Are my AutoIt exes really infected?

[Tripredacus]

Today, MSSE marked one of my applications as Trojan:Win32/Zelrune.C!cl.

[BrewManNH]

@giangnguyen

I don't think you'd get much response from them, they haven't released an update to the software in about 4 years. They've only updated the virus definitions recently.

[AutoBert]

Post the link to analysis of https://virustotal.com/

[giangnguyen]

source: MsgBox(1,"","hi")

compiled by right click+compile for x86

https://virustotal.com/en/file/2922e3bf83b2bc1dd19ab42748ef24e0fbf27a9dbc8696825cf86b11547deeee/analysis/1464834505/

Uh oh, found some more. Not sure if that is by AutoIt though. But they don't have twister on VT, I used majyx scanner.

Here is the twister detection: https://scan.majyx.net/scans/result/f1feb3a899de723057ac539d0ddc3b3f841bc8ce
As you can see, it is detected as 

W32.HackKMS.L.yvrm

[AutoBert]

Have a look in signature from @BetaLeaf he has a tool for reporting false/positive.

[EmilyLove]

Awesome, people noticed me! Lol no but thanks for mentioning my tool. Makes me feel accomplished. Tools in the signature below. 

[giangnguyen]

additional thing: if u pack with UPX it detects as AutoIt Packed.

[Mobius]

On 02/06/2016 at 3:34 AM, giangnguyen said:

source: MsgBox(1,"","hi")

compiled by right click+compile for x86

https://virustotal.com/en/file/2922e3bf83b2bc1dd19ab42748ef24e0fbf27a9dbc8696825cf86b11547deeee/analysis/1464834505/

Uh oh, found some more. Not sure if that is by AutoIt though. But they don't have twister on VT, I used majyx scanner.

Here is the twister detection: https://scan.majyx.net/scans/result/f1feb3a899de723057ac539d0ddc3b3f841bc8ce
As you can see, it is detected as 

W32.HackKMS.L.yvrm

 

giangnguyen,

Not sure how long you've been around autoit but 3/56 flags from VT is nothing to worry about, or any other similar site that uses the "many fools in a room" logic to formulate an opinion.

[giangnguyen]

8 hours ago, Mobius said:

giangnguyen,

Not sure how long you've been around autoit but 3/56 flags from VT is nothing to worry about, or any other similar site that uses the "many fools in a room" logic to formulate an opinion.

 

I know 3/56 is not much, I know, but I prefer to have my clean files not detected by AVs.

[Jon]

The main AutoIt3.exe rarely gets flagged (sometimes on each new version). So if I were writing public software I'd play it safe and distribute AutoIt3.exe and compile the script as .a3x. Least chance of flagging.

[yennhikorea]

uninstall the autoit. fix isue registry with ccleaner. restart computer. install agains.

HOT nhất năm 2016 với dịch vụ thiết kế web giá rẻ của IUL, khi bạn thiết kế web hà nội sẽ được tặng ngay một khóa học hướng dẫn các bán hàng trên facebook hoặc bán hàng trực tuyến hay sử dụng các dịch vụ web khác của chúng tôi ví dụ như: thiết kế web du lịch khách sạn, thiết kế web công ty, thiết kế web trọn gói giá rẻ, thiết kế web theo yêu cầu, thiet ke web responsive, thiết kế website bất động sản nhà đất,.. Chương trình khuyến mãi sẽ kết thức vào ngày 20/10/2016 vì thế các bạn hãy nhanh tay tham gia trường trình để nhận thưởng nhé.

Edited October 19, 2016 by yennhikorea

[Trong]

5 minutes ago, yennhikorea said:

uninstall the autoit. fix isue registry with ccleaner. restart computer. install agains.

you are trying to say something?  nói cái L gì thế ?

[water]

Trong, what do you try to say?

[Trong]

I'm asked, I do not say!

[EmilyLove]

On 6/20/2016 at 11:36 AM, yennhikorea said:

uninstall the autoit. fix isue registry with ccleaner. restart computer. install agains.

That's not going to fix the detection of issue. It is probably a combination of the unpacking of the autoit engine on execution and certain functions in your script. 

[EmilyLove]

Hey guys. Want to help improve False Positive Reporter?

If you see any emails that aren't on the list below, please Private Message me so I can add it to the list.

