trojan in autohotkey installer?

Posted: 13 Feb 2016, 14:37
by gallaxhar
Today (2/13/2016) Windows Defender found the varpes.m!plock trojan in AutoHotkey .exe files.
I'm guessing it's a false positive, but I want to make sure other people with Windows Defender are getting this too, and that some trojan didn't inject into my AHK install.
[screenshots]

Re: trojan in autohotkey installer?

Posted: 13 Feb 2016, 19:25
by Pulover
Got the same warning on the 1.1.23.00 installer.

Re: trojan in autohotkey installer?

Posted: 14 Feb 2016, 11:49
by Thomas69
Same problem here.

I really wonder if it is just a false alarm or if the installation file got infected somehow.

Re: trojan in autohotkey installer?

Posted: 14 Feb 2016, 13:54
by Thomas69
Or maybe...maybe there are some trojans based on autohotkey and it is really a false positive.

Re: trojan in autohotkey installer?

Posted: 14 Feb 2016, 14:50
by Peter2
Current check of AutoHotkey112301.zip on Virustotal.com shows 0 alerts:
https://www.virustotal.com/de/file/f606 ... 455479320/

Re: trojan in autohotkey installer?

Posted: 14 Feb 2016, 15:07
by Pronto
I have the Ahk2Exe compiler installed, and curiously enough, the very same trojan was reported by MS Security Essentials (virus db version 1.213.6205.0) in ANSI 32-bit.bin, AutoHotkeySC.bin and Unicode 32-bit.bin, but not in the generated executable file. :crazy:
It must be a false positive.

Re: trojan in autohotkey installer?

Posted: 15 Feb 2016, 05:33
by lexikos
When these (suspected) false positives occur, it would be helpful if users were to submit the files in question to their antivirus vendor for analysis. The following page has an extensive list of details for submitting false positives to various antivirus vendors:
http://www.techsupportalert.com/content ... endors.htm

Re: trojan in autohotkey installer?

Posted: 16 Feb 2016, 09:32
by JoeWinograd
I just ran AutoHotkey112301_Install.exe through VirusTotal (although it had already been analyzed a few hours ago) and it reports 7 detections out of 54:
https://www.virustotal.com/en/file/a043 ... 455631818/

"McAfee" is one of the detections, but "Microsoft" isn't. However, I don't know what VT means by "Microsoft", as my MSE scan does show the detection:

[screenshot]

It's interesting that Peter2's run of AutoHotkey112301.zip through VT showed 0 detections, while my run of AutoHotkey112301_Install.exe through VT showed 7. Regards, Joe

Re: trojan in autohotkey installer?

Posted: 16 Feb 2016, 21:30
by lexikos
It is interesting that both "infections" were given the name "Win32/Varpes.M!plock". I suspect they are actually unrelated.

The installer is a 7-zip self-extractor; specifically "7zS2.sfx", iirc. I compiled it with TinyCC, making it maybe 30-40KB smaller than compiling with VS. The source code contains a couple of minor customisations for error handling and launching "AutoHotkeyU32.exe Installer.ahk" instead of setup.exe. (I left setup.exe because it's easier to instruct users to click on, and doesn't seem to take any extra space due to compression of redundant data.)

I uploaded the base executable produced by TinyCC to VT yesterday, and iirc it got 7 detections. This is without any AutoHotkey data, and no code in common with AutoHotkey.exe.

I could change compilers again to try to evade the false positives, but it isn't a solution let alone a permanent one, and I'm against the idea on principle.

Re: trojan in autohotkey installer?

Posted: 18 Feb 2016, 17:15
by gwarble
Since "releasing" EitherMouse years ago, most of my false positive reports from users have been Avast, some Kalypso, but today was the first time someone reported a Microsoft false positive...

1.1.23.1, same Varpes.M detected

I always instruct users to report it (but doubt they do), and I have done so myself a few times over the years.

Re: trojan in autohotkey installer?

Posted: 25 Feb 2016, 14:48
by LorenAmelang
Apparently writing a new downloaded zip to my Installers folder triggered a Defender scan of the whole folder, that suddenly decided an AutoHotkey install file from over a month ago was malware. Definitions have not been updated since Feb 12 - why now?

-----
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Recommended action: Remove this software immediately.
Items:
file:C:\Users\loren\Installers X\AutoHotkey112300_Install.exe
Get more information about this item online.
Win32/Pocyx.B!plock
-----

Wonder why I got "Pocyx" instead of "Varpes"...

Despite the dialog text saying I need to delete it, the file is already deleted.

It was here before:
Directory of D:\Surface Book Image\Installers X
01/16/2016 10:59 AM 3,092,112 AUTOHO~1.EXE AutoHotkey112300_Install.exe

Gone now, definitely not hidden or system... Thankfully it is not attacking the actual program or scripts!

Re: trojan in autohotkey installer?

Posted: 25 Feb 2016, 18:09
by JoeWinograd
Hi Loren,
I just got the same here on a W10 Pro 64-bit system:

[screenshot]

Regards, Joe

Re: trojan in autohotkey installer?

Posted: 28 Feb 2016, 20:55
by rgal7
Just yesterday my W10 Pro started to throw up a lot of Parite.B reports. Happened again today:
[screenshot]

And I reported AU3_Spy.exe online as a false positive at https://www.microsoft.com/en-us/securit ... ubmit.aspx

which resulted in:
[screenshot]

Hope that helps someone.

Re: trojan in autohotkey installer?

Posted: 28 Feb 2016, 23:47
by joedf
Thanks for the help with the false positive report. :) AHK has had many problems with AV software over the years. :(

Re: trojan in autohotkey installer?

Posted: 29 Feb 2016, 01:09
by lexikos
"This program is dangerous and replicates by infecting other files" very strongly indicates that you may have a virus, which has coincidentally infected the AutoHotkey files. Were all of the detections AutoHotkey.exe/compiled scripts?

Re: trojan in autohotkey installer?

Posted: 29 Feb 2016, 16:14
by joedf
lexikos wrote:"This program is dangerous and replicates by infecting other files" very strongly indicates that you may have a virus, which has coincidentally infected the AutoHotkey files. Were all of the detections AutoHotkey.exe/compiled scripts?
ahhhh :facepalm: :crazy: :( ... I don't even know anymore.... :cry:

Re: trojan in autohotkey installer?

Posted: 02 Mar 2016, 09:55
by guest3456
lexikos wrote:Were all of the detections AutoHotkey.exe/compiled scripts?
I only distribute compiled scripts, and all of my users that were complaining about Windows Defender detections were on Win10. I'm guessing the matching heuristics are different on Win10.

That said, my webhost also complained and took my site offline, saying I was spreading malware. :evil:

Re: trojan in autohotkey installer?

Posted: 21 Apr 2016, 14:46
by JoeWinograd
I don't know if anything was done in 1.1.23.05 to address this issue specifically, but, fwiw, I just did a scan of AutoHotkey112305_Install.exe with Windows Defender in W10/64-bit (Windows 10 Pro Insider Preview, Version 1511, Build 14279.1000) and it came up clean:
Scan completed on 399 items. No threats were detected on your PC during this scan.
Regards, Joe

Re: trojan in autohotkey installer?

Posted: 21 Apr 2016, 15:14
by joedf
Please post the file hashes :)

Re: trojan in autohotkey installer?

Posted: 21 Apr 2016, 15:40
by JoeWinograd
CRC32(SFV): 9F3A54AB
MD5: 74FDBAF763D4B30C87DBE566C257095B
SHA1: B5528EAE1B59C37F20A8BF6D4D72ABEE7A4D4F48
SHA256: 849626ED9888C5F3CC1B10C960B4D40BC5C4C499E9D7F9DD1CEB90B32EF622F3
SHA512: F287973800F679A04090E90DCA9A3060D58B120ED1B8A96F626A693FB0E91E00F9F78E5EFFD955BD7F259BC1A7FD049F21FBC1326FEDC972854054286E03C384
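One way to use the checksums above, as an added example that is not from the thread: a Python script that computes all five values for a downloaded file and requires every one of them to match before the installer is treated as the same file that scanned clean. The file path is a command-line argument; nothing else is assumed.

```python
import hashlib
import hmac
import sys
import zlib

# Checksums published in the post above for AutoHotkey112305_Install.exe.
PUBLISHED = {
    "crc32": "9F3A54AB",
    "md5": "74FDBAF763D4B30C87DBE566C257095B",
    "sha1": "B5528EAE1B59C37F20A8BF6D4D72ABEE7A4D4F48",
    "sha256": "849626ED9888C5F3CC1B10C960B4D40BC5C4C499E9D7F9DD1CEB90B32EF622F3",
    "sha512": "F287973800F679A04090E90DCA9A3060D58B120ED1B8A96F626A693FB0E91E00F9F78E5EFFD955BD7F259BC1A7FD049F21FBC1326FEDC972854054286E03C384",
}

def digest_file(path, chunk_size=1 << 20):
    """Compute the five checksums the thread lists, streaming the file in
    chunks so a multi-megabyte installer is never read into memory at once."""
    hashers = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256", "sha512")}
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
            for h in hashers.values():
                h.update(chunk)
    result = {n: h.hexdigest().upper() for n, h in hashers.items()}
    result["crc32"] = format(crc & 0xFFFFFFFF, "08X")  # SFV style: 8 hex digits
    return result

def verify(actual, expected):
    """Per-algorithm match for every algorithm present in both dicts.
    Hex case is ignored; compare_digest keeps the comparison constant-time."""
    return {n: hmac.compare_digest(actual[n].upper(), v.upper())
            for n, v in expected.items() if n in actual}

def check_installer(path, expected=PUBLISHED):
    """Return (all_match, per_algorithm_results). A partial match is a failure:
    CRC32 is not collision-resistant and MD5 is broken, so every published
    hash must agree (and at least one must be comparable) before trusting it."""
    results = verify(digest_file(path), expected)
    return bool(results) and all(results.values()), results

if __name__ == "__main__":
    ok, details = check_installer(sys.argv[1])  # path to the downloaded installer
    for n, matched in sorted(details.items()):
        print(f"{n:7s} {'OK' if matched else 'MISMATCH'}")
    print("verified" if ok else "DO NOT TRUST: checksum mismatch")
```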