trojan in autohotkey installer?

gallaxhar
Posts: 143
Joined: 03 Sep 2014, 06:35

trojan in autohotkey installer?

13 Feb 2016, 14:37

Today, 2/13/2016, Windows Defender found the varpes.m!plock trojan in AutoHotkey .exe files.
I'm guessing it's a false positive, but I want to make sure other people with Windows Defender are getting this too, and some trojan didn't inject into my AHK install.
Pulover
Posts: 612
Joined: 29 Sep 2013, 19:51
Location: Brazil
Contact:

Re: trojan in autohotkey installer?

13 Feb 2016, 19:25

Got the same warning on the 1.1.23.00 installer.
Rodolfo U. Batista
Pulover's Macro Creator - Automation Tool (Recorder & Script Writer)
Thomas69

Re: trojan in autohotkey installer?

14 Feb 2016, 11:49

Same problem here.

I really wonder if it is just a false alarm or if the installation file got infected somehow.
Thomas69

Re: trojan in autohotkey installer?

14 Feb 2016, 13:54

Or maybe...maybe there are some trojans based on autohotkey and it is really a false positive.
Peter2
Posts: 325
Joined: 21 Sep 2014, 14:38
Location: CH

Re: trojan in autohotkey installer?

14 Feb 2016, 14:50

Current check of AutoHotkey112301.zip on Virustotal.com shows 0 alerts:
https://www.virustotal.com/de/file/f606 ... 455479320/
Peter (AHK Beginner) / Win 10 x64, AHK Version v1.1.33
Pronto

Re: trojan in autohotkey installer?

14 Feb 2016, 15:07

I have the Ahk2Exe compiler installed, and curiously enough, the very same trojan was reported by MS Security Essentials (virus db version 1.213.6205.0) in ANSI 32-bit.bin, AutoHotkeySC.bin and Unicode 32-bit.bin, but not in the generated executable file. :crazy:
It must be a false positive.
lexikos
Posts: 9560
Joined: 30 Sep 2013, 04:07
Contact:

Re: trojan in autohotkey installer?

15 Feb 2016, 05:33

When these (suspected) false positives occur, it would be helpful if users were to submit the files in question to their antivirus vendor for analysis. The following page has an extensive list of details for submitting false positives to various antivirus vendors:
http://www.techsupportalert.com/content ... endors.htm
JoeWinograd
Posts: 2182
Joined: 10 Feb 2014, 20:00
Location: U.S. Central Time Zone

Re: trojan in autohotkey installer?

16 Feb 2016, 09:32

I just ran AutoHotkey112301_Install.exe through VirusTotal (although it had already been analyzed a few hours ago) and it reports 7 detections out of 54:
https://www.virustotal.com/en/file/a043 ... 455631818/

"McAfee" is one of the detections, but "Microsoft" isn't. However, I don't know what VT means by "Microsoft", as my MSE scan does show the detection:

Image

It's interesting that Peter2's run of AutoHotkey112301.zip through VT showed 0 detections, while my run of AutoHotkey112301_Install.exe through VT showed 7.
Regards, Joe
lexikos
Posts: 9560
Joined: 30 Sep 2013, 04:07
Contact:

Re: trojan in autohotkey installer?

16 Feb 2016, 21:30

It is interesting that both "infections" were given the name "Win32/Varpes.M!plock". I suspect they are actually unrelated.

The installer is a 7-zip self-extractor; specifically "7zS2.sfx", iirc. I compiled it with TinyCC, making it maybe 30-40KB smaller than compiling with VS. The source code contains a couple of minor customisations for error handling and launching "AutoHotkeyU32.exe Installer.ahk" instead of setup.exe. (I left setup.exe because it's easier to instruct users to click on, and doesn't seem to take any extra space due to compression of redundant data.)

I uploaded the base executable produced by TinyCC to VT yesterday, and iirc it got 7 detections. This is without any AutoHotkey data, and no code in common with AutoHotkey.exe.

I could change compilers again to try to evade the false positives, but it isn't a solution let alone a permanent one, and I'm against the idea on principle.
gwarble
Posts: 524
Joined: 30 Sep 2013, 15:01

Re: trojan in autohotkey installer?

18 Feb 2016, 17:15

Since "releasing" EitherMouse years ago, most of my false positive reports from users have been Avast, some Kalypso, but today was the first someone reported a Microsoft false positive...

1.1.23.1, same Varpes.M detected

I always instruct users to report it (but doubt they do) and I have done so myself a few times over the years.
EitherMouse - Multiple mice, individual settings . . . . www.EitherMouse.com . . . . forum . . . .
LorenAmelang
Posts: 6
Joined: 25 Feb 2016, 12:40

Re: trojan in autohotkey installer?

25 Feb 2016, 14:48

Apparently writing a new downloaded zip to my Installers folder triggered a Defender scan of the whole folder, that suddenly decided an AutoHotkey install file from over a month ago was malware. Definitions have not been updated since Feb 12 - why now?

