down
            PrevTitle := "ahk_class Shell_TrayWnd"
        else
            PrevTitle := temptitle
    }
    DetectHiddenWindows, on
    IfWinExist, ahk_class Console Main Command Window
    {
        IfWinActive, ahk_class Console Main Command Window
        {
            ;console is up: hide it and return focus to the previous window
            WinActivate, %PrevTitle%
            WinHide, ahk_class Console Main Command Window
            Menu, TRAY, icon, quakeconsole_green.ico
        }
        else
        {
            ;console exists but is hidden or unfocused: show and focus it
            WinShow, ahk_class Console Main Command Window
            WinActivate, ahk_class Console Main Command Window
            Menu, TRAY, icon, quakeconsole_black.ico
        }
    }
    else
    {
        ;no console window yet: launch console.exe from the script's directory
        Run, "console.exe"
    }
    DetectHiddenWindows, off
    return PrevTitle
}
basically, this script is used in conjunction with a console program that runs "Quake 2-style" console whenever you press Win+tilde. the script obviously won't work for most after compiling, since you probably won't have the Console.exe program on your computer. but it should still compile, then you can run an AVG scan and let me know the results.
let me know if anything goes wrong with the compile.
meanwhile, i'll see if my home computer doesn't have the newest release of AHK (i know my work computer does).
_________________
My AutoHotKey.com username has changed to GeekyAdam
haichen
Joined: 05 Feb 2007 Posts: 97 Location: Osnabrück, Germany
Posted: Wed Mar 26, 2008 5:51 pm Post subject: |
Your script compiled at my PC, at Virustotal:
Avast           4.7.1098.0   2008.03.26   -
AVG             7.5.0.516    2008.03.26   -
CAT-QuickHeal   9.50         2008.03.26   TrojanSpy.Agent.bve
ClamAV          0.92.1       2008.03.26   -
Ikarus          T3.1.1.20    2008.03.26   Trojan-Spy.Win32.Agent.bqt
NOD32v2         2974         2008.03.26   archive damaged
Panda           9.0.0.4      2008.03.25   Suspicious file
Prevx1          V2           2008.03.26   Generic.Malware
TheHacker       6.2.92.255   2008.03.26   Trojan/Spy.Agent.btl
VBA32           3.12.6.3     2008.03.25   Trojan-Spy.Win32.Agent.bqt
I have clamwin and avast at my PC and your compiled script is tested negative.
An empty compiled ahk script also gives 8 positives with virustotal.
I also tried a compiled empty script without upx:
NOD32v2   2975       2008.03.26   archive damaged
VBA32     3.12.6.3   2008.03.25   Trojan-Spy.Win32.Agent.bqt
And the same goes for your script without upx.
And here the results for upx.exe itself:
eSafe     7.0.15.0   2008.03.18   suspicious Trojan/Worm
Panda     9.0.0.4    2008.03.25   Suspicious file
My conclusion is that virus scanners have a problem with upx.
But I think this isn't new.
And here some more results from Virustotal:
AutohotkeySC.bin alone has only one positive in Virustotal:
VBA32     3.12.6.3   2008.03.25   Trojan-Spy.Win32.Agent.bqt
One of my own freshly compiled scripts is shown as follows:
eSafe     7.0.15.0    2008.03.18   suspicious Trojan/Worm
Ikarus    T3.1.1.20   2008.03.26   Trojan-Spy.Win32.Agent.bqt
NOD32v2   2975        2008.03.26   archive damaged
Prevx1    V2          2008.03.26   Generic.Malware
VBA32     3.12.6.3    2008.03.25   Trojan-Spy.Win32.Agent.bqt
this is the result for ahk2exe:
eSafe     7.0.15.0    2008.03.18   suspicious Trojan/Worm
Ikarus    T3.1.1.20   2008.03.26   Win32.SuspectCrc
and for autohotkey.exe:
eSafe     7.0.15.0    2008.03.18   suspicious Trojan/Worm
Panda     9.0.0.4     2008.03.25   Suspicious file
adamisageek
Joined: 05 Mar 2007 Posts: 20 Location: Erie, PA
Posted: Wed Mar 26, 2008 6:02 pm Post subject: |
wow, that was exactly the info i was looking for, thanks much for going out of your way to put that in detail for all of us!
(if a mod notices a lot of posts about supposed virus scans after compile, you might want to sticky this thread, its very informative)
i guess my next step is getting around AVG scanning it as a virus. i didn't check if i have the newest AHK release yet at home (at work now), so i'll do that when i get home.
also,
Lexikos wrote:
> If it is a false positive, usually you may avoid it by using a different version of AutoHotkeySC.bin (the base for compiled scripts) which would have a different signature.
if need be, how would i go about using a different version of AutoHotkeySC.bin? i have no idea what the file is or what it's used for.
lastly, can someone post a link to where i can learn more about "upx" and what it is? i have no idea what it is at this point.
Lexikos
Joined: 17 Oct 2006 Posts: 2364 Location: Australia, Qld
Posted: Wed Mar 26, 2008 10:12 pm Post subject: |
As I said, AutoHotkeySC.bin is the base for all compiled scripts. It is basically a slightly scaled-down version of AutoHotkey.exe which Ahk2Exe appends the actual (encrypted and compressed) script to.
Each version of AutoHotkey has a different version of AutoHotkeySC.bin. (It can be found in the same directory as Ahk2Exe.) Either get a different version from the archive as mentioned, or download the AutoHotkey source and compile AutoHotkeySC.bin yourself.
http://upx.sourceforge.net/
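One way to check the two things this thread turns on (haichen's finding that the scanners are really objecting to UPX packing, and Lexikos's note that Ahk2Exe appends the script to the AutoHotkeySC.bin image) is to read the PE section table: UPX leaves sections named UPX0/UPX1, and anything past the last section's raw data is the appended overlay. This is an added example in Python, not code from the thread or from AutoHotkey; build_fake_pe constructs a minimal header so it runs offline without a real binary.

```python
import struct

COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40

def pe_sections(data: bytes) -> list:
    """Return (name, raw_offset, raw_size) for each section header of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HEADER_SIZE + opt_size
    sections = []
    for i in range(num_sections):
        hdr = table + i * SECTION_HEADER_SIZE
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", data, hdr + 16)
        sections.append((name, raw_off, raw_size))
    return sections

def looks_upx_packed(data: bytes) -> bool:
    """UPX names its sections UPX0/UPX1/...; that alone trips many AV heuristics."""
    return any(name.upper().startswith("UPX") for name, _, _ in pe_sections(data))

def overlay_size(data: bytes) -> int:
    """Bytes appended after the last section's raw data (where Ahk2Exe stores the script)."""
    end = max((off + size for _, off, size in pe_sections(data)), default=0)
    return max(len(data) - end, 0)

def build_fake_pe(section_names, overlay=b"") -> bytes:
    """Constructed minimal PE header for offline testing; it is not an executable."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    opt_size = 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    body = pe_off + 4 + COFF_HEADER_SIZE + opt_size + SECTION_HEADER_SIZE * len(section_names)
    table = b""
    for i, n in enumerate(section_names):
        # each fake section owns 16 raw bytes laid out back to back after the headers
        table += n.encode().ljust(8, b"\0") + struct.pack("<IIII", 16, 0, 16, body + 16 * i) + b"\0" * 16
    raw = b"\0" * (16 * len(section_names))
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + raw + overlay

if __name__ == "__main__":
    sample = build_fake_pe(["UPX0", "UPX1", ".rsrc"], overlay=b"<compressed script>")
    print("UPX packed:", looks_upx_packed(sample), "overlay bytes:", overlay_size(sample))
```

On a real compiled script, read the file with open(path, "rb").read() and pass the bytes to looks_upx_packed and overlay_size; a packed file with a non-zero overlay is exactly the shape that draws the generic "Suspicious file" verdicts listed above.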
adamisageek
Joined: 05 Mar 2007 Posts: 20 Location: Erie, PA
Posted: Thu Mar 27, 2008 3:22 am Post subject: |
you guys were totally right; i was still using AHK version 1.0.47.05. after upgrading to version 1.0.47.06, the script compiled perfectly with no AVG errors!
thanks for all your help! AHK and the AHK Community rox!
_________________
My AutoHotKey.com username has changed to GeekyAdam
Powered by phpBB © 2001, 2005 phpBB Group