 

Spoiler

support.is@cmclab.net
samples@digital-defender.com
sample@preventon.com
support-tech@returnil.com
malwaresample@herdprotect.com
info@chicalogic.com
submit@antiy.com
avlnetwork@antiy.com
virus@arcabit.com
v3sos@ahnlab.com
virus@avast.com
virus@avira.com
virus_submission@bitdefender.com
samples@bluepointsecurity.com
malwaresubmit@avlab.comodo.com
vms@drweb.com
malware@emcosoftware.com
submit@emsisoft.com
virus@esafe.com
samples@escanav.com
submitvirus@fortinet.com
research@spy-emergency.com
viruslab@f-prot.com
labs@fsb-antivirus.com
vsamples@f-secure.com
samples@ikarus.at
submit@samples.immunet.com
newvirus@kaspersky.com
support@jiangmin.com
research@lavasoft.com
virus_research@avertlabs.com
virus@micropoint.com.cn
avsubmit@submit.microsoft.com
virus@nanoav.ru
samples@eset.com
support@noralabs.com
support@norman.com
virus_info@inca.co.kr
virus@pandasecurity.com
psafe@psafe.com
kefu@360.cn
support@rubus.co.in
newvirus@s-cop.com
samples@sophos.com
detections@spybot.info
vlab@srnmicro.com
avsubmit@symantec.com
virus@hacksoft.com.pe
virus@thirtyseven4.com
cainfo@ca.com
submit@trojanhunter.com
support@simplysup.com
virus@filseclab.com
malware-cruncher@sunbelt-software.com
viruslab@hauri.co.kr
newvirus@anti-virus.by
virus@zillya.com
huangruimin@kingsoft.com
support@aegislab.com
viruslab@quickheal.com
trojans@agnitum.com
bav@baidu.com
bkav@bkav.com.vn
samples@mysecuritywin.com
falsepositive@reasoncoresecurity.com
virus_research_gateway@avertlabs.com

 

Edited June 23, 2016 by BetaLeaf

[Guest]

According to my tests:

• Some AVs will flag the exe file as virus if it does not have icon file
• #AutoIt3Wrapper_Res_Description=
  • if this is empty then some AVs will flag the file as virus
  • If this is not empty then some AVs + other AVs will flag the file as virus.. I guess it happens if the name is something that AVs know as virus
• Need to delete from the #AutoIt3Wrapper_Res_Description , #AutoIt3Wrapper_Res_Comment=
  Any string that telling the AVs what the file is. And need to leave #AutoIt3Wrapper_Res_Description=
  With some string. otherwise some AVs will detect it as virus.. So I wrote string that is the program version..

Edited August 9, 2017 by Guest

[Skysnake]

@BetaLeaf, maybe remove this one from your list?

PSafe (PSafe) 
Aug 10, 10:09 -03 
Hello Team,

We don't support Windows anymore, our AV for Windows platform was discontinued.

Thank you for your contact and if you have any questions, feel free to reach me.

Best regards,
Thomas

Skysnake

[EmilyLove]

On 8/11/2017 at 8:44 AM, Skysnake said:

@BetaLeaf, maybe remove this one from your list?

PSafe (PSafe) 
Aug 10, 10:09 -03 
Hello Team,

We don't support Windows anymore, our AV for Windows platform was discontinued.

Thank you for your contact and if you have any questions, feel free to reach me.

Best regards,
Thomas

Skysnake

Thanks for reporting in. It has been fixed.

In the future, please submit an issue on GitHub.

https://github.com/BetaLeaf/False-Positive-Reporter/releases/tag/1.3.2

Changelog:

• Removed PSafe from the list of Anti-Virus Vendors.
• Anti-Virus Vendor list and Banned Extensions list will now automatically update from this repository.
• You can now configure FPR.exe by simply double clicking on FPR.exe.
• Config FPR.exe removed (See above.)
• Update FPR.exe now updates FPR.exe to the latest version, instead of only updating the Anti-Virus Vendor list.

Edited August 17, 2017 by BetaLeaf
Since the list is now automatically updated on the repository, you can update it yourself and submit a pull request.

[BrewManNH]

Just don't trust that the information on VirusTotal is accurate for any purposes.

http://www.csoonline.com/article/3216765/security/heres-why-the-scanners-on-virustotal-flagged-hello-world-as-harmful.html