-----
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Recommended action: Remove this software immediately.
Items:
file:C:\Users\loren\Installers X\AutoHotkey112300_Install.exe
Get more information about this item online.
Win32/Pocyx.B!plock
-----

Wonder why I got "Pocyx" instead of "Varpes"...

Despite the dialog text saying I need to delete it, the file is already deleted.

It was here before:
Directory of D:\Surface Book Image\Installers X
01/16/2016 10:59 AM 3,092,112 AUTOHO~1.EXE AutoHotkey112300_Install.exe

Gone now, definitely not hidden or system... Thankfully it is not attacking the actual program or scripts!
JoeWinograd
Posts: 2182
Joined: 10 Feb 2014, 20:00
Location: U.S. Central Time Zone

Re: trojan in autohotkey installer?

25 Feb 2016, 18:09

Hi Loren,
I just got the same here on a W10 Pro 64-bit system:

Image

Regards, Joe
rgal7
Posts: 1
Joined: 28 Feb 2016, 20:38

Re: trojan in autohotkey installer?

28 Feb 2016, 20:55

Just yesterday my W10 Pro started to throw up a lot of Parite.B reports. Happened again today:
Image

And I reported AU3_Spy.exe online as a false positive at https://www.microsoft.com/en-us/securit ... ubmit.aspx

which resulted in:
Image

Hope that helps someone.
joedf
Posts: 8940
Joined: 29 Sep 2013, 17:08
Location: Canada
Contact:

Re: trojan in autohotkey installer?

28 Feb 2016, 23:47

Thanks for the help with the false positive report. :) AHK has had many problems with AV software over the years. :(
Windows 10 x64 Professional, Intel i5-8500, NVIDIA GTX 1060 6GB, 2x16GB Kingston FURY Beast - DDR4 3200 MHz | [About Me] | [About the AHK Foundation] | [Courses on AutoHotkey]
[ASPDM - StdLib Distribution] | [Qonsole - Quake-like console emulator] | [LibCon - Autohotkey Console Library]
lexikos
Posts: 9560
Joined: 30 Sep 2013, 04:07
Contact:

Re: trojan in autohotkey installer?

29 Feb 2016, 01:09

"This program is dangerous and replicates by infecting other files" very strongly indicates that you may have a virus, which has coincidentally infected the AutoHotkey files. Were all of the detections AutoHotkey.exe/compiled scripts?
joedf
Posts: 8940
Joined: 29 Sep 2013, 17:08
Location: Canada
Contact:

Re: trojan in autohotkey installer?

29 Feb 2016, 16:14

lexikos wrote: "This program is dangerous and replicates by infecting other files" very strongly indicates that you may have a virus, which has coincidentally infected the AutoHotkey files. Were all of the detections AutoHotkey.exe/compiled scripts?
ahhhh :facepalm: :crazy: :( ... I don't even know anymore.... :cry:
guest3456
Posts: 3454
Joined: 09 Oct 2013, 10:31

Re: trojan in autohotkey installer?

02 Mar 2016, 09:55

lexikos wrote: Were all of the detections AutoHotkey.exe/compiled scripts?
I only distribute compiled scripts, and all of my users that were complaining about Windows Defender detections were on Win10. I'm guessing the heuristic matching is different on Win10.

That said, my webhost also complained and took my site offline, saying I was spreading malware. :evil:

JoeWinograd
Posts: 2182
Joined: 10 Feb 2014, 20:00
Location: U.S. Central Time Zone

Re: trojan in autohotkey installer?

21 Apr 2016, 14:46

I don't know if anything was done in 1.1.23.05 to address this issue specifically, but, fwiw, I just did a scan of AutoHotkey112305_Install.exe with Windows Defender in W10/64-bit (Windows 10 Pro Insider Preview, Version 1511, Build 14279.1000) and it came up clean:
Scan completed on 399 items. No threats were detected on your PC during this scan.
Regards, Joe
joedf
Posts: 8940
Joined: 29 Sep 2013, 17:08
Location: Canada
Contact:

Re: trojan in autohotkey installer?

21 Apr 2016, 15:14

Please post the file hashes :)
JoeWinograd
Posts: 2182
Joined: 10 Feb 2014, 20:00
Location: U.S. Central Time Zone

Re: trojan in autohotkey installer?

21 Apr 2016, 15:40

CRC32(SFV): 9F3A54AB
MD5: 74FDBAF763D4B30C87DBE566C257095B
SHA1: B5528EAE1B59C37F20A8BF6D4D72ABEE7A4D4F48
SHA256: 849626ED9888C5F3CC1B10C960B4D40BC5C4C499E9D7F9DD1CEB90B32EF622F3
SHA512: F287973800F679A04090E90DCA9A3060D58B120ED1B8A96F626A693FB0E91E00F9F78E5EFFD955BD7F259BC1A7FD049F21FBC1326FEDC972854054286E03C384
