Virus in 9.0 reported by ClamAV, CP Secure, nProtect, Ikarus

KernuLL
Newbie
Posts: 1
Joined: Sat Dec 13, 2008 6:21 am

Post by KernuLL »

A scan of Vistumbler9-0_Installer.exe is showing a Virus-Trojan by all of these Anti-Virus scanners:

ClamAV shows Trojan.Banker-151
a-squared shows Virus.Win32.Trojan!IK
CP Secure shows Troj.Downloader.W32.Small.axy
nProtect shows Trojan/W32.Qhost.461706
Ikarus shows Virus.Win32.Trojan
The Hacker Antivirus shows Adware/EShoper.bg

The Vistumbler9.0_Installer.exe file was uploaded to and scanned by VirScan.org
http://virscan.org/report/cdb61108ae9be ... 75399.html

What part of Vistumbler 9.0 is setting off all these alarms??
ACalcutt
Vistumbler / TechIdiots Admin
Posts: 1302
Joined: Sun Oct 21, 2007 6:50 pm
Location: Rutland, MA

Post by ACalcutt »

I have a few ideas, but I'm not really sure.

1.) The Vistumbler updater. It downloads a versions.ini file to check if the latest version of all of Vistumbler's files is present (but this did not exist in 8.1).
2.) Window automation in Vistumbler. To refresh networks using the Windows "connect to" window, Vistumbler uses window automation to click the refresh button.
3.) AutoIt itself. The way AutoIt works is basically packing the autoit.exe and the code together. Maybe it's the way this is packed.
4.) Maybe the fact that AutoIt has been used to create viruses in the past; maybe part of the packed autoit.exe has been classified as a virus.

The problem is I don't really know. And I don't know what to do to fix it, other than contacting all these places.
ACalcutt
Vistumbler / TechIdiots Admin
Posts: 1302
Joined: Sun Oct 21, 2007 6:50 pm
Location: Rutland, MA

Post by ACalcutt »

Looks like contacting these antivirus companies may have helped...

On that page it is down to only ClamAV and nProtect still falsely detecting Vistumbler as a virus.
ACalcutt
Vistumbler / TechIdiots Admin
Posts: 1302
Joined: Sun Oct 21, 2007 6:50 pm
Location: Rutland, MA

Post by ACalcutt »

Also, searching for information I found this:

http://www.clickteam.com/epicenter/ubbt ... ber=120840

Clickteam Install Builder is what I use to create the exe version of Vistumbler, so this explains the ClamAV detection.
Yakumo
Junior Member
Posts: 3
Joined: Sat Mar 20, 2010 7:28 am

Post by Yakumo »

Bumping an old thread I know, but it's all that came up searching for adware.

I just scanned the latest Vistumbler using virustotal.com and got these two threats:

F-Secure 9.0.15370.0 2010.03.20 Suspicious:W32/Malware!Gemini
TheHacker 6.5.2.0.241 2010.03.20 Adware/EShoper.v
ACalcutt
Vistumbler / TechIdiots Admin
Posts: 1302
Joined: Sun Oct 21, 2007 6:50 pm
Location: Rutland, MA

Post by ACalcutt »

Like I've said before, these are false positives. The source code for Vistumbler is included with every copy if you want to look yourself.

I am done dealing with the virus companies. Sorry for any inconvenience this may cause you, but it's just not worth my time to contact them every time this happens.
Yakumo
Junior Member
Posts: 3
Joined: Sat Mar 20, 2010 7:28 am

Post by Yakumo »

No offense was meant, I simply wished to make you aware of a potential problem.

The worry is never the source code (unless you actually believe an author's intent is to infect); the worry is always that the files were infected post-compilation on the developer's machine, as they are unaware that they themselves have an infection, or at some other point in the chain to reach the file hosting server.
Yakumo
Junior Member
Posts: 3
Joined: Sat Mar 20, 2010 7:28 am

Post by Yakumo »

I just tested the .zip version and only got:

Comodo 4417 2010.03.28 Heur.Packed.Unknown

which is not a worry.

So I'm happy that it's either a false positive, or simply a problem with the installer (false or otherwise).
pferland
Contributor
Posts: 406
Joined: Mon Oct 22, 2007 8:38 am
Location: The Universe

Post by pferland »

It's probably more the fact that it's not a true compile; it's more of a script wrapped around a parser. Same thing goes for the installer.
The best acceleration you can get on a Mac is 9.8ms^2