
ggf31416

Posts posted by ggf31416

  1. There have been several reports of false-positives by anti-virus scanners over the last few months. Apparently it's been an issue with a lot of other AutoIt-based applications as well. In response they've put up a rather useful sticky post about this on the AutoIt forums. In addition to explaining the cause of the issue, they also provide links to various AV vendor feedback forms.

    Antivirus companies usually request that you send an e-mail to their virus submission address with the subject "False Positive" and the offending file attached as a password-protected zip (otherwise the attachment will be deleted by the scanners on the e-mail servers before it can reach the AV company; of course, you must give the password in the message). For the e-mail addresses see this thread: "E-mails for submitting samples to AV companies".

  2. I'm getting reports from Kaspersky 2006 that UniExtract.exe and ExtractMHT.exe match Trojan-Downloader.Win32.Agent.axn signatures.

    The false positives seem to be fixed now. Kaspersky is having bad luck with the false positives.

    As I found out, these files are UPX compressed. Unpacking these files does not solve the issue. May I ask why you put UPX compression in? It's totally unnecessary for this program, and it slows down my system as well.

    You should ask that question in the AutoIt forums. AutoIt automatically uses UPX compression when the script is compiled.

  3. So, to workaround the issue, wait until it looks like 7-Zip is frozen (no new files are being written), then type 'a' into the console and hit enter (no quotes). That should tell it to overwrite any existing files, which should then make it continue extraction.

    Or u - Auto Rename

    To nitro322: for 7-zip you can use -aou (auto rename extracting file) or -aot (auto rename existing file).

  4. I always get an error when trying to do it: "This page cannot be saved." Don't know what the deal is. I use nLite to rip a hell of a lot of crap out of my system, though, so I could've broken MHT support in the process. I'd appreciate it if someone could post a link to a sample file.

    2 MHT files in the attachment. Note that you may be asked for Internet access to view the files. Most elements are contained in the MHT, but some of them are not.

    BTW, there is another false positive :angry: . Now it's Kaspersky:

    UniExtract.exe:

    Antivirus Version Update Result

    Fortinet 2.77.0.0 08.30.2006 PossibleThreat!05780

    Kaspersky 4.0.2.24 08.30.2006 Backdoor.Win32.Agent.agl

    Panda 9.0.0.4 08.29.2006 Suspicious file

    File size: 223530 bytes

    MD5: 59ce357c2d9d4300b130d13ed991e2ab

    SHA1: 972b51bbd733339da595ae8d7129391a0613d040

    packers: UPX

    Edit: Seems that the attachments don't work for zip files (Or I'm doing something wrong). I will post a link to RapidShare.

    Link to RapidShare: http://rapidshare.de/files/31273604/MHT.zip.html

    Edit 2: I received a reply from Kaspersky saying that it is a false positive and it will be fixed in next update.

  5. If you want a zip file using Store, Deflate, Deflate64 and Bzip2 (Created with KZIP, 7-zip and ZIPMIX): Test File

    ggf31416, is there any chance you can repost this file? I didn't download it when you originally posted it, and now it's expired. It sounds like a good test case to work with.

    Thanks.

    You can create a zip with multiple compression methods by yourself, but if you want an example :hello:

    http://rapidshare.de/files/31143658/Groff-KDB.ZIP.html (335 KB)

    As I already said, I would recommend using 7-zip as a secondary (or main) unpacker for zip archives (using the -aos switch so that no time is lost extracting existing files) if Info-ZIP fails.

    BTW since 4.43 alpha 3, 7-zip supports most zips with incorrect headers, which previous versions of 7-zip refused to open. B)

  6. Another format that currently is not supported is UHA (UHARC)

    UHARC 0.6b can be downloaded from ftp://ftp.elf.stuba.sk/pub/pc/pack/uharc06b.zip

    Older versions of UHARC can be downloaded from http://www.klaimsoft.com/forum/index.php?showtopic=25

    Edit: If you want to support ZIP/Bzip2 you can do the following: extract the archive with 7-zip (using -aos, so no time is wasted extracting already existing files) if Info-Zip gives an exit code of 81.

  7. Yeah and the worst thing is I am warned about it after every reboot. Getting annoying. Just wish they would fix their **** detections.

    What antivirus are you using?

    If you are using AntiVir you can exclude files from the Resident Guard:

    Extras -> Configuration -> Guard (Expert Mode must be enabled) -> Scan -> Click the + -> Exception -> Files objects to be omitted for the Guard

  8. Another False Positive: Now Antivir detects IsXunpack.exe as "TR/Crypt.F.Gen"

    Complete scanning result of "IsXunpack.exe", received in VirusTotal at 07.03.2006, 05:47:55 (CET).

    AntiVir TR/Crypt.F.Gen

    CAT-QuickHeal (Suspicious) - DNAScan

    Fortinet suspicious

    Panda Suspicious file

    The other 22 antivirus engines found no virus.

    For comparison purposes a file compressed with Upack...

    Complete scanning result of "7zSD.upack", received in VirusTotal at 07.03.2006, 05:52:33 (CET).

    CAT-QuickHeal (Suspicious) - DNAScan

    Fortinet suspicious

    ...and a file compressed with UPX

    Complete scanning result of "7z.upx", received in VirusTotal at 07.03.2006, 05:54:38 (CET).

    Panda Suspicious file

    For some reason the AntiVir team thinks that IsXunpack.exe is a real virus:

    http://portablefreeware.com/forums/viewtopic.php?p=976

  9. Can you post a link to such a file? I'd be happy to look into it.

    Using 7-zip (every version since 2.30b30, 2003-04-19): select some files, click Add, choose Format: Zip and Method: Bzip2. Almost the same for WinZip 10. Also you can use PKZIP.

    If you want a zip file using Store, Deflate, Deflate64 and Bzip2 (Created with KZIP, 7-zip and ZIPMIX): Test File
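The three posts above (items 5, 6 and 9) describe two things: how to build a zip whose members use different compression methods, and how to fall back from Info-ZIP to 7-Zip with -aos when unzip exits with code 81 (unsupported compression method). The script below is an added example, not code from the page or from UniExtract. It writes such an archive with Python's zipfile (Store, Deflate, Bzip2, LZMA; Deflate64 cannot be written by zipfile, so that one still needs KZIP/ZIPMIX as the post says), reads each member's method from the central directory, and decides which extractor to run. The assumptions are mine: INFOZIP_METHODS treats only Store and Deflate as safe for Info-ZIP (Deflate64 and Bzip2 support vary by build), the unzip/7z command lines are one reasonable choice, and demo() substitutes a stand-in runner for the real tools so the example runs offline.

```python
"""Added example: mixed-method zip, central-directory inspection, 7-Zip fallback."""
import os
import subprocess
import tempfile
import zipfile

# Compression method numbers as stored in the zip central directory (APPNOTE.TXT).
METHOD_NAMES = {0: "Store", 8: "Deflate", 9: "Deflate64", 12: "Bzip2", 14: "LZMA"}

# Assumption: the Info-ZIP build in use handles only Store and Deflate reliably;
# anything else is routed to 7-Zip. unzip reports unsupported methods with exit 81.
INFOZIP_METHODS = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED}
UNZIP_UNSUPPORTED = 81


def build_mixed_zip(path, payload=b"same text in every member\n" * 64):
    """Write one archive whose members use Store, Deflate, Bzip2 and LZMA."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("stored.txt", payload, compress_type=zipfile.ZIP_STORED)
        zf.writestr("deflated.txt", payload, compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("bzip2.txt", payload, compress_type=zipfile.ZIP_BZIP2)
        zf.writestr("lzma.txt", payload, compress_type=zipfile.ZIP_LZMA)
    return path


def entry_methods(path):
    """Map member name -> method number, read from the central directory only."""
    with zipfile.ZipFile(path) as zf:
        return {info.filename: info.compress_type for info in zf.infolist()}


def needs_7zip(path):
    """True if any member uses a method outside what Info-ZIP is assumed to handle."""
    return any(m not in INFOZIP_METHODS for m in entry_methods(path).values())


def extractor_plan(path, dest):
    """Commands to try in order: Info-ZIP first, then 7-Zip with -aos (skip existing)."""
    plan = [["unzip", "-o", "-q", path, "-d", dest]]
    if needs_7zip(path):
        plan.append(["7z", "x", "-aos", "-y", "-o" + dest, path])
    return plan


def extract(path, dest, run=subprocess.run):
    """Run unzip; fall through to 7-Zip only when unzip reports exit code 81."""
    plan = extractor_plan(path, dest)
    rc = run(plan[0]).returncode
    if rc == UNZIP_UNSUPPORTED and len(plan) > 1:
        rc = run(plan[1]).returncode
    return rc


def demo(run=None):
    """Build the archive in a temp dir and report what the fallback logic decides.

    With run=None a stand-in runner is used (unzip -> 81, 7z -> 0) so the example
    does not require either tool to be installed; pass subprocess.run to use them.
    """
    called = []

    class _Result:
        def __init__(self, rc):
            self.returncode = rc

    def fake_run(cmd):
        called.append(cmd[0])
        return _Result(UNZIP_UNSUPPORTED if cmd[0] == "unzip" else 0)

    with tempfile.TemporaryDirectory() as d:
        path = build_mixed_zip(os.path.join(d, "mixed.zip"))
        methods = {n: METHOD_NAMES[m] for n, m in entry_methods(path).items()}
        fallback = needs_7zip(path)
        rc = extract(path, os.path.join(d, "out"), run=run or fake_run)
    return {"methods": methods, "needs_7zip": fallback, "rc": rc, "called": called}


if __name__ == "__main__":
    print(demo())
```

Reading the method field before extracting is cheaper than waiting for unzip to fail, and the same central-directory walk is where you would spot the "incorrect headers" the 4.43 alpha note refers to. The other overwrite switches from item 3 (-aoa overwrite all, -aou rename the extracted file, -aot rename the existing file) slot into the same 7z argv in place of -aos.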

  10. I wonder what would happen with something like

    n=3

    VirusFound : IloveYou.Tchernobyl ? :D

    From http://virusscan.jotti.org/

    Statistics: Last file scanned at least one scanner reported something about: LoveToBootv6.zip, detected by:

    Scanner Malware name

    AntiVir Trojan/Flood.VB.BN

    ArcaVir Trojan.Flooder.Yahoo.Vb.N

    Avast Win32:Trojan-gen. {VB}

    AVG Antivirus Flooder.RT

    BitDefender Backdoor.Genlot.AJL

    ClamAV X

    Dr.Web Tool.Yabot

    F-Prot Antivirus security risk or a "backdoor" program

    Fortinet HackerTool/Generic

    Kaspersky Anti-Virus IM-Flooder.Win32.VB.bn

    NOD32 Win32/Flooder.VB.BN

    Norman Virus Control W32/VBFlood.KX

    UNA X

    VirusBuster X

    VBA32 IM-Flooder.Win32.VB.bn

    Every antivirus misses some sample, but UNA seems to be the only one that misses everything. However, it is surprisingly good at detecting the EICAR test file. :lol:

    By the way see http://www.antisource.com/article.php/una-antivirus-ruse

    Edit: The Linux version of UNA doesn't work or the antivirus is useless:

    Statistics: Last file scanned at least one scanner reported something about: AutoTrain.exe, detected by:

    Scanner Malware name

    AntiVir Trojan/Spy.SCKeyLo.o.17

    ArcaVir Trojan.Sckeylog

    Avast Win32:SCkeylog-B

    AVG Antivirus PSW.Sclog.D

    BitDefender Win32.Repor.A

    ClamAV Trojan.Spy.SCKeylog-2

    Dr.Web Trojan.SCKeyLog.20

    F-Prot Antivirus W32/SCkeylogger.D@pws

    Fortinet W32/Sckeylog.O!tr

    Kaspersky Anti-Virus Trojan-Spy.Win32.SCKeyLog.o

    NOD32 Win32/Spy.SCKeyLog.O

    Norman Virus Control W32/SCKeylog.E

    UNA X

    VirusBuster Trojan.Gogel.A

    VBA32 Trojan-Spy.Win32.SCKeyLog.o

  11. Good idea.

    But, this : "UNA Trojan.Win32.Autoit" makes me think many AVs just classify all AutoIt scripts as dangerous. One should try with a script such as : "MsgBox, hello world!". :/

    [sarcasm]The most dangerous virus of the World!!![/sarcasm] :lol::lol::lol:

    MsgBox(0, "My First Script!", "Hello World!")

    Fortinet suspicious

    Panda Suspicious file

    TheHacker Trojan/Clicker.Small.ht

    UNA Backdoor.Rbot

    Other antivirus engines: no virus found

  12. http://www.virustotal.com reports:

    AntiVir no virus found

    Authentium W32/Trojan.CXS

    Avast no virus found

    AVG no virus found

    BitDefender no virus found

    CAT-QuickHeal no virus found

    ClamAV no virus found

    DrWeb no virus found

    eTrust-InoculateIT no virus found

    eTrust-Vet no virus found

    Ewido no virus found

    Fortinet suspicious

    F-Prot destructive program named W32/Trojan.CXS

    Ikarus no virus found

    Kaspersky no virus found

    McAfee no virus found

    Microsoft no virus found

    NOD32v2 no virus found

    Norman no virus found

    Panda no virus found

    Sophos no virus found

    Symantec no virus found

    TheHacker no virus found

    UNA Trojan.Win32.Autoit

    VBA32 no virus found

    VirusBuster no virus found

    Note: Authentium and F-PROT use the same engine

    Edit: Removed link to full results (because they are not longer available).

  13. Well, the problem is of course the "HEURISTIC" engine.

    Actually, this false positive (at least with AVG Free) was not caused by the heuristics. Even with the heuristics turned off the executable was misidentified as a trojan.

  14. Today AVG Free with the last updates shows UniExtract.exe as "Trojan Horse Generic.VFI"

    http://virusscan.jotti.org/ reports:

    File: UniExtract.exe

    Status: INFECTED/MALWARE

    MD5 59ce357c2d9d4300b130d13ed991e2ab

    Packers detected: UPX

    Scanner results

    AntiVir Found nothing

    ArcaVir Found nothing

    Avast Found nothing

    AVG Antivirus Found Generic.VFI

    BitDefender Found nothing

    ClamAV Found nothing

    Dr.Web Found nothing

    F-Prot Antivirus Found nothing

    Fortinet Found nothing

    Kaspersky Anti-Virus Found nothing

    NOD32 Found nothing

    Norman Virus Control Found nothing

    UNA Found nothing

    VirusBuster Found nothing

    VBA32 Found nothing

    Obviously it's a False Positive
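The multi-scanner listings posted in items 8, 12 and 14 all make the same argument: one or two detections with generic names ("Generic.VFI", "suspicious", "TR/Crypt.F.Gen") among fifteen or more clean results is a false positive until proven otherwise, while a broad set of specific family names is not. The script below is an added example, not code from the page or from any scanner vendor. It parses both the Jotti ("Scanner Found result") and VirusTotal ("Scanner result") line formats, merges engines the page notes share a signature base (Authentium and F-Prot), and produces a first-pass verdict. The sample inputs are copied from the listings above; the generic-name regex, the 25% threshold and the "needs review" bucket are my own choices, and the verdict is a triage hint, not a replacement for the vendor's answer (item 4 shows a specific-looking Kaspersky name that was also a false positive).

```python
"""Added example: parse multi-scanner results and flag probable false positives."""
import re

# Detection names that signal a heuristic/generic hit rather than a known family.
# Assumption: this marker list is a triage heuristic of my own, not a vendor convention.
GENERIC = re.compile(r"generic|suspicious|heur|dnascan|possiblethreat|\bgen\b|\.gen\b", re.I)

# Engines that share one signature base count once; the page notes this pair.
ENGINE_ALIASES = {"Authentium": "F-Prot"}

# Constructed sample: the Jotti listing for UniExtract.exe from item 14 above.
JOTTI_SAMPLE = """\
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Generic.VFI
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing
"""

# Constructed sample: the VirusTotal listing from item 12 above, rebuilt from its rows.
_VT_CLEAN = ("AntiVir Avast AVG BitDefender CAT-QuickHeal ClamAV DrWeb eTrust-InoculateIT "
             "eTrust-Vet Ewido Ikarus Kaspersky McAfee Microsoft NOD32v2 Norman Panda "
             "Sophos Symantec TheHacker VBA32 VirusBuster").split()
VIRUSTOTAL_SAMPLE = "\n".join(
    [f"{s} no virus found" for s in _VT_CLEAN]
    + ["Authentium W32/Trojan.CXS", "Fortinet suspicious",
       "F-Prot destructive program named W32/Trojan.CXS", "UNA Trojan.Win32.Autoit"]
)


def parse_jotti(text):
    """Jotti format: '<scanner> Found <name|nothing>'. Returns {scanner: name or None}."""
    results = {}
    for line in text.splitlines():
        if " Found " not in line:
            continue  # headers such as 'Scanner results' carry no verdict
        scanner, verdict = line.strip().split(" Found ", 1)
        results[scanner] = None if verdict.strip().lower() == "nothing" else verdict.strip()
    return results


def parse_virustotal(text):
    """VirusTotal (2006) format: '<scanner> <verdict>', clean = 'no virus found'."""
    results = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        scanner, verdict = line.strip().split(None, 1)
        results[scanner] = None if verdict.lower() == "no virus found" else verdict
    return results


def triage(results):
    """Merge aliased engines, count detections and give a first-pass verdict."""
    merged = {}
    for scanner, name in results.items():
        key = ENGINE_ALIASES.get(scanner, scanner)
        merged[key] = merged.get(key) or name  # a hit on either alias counts
    hits = {s: n for s, n in merged.items() if n}
    engines = len(merged)
    ratio = len(hits) / engines if engines else 0.0
    generic_only = bool(hits) and all(GENERIC.search(n) for n in hits.values())
    if not hits:
        verdict = "clean"
    elif ratio >= 0.25:
        verdict = "likely malicious"
    elif generic_only and len(hits) <= 2:
        verdict = "likely false positive"
    else:
        verdict = "needs review"
    return {"engines": engines, "detections": len(hits), "ratio": round(ratio, 3),
            "generic_only": generic_only, "verdict": verdict, "hits": hits}


if __name__ == "__main__":
    print(triage(parse_jotti(JOTTI_SAMPLE)))
    print(triage(parse_virustotal(VIRUSTOTAL_SAMPLE)))
```

The Jotti sample comes out as one generic hit in fifteen engines and is flagged as a likely false positive; the VirusTotal sample has three independent detections (after folding Authentium into F-Prot), two of them specific family names, so it lands in "needs review" rather than either extreme. A packer tag such as "Packers detected: UPX" is worth carrying alongside the verdict, since every listing on this page with a generic hit is a UPX-packed AutoIt build.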

  15. I saw you are using 7z.exe which is using lots of .dll files. You could instead use a single-file command line program 7za.exe (same author) which is about 40% smaller and can be found at Sourceforge.

    Added:

    Maybe 7za.exe is only for 7z files and not for others like iso, z, ...? If so my proposal is no good.

    7za is only for 7z, zip, tar, gz, bz2 and z.

  16. Changelog of 7-zip 4.40 beta:

    - 7-Zip now can unpack some installers created by NSIS

    - New localization: Kurdish

    - Some bugs were fixed

    According to my tests with the 7-zip scripts, "some" means:

    BCJ+LZMA (SetCompressor lzma SetCompressorFilter 1 with the LZMA - BCJ Filter Patch),

    LZMA and

    Zlib

    but 7-zip cannot extract NSIS installers created with Bzip2 compression.

    Guillermo Gabrielli
