Autoit complied exe detect as a TrojanDownload?

[emdy]

Scan your compiled exe file at http://virusscan.jotti.org/ then post the result here please.. Thank you..

Every compiled exe i made, when i send to Jotti Virus Scan, it said its a Trojan.DownLoader.3281!!

I also tired other people program and scan.. still got the same result..

what going on??

can someone try this out??

Got to Jotti Virus Scan and scan your own compiled exe..

Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

MD5 b2255dd45ee77d672569911f5d655208

Packers detected: UPX

Scanner results

AntiVir Found nothing

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found nothing

BitDefender Found nothing

ClamAV Found nothing

Dr.Web Found nothing

F-Prot Antivirus Found nothing

Fortinet Found nothing

Kaspersky Anti-Virus Found nothing

NOD32 Found nothing

Norman Virus Control Found nothing

UNA Found nothing

VBA32 Found Trojan.DownLoader.3281

Sorry moderators but i guess i post in the wrong section..

Edited July 4, 2005 by emdy

[layer]

False Alarm

The reason you're getting these results is because some assholes make viruses with AutoIt, so the people who make your virus protector just mark every compiled autoit script as a virus. This doesn't mean your virus company isn't good, just means it's lazy.

perhaps take a look here:

http://www.autoitscript.com/forum/index.php?showtopic=13133

[emdy]

layer can you help me out?

can u pls scan 1 of your compiled exe to that url and copy/paste it here?

coz im being ban in some forum coz they think i posted a trojan!!

coz i wanna see if we get the same result or not..

pls

[layer]

layer can you help me out?

can u pls scan 1 of your compiled exe to that url and copy/paste it here?

coz im being ban in some forum coz they think i posted a trojan!!

coz i wanna see if we get the same result or not..

pls

<{POST_SNAPBACK}>

I'll gladly help, but, I'm unsure of what you want me to do, could you explain a little more?

Thanks

[emdy]

I'll gladly help, but, I'm unsure of what you want me to do, could you explain a little more?

Thanks

<{POST_SNAPBACK}>

just scan any of your compiled exe at http://virusscan.jotti.org/

then copy and paste the result here..

thank you.

[layer]

Sure! Will post back the results when the scan is complete

[layer]

Ok, here are my results on a simple MsgBox exe.

File:  test.exe 

Status:  INFECTED/MALWARE 

MD5  69b25c140741504d78b4e0980e761e08 

Packers detected:  UPX

Scanner results 

AntiVir  Found nothing

ArcaVir  Found nothing

Avast  Found nothing

AVG Antivirus  Found nothing

BitDefender  Found nothing

ClamAV  Found nothing

Dr.Web  Found nothing

F-Prot Antivirus  Found W32/Agent.QY 

Fortinet  Found nothing

Kaspersky Anti-Virus  Found nothing

NOD32  Found nothing

Norman Virus Control  Found nothing

UNA  Found nothing

VBA32  Found Trojan.Win32.Agent.fd 

But no worries, as I said before, some anti virus companies mark all compiled autoit scripts as a virus/trojan because of one that someone else made... Stupid I know, but don't worry, it's nothing.

Cheers

[emdy]

hmm how come your result is diffrence from mine?

i got a Trojan.DownLoader.3281

and you got a Trojan.Win32.Agent.fd

hmm...

your autoit version is??

mine is 3.1.1

Edited July 4, 2005 by emdy

[layer]

Yea, mine is 3.1.1 and I got two results if you looked closely But as the site stated, the results may not always be correct. Don't know what else to say except I know AutoIt is clean...

[emdy]

oh yeah.. u got 2 lol..

hmm... think i need more evidence to show that poor judgement was made.

[JSThePatriot]

oh yeah.. u got 2 lol..

hmm... think i need more evidence to show that poor judgement was made.

<{POST_SNAPBACK}>

Send them to the website. Show them it is a scripting utility, and people have the right to make their own programs.

Also as with any language that can be compiled there is always room for malware/spyware. That doesnt mean all the executables should be blocked. That virus company should retract their statement about AutoIt and check for things the script may be able to do. Like modify system files.

I am sorry that people are being so naive and banning you and such.

JS

[emdy]

All i wanted to do is to contribute to the gaming community..

To share some stuff i've made..

And all i got was a lousy ban and he said...

Before we approve this file, could somebody explain the reason TrojanDownloader is in an autoit script? As far as I know, it doesn't belong there.

