Today (2/13/2016) Windows Defender found the Varpes.M!plock trojan in AutoHotkey .exe files.
I'm guessing it's a false positive, but I want to make sure other people with Windows Defender are getting this too, and that some trojan didn't inject itself into my AHK install.
trojan in autohotkey installer?
Re: trojan in autohotkey installer?
Got the same warning on the 1.1.23.00 installer.
Rodolfo U. Batista
Pulover's Macro Creator - Automation Tool (Recorder & Script Writer)
Re: trojan in autohotkey installer?
Same problem here.
I really wonder if it is just a false alarm or if the installation file got infected somehow.
Re: trojan in autohotkey installer?
Or maybe...maybe there are some trojans based on autohotkey and it is really a false positive.
Re: trojan in autohotkey installer?
Current check of AutoHotkey112301.zip on Virustotal.com shows 0 alerts:
https://www.virustotal.com/de/file/f606 ... 455479320/
Peter (AHK Beginner) / Win 10 x64, AHK Version v1.1.33
Re: trojan in autohotkey installer?
I have the Ahk2Exe compiler installed, and curiously enough, the very same trojan was reported by MS Security Essentials (virus db version 1.213.6205.0) in ANSI 32-bit.bin, AutoHotkeySC.bin and Unicode 32-bit.bin, but not in the generated executable file.
It must be a false positive.
Re: trojan in autohotkey installer?
When these (suspected) false positives occur, it would be helpful if users were to submit the files in question to their antivirus vendor for analysis. The following page has an extensive list of details for submitting false positives to various antivirus vendors:
http://www.techsupportalert.com/content ... endors.htm
- JoeWinograd
- Posts: 2182
- Joined: 10 Feb 2014, 20:00
- Location: U.S. Central Time Zone
Re: trojan in autohotkey installer?
I just ran AutoHotkey112301_Install.exe through VirusTotal (although it had already been analyzed a few hours ago) and it reports 7 detections out of 54:
https://www.virustotal.com/en/file/a043 ... 455631818/
"McAfee" is one of the detections, but "Microsoft" isn't. However, I don't know what VT means by "Microsoft", as my MSE scan does show the detection:
It's interesting that Peter2's run of AutoHotkey112301.zip through VT showed 0 detections, while my run of AutoHotkey112301_Install.exe through VT showed 7. Regards, Joe
Re: trojan in autohotkey installer?
It is interesting that both "infections" were given the name "Win32/Varpes.M!plock". I suspect they are actually unrelated.
The installer is a 7-zip self-extractor; specifically "7zS2.sfx", iirc. I compiled it with TinyCC, making it maybe 30-40KB smaller than compiling with VS. The source code contains a couple of minor customisations for error handling and launching "AutoHotkeyU32.exe Installer.ahk" instead of setup.exe. (I left setup.exe because it's easier to instruct users to click on, and doesn't seem to take any extra space due to compression of redundant data.)
I uploaded the base executable produced by TinyCC to VT yesterday, and iirc it got 7 detections. This is without any AutoHotkey data, and no code in common with AutoHotkey.exe.
I could change compilers again to try to evade the false positives, but it isn't a solution let alone a permanent one, and I'm against the idea on principle.
Re: trojan in autohotkey installer?
Since "releasing" EitherMouse years ago, most of my false positive reports from users have been Avast, some Kalypso, but today was the first someone reported a Microsoft false positive...
1.1.23.1, same Varpes.M detected
I always instruct users to report it (but doubt they do), and I have done so myself a few times over the years.
EitherMouse - Multiple mice, individual settings: www.EitherMouse.com
Re: trojan in autohotkey installer?
Apparently writing a new downloaded zip to my Installers folder triggered a Defender scan of the whole folder, that suddenly decided an AutoHotkey install file from over a month ago was malware. Definitions have not been updated since Feb 12 - why now?
-----
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Recommended action: Remove this software immediately.
Items:
file:C:\Users\loren\Installers X\AutoHotkey112300_Install.exe
Get more information about this item online.
Win32/Pocyx.B!plock
-----
Wonder why I got "Pocyx" instead of "Varpes"...
Despite the dialog text saying I need to delete it, the file is already deleted.
It was here before:
Directory of D:\Surface Book Image\Installers X
01/16/2016 10:59 AM 3,092,112 AUTOHO~1.EXE AutoHotkey112300_Install.exe
Gone now, definitely not hidden or system... Thankfully it is not attacking the actual program or scripts!
- JoeWinograd
Re: trojan in autohotkey installer?
Hi Loren,
I just got the same here on a W10 Pro 64-bit system:
Regards, Joe
Re: trojan in autohotkey installer?
Just yesterday my W10 Pro started to throw up a lot of Parite.B reports. Happened again today:
And I reported AU3_Spy.exe online as a false positive at https://www.microsoft.com/en-us/securit ... ubmit.aspx
which resulted in:
Hope that helps someone.
Re: trojan in autohotkey installer?
Thanks for the help with the false positive report. AHK has had many problems with AV software over the years.
Windows 10 x64 Professional, Intel i5-8500, NVIDIA GTX 1060 6GB, 2x16GB Kingston FURY Beast - DDR4 3200 MHz | [About Me] | [About the AHK Foundation] | [Courses on AutoHotkey]
[ASPDM - StdLib Distribution] | [Qonsole - Quake-like console emulator] | [LibCon - Autohotkey Console Library]
Re: trojan in autohotkey installer?
"This program is dangerous and replicates by infecting other files" very strongly indicates that you may have a virus, which has coincidentally infected the AutoHotkey files. Were all of the detections AutoHotkey.exe/compiled scripts?
Re: trojan in autohotkey installer?
lexikos wrote: "This program is dangerous and replicates by infecting other files" very strongly indicates that you may have a virus, which has coincidentally infected the AutoHotkey files. Were all of the detections AutoHotkey.exe/compiled scripts?
ahhhh ... I don't even know anymore....
Re: trojan in autohotkey installer?
lexikos wrote: Were all of the detections AutoHotkey.exe/compiled scripts?
I only distribute compiled scripts, and all of my users who were complaining about Windows Defender detections were on Win10. I'm guessing the heuristic matching is different on Win10.
That said, my webhost also complained and took my site offline, saying I was spreading malware.
- JoeWinograd
Re: trojan in autohotkey installer?
I don't know if anything was done in 1.1.23.05 to address this issue specifically, but, fwiw, I just did a scan of AutoHotkey112305_Install.exe with Windows Defender in W10/64-bit (Windows 10 Pro Insider Preview, Version 1511, Build 14279.1000) and it came up clean:
Scan completed on 399 items. No threats were detected on your PC during this scan.
Regards, Joe
Re: trojan in autohotkey installer?
Please post the file hashes
- JoeWinograd
Re: trojan in autohotkey installer?
CRC32(SFV): 9F3A54AB
MD5: 74FDBAF763D4B30C87DBE566C257095B
SHA1: B5528EAE1B59C37F20A8BF6D4D72ABEE7A4D4F48
SHA256: 849626ED9888C5F3CC1B10C960B4D40BC5C4C499E9D7F9DD1CEB90B32EF622F3
SHA512: F287973800F679A04090E90DCA9A3060D58B120ED1B8A96F626A693FB0E91E00F9F78E5EFFD955BD7F259BC1A7FD049F21FBC1326FEDC972854054286E03C384
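A small script that reproduces the digest list posted above for a downloaded installer and compares it against the published values. This is an added example for readers who want to check a download before deciding whether a Defender alert is a false positive; it is not AutoHotkey project code. The hash-list format it parses is the one shown in the post (one `NAME: HEX` line per algorithm, with `CRC32(SFV)` as the CRC label), and the file name `verify_hashes.py` is an assumption.

```python
import hashlib
import io
import sys
import zlib
from typing import BinaryIO, Dict, Iterable, List

# Digest algorithms in the order the forum post lists them.
ALGORITHMS = ("CRC32", "MD5", "SHA1", "SHA256", "SHA512")
CHUNK = 1024 * 1024  # read installers in 1 MiB pieces so large files are not loaded whole


def digests_from_stream(stream: BinaryIO) -> Dict[str, str]:
    """Compute CRC32, MD5, SHA1, SHA256 and SHA512 of a binary stream in one pass.

    Values are returned as uppercase hex strings, matching the formatting in the thread.
    """
    crc = 0
    hashers = {name: hashlib.new(name.lower()) for name in ALGORITHMS if name != "CRC32"}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        crc = zlib.crc32(chunk, crc)
        for h in hashers.values():
            h.update(chunk)
    result = {"CRC32": f"{crc & 0xFFFFFFFF:08X}"}
    result.update({name: h.hexdigest().upper() for name, h in hashers.items()})
    return result


def digests_of_bytes(data: bytes) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (used by the self-check below)."""
    return digests_from_stream(io.BytesIO(data))


def digests_of_file(path: str) -> Dict[str, str]:
    with open(path, "rb") as f:
        return digests_from_stream(f)


def compare_digests(actual: Dict[str, str], expected: Dict[str, str]) -> List[str]:
    """Return the names of algorithms whose published value does not match.

    Comparison is case-insensitive and ignores surrounding whitespace, because published
    hashes get copied from posts and web pages in mixed case. An algorithm named in
    `expected` that we did not compute counts as a failed check, never as a silent pass.
    """
    mismatches = []
    for name, published in expected.items():
        key = name.strip().upper()
        if key not in actual or actual[key].upper() != published.strip().upper():
            mismatches.append(key)
    return mismatches


def parse_published_hashes(lines: Iterable[str]) -> Dict[str, str]:
    """Parse lines such as 'SHA256: 8496...' or 'CRC32(SFV): 9F3A54AB' (the post's format)."""
    expected = {}
    for line in lines:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().upper()
        if name.startswith("CRC32"):
            name = "CRC32"  # normalise the 'CRC32(SFV)' label used in the post
        expected[name] = value.strip()
    return expected


if __name__ == "__main__":
    # Usage: python verify_hashes.py <installer.exe> <published_hashes.txt>
    # published_hashes.txt holds the NAME: HEX lines copied from the post.
    installer, hash_file = sys.argv[1], sys.argv[2]
    with open(hash_file, encoding="utf-8") as f:
        expected = parse_published_hashes(f)
    bad = compare_digests(digests_of_file(installer), expected)
    print("MATCH" if not bad else "MISMATCH: " + ", ".join(bad))
```

A matching digest only shows that the file on disk is byte-for-byte the one whose hashes were published; it says nothing about whether that file is clean, so it complements rather than replaces a VirusTotal lookup. A mismatch, on the other hand, means the local copy is not the release that was hashed (a different version, a truncated download, or a modified file), which is the case where a Defender alert deserves a closer look rather than a false-positive report.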