EDIT: Approval denied.

My computer didn't like your file (to simply put it).

Closed and warned.

what a jerk (to simply put it)

[JSThePatriot]

Well I am sorry to say that there are such dumb people in the world. I guess every VBS should be blocked from being used and every ActiveX script, and so on down the list. There are always going to be people that mess it up for those of us that keep it clean.

We just have to show them that what we do is for real and show the world what they are missing, because if the 'world' thinks it is missing something it wants to join in.

JS

[FuryCell]

Well I am sorry to say that there are such dumb people in the world. I guess every VBS should be blocked from being used and every ActiveX script, and so on down the list. There are always going to be people that mess it up for those of us that keep it clean.

We just have to show them that what we do is for real and show the world what they are missing, because if the 'world' thinks it is missing something it wants to join in.

JS

<{POST_SNAPBACK}>

I just compiled my StartUpSentinel program and scanned it. I got the same result as emdy.

Why did they have tarnish AutoIts rep like this???

AntiVir  Found nothing

ArcaVir  Found nothing

Avast  Found nothing

AVG Antivirus  Found nothing

BitDefender  Found nothing

ClamAV  Found nothing

Dr.Web  Found nothing

F-Prot Antivirus  Found nothing

Fortinet  Found nothing

Kaspersky Anti-Virus  Found nothing

NOD32  Found nothing

Norman Virus Control  Found nothing

UNA  Found nothing

VBA32  Found Trojan.DownLoader.3281

  

Edited July 4, 2005 by SolidSnake

[emdy]

I just compiled my ___ and scaned it. Here are the results.

AntiVir  Found nothing 
ArcaVir  Found nothing 
Avast  Found nothing 
AVG Antivirus  Found nothing 
BitDefender  Found nothing 
ClamAV  Found nothing 
Dr.Web  Found nothing 
F-Prot Antivirus  Found nothing 
Fortinet  Found nothing 
Kaspersky Anti-Virus  Found nothing 
NOD32  Found nothing 
Norman Virus Control  Found nothing 
UNA  Found nothing 
VBA32  Found Trojan.DownLoader.3281

Why did they have tarnish AutoIts rep like this???

<{POST_SNAPBACK}>

you got the same result as mine..

i think it gotta do something with the compiler..

a blank .au3 when compiled will still show the same result..

[layer]

Why did I get different results with a compiled AutoIt script with the normal template from ScItE and a "MsgBox(0, "Test", "Test")" ? Weird... 3.1.1 too... WinXP SP2

[MSLx Fanboy]

I'm assuming then that it is the UPX wrapper possibly causing the problem, or is it specifically targeting AU3-compiled scripts?

[jpm]

at least today an empty script give the following result with the beta. THe official release found the VBA32 Found Trojan.DownLoader.3281 which can be considered from my point of view as a false alarm. (I rebuilt the official release from the source and it do the same)

File:  empty AU3 script.exe 

Status:  MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.) 

MD5  98e97d105d72ae32b3a993a16125b469 

Packers detected:  UPX

Scanner results 

AntiVir  Found nothing

ArcaVir  Found nothing

Avast  Found nothing

AVG Antivirus  Found nothing

BitDefender  Found nothing

ClamAV  Found nothing

Dr.Web  Found nothing

F-Prot Antivirus  Found nothing

Fortinet  Found nothing

Kaspersky Anti-Virus  Found nothing

NOD32  Found nothing

Norman Virus Control  Found nothing

UNA  Found nothing

VBA32  Found nothing

[JSThePatriot]

Speaking of I run AntiVir all the time. It is the best virus scanner I have found todate, and it has no issue with my scripts as this latest post suggests.

They have apparently just blocked all AutoIt scripts.

JS

[Confuzzled]

Already an issue at http://www.autoitscript.com/forum/index.php?showtopic=13133 with Computer Associates - false positive in InoculateIT as well, but not Vet Anti-Virus.

Easy enough to do - just use the contents of AUTOISC.BIN as your signature recognition pattern and all AutoIT compiled scripts will be quarantined! Lazy, I suspect on the part of the anti-virus researchers. Puts me in a spot as I have deadlines to meet and my scripts are getting deleted from under me.

Not happy.

Comment: I read in these forums about help required for keyloggers and remappers, and ways to circumvent normal Windows operations and wonder how many of these questions are by the 'script kiddies' as the anti-nasty industry likes to term malicious hwackers? Are we helping the wrong people some of the time?