
GDIhook.dll being reported as viral


98Guy


It was mentioned today in microsoft.public.win98.gen_discussion that Paolo Monti's "GDI32 / WMF Patch" (gdihook.dll) is being flagged as the BackDoor.Hupigon4.ADUA trojan by 18 out of 36 AV packages at VirusTotal.

Speculation is that it's likely a false positive, but also that it's a target for malware.

From the usenet post:

---------------

The package is delivered as a single install.exe file. When this file is scanned by VirusTotal, Sophos identifies "Sus/Madcode-A" malware. All other antivirus products detect nothing.

I notice the following text strings in gdihook.dll:

====================================================================
forbiddenAPIsMutex madCodeHook warning...
You've tried to hook one of the following APIs:
These APIs are usually hooked in order to hide a process. Of course
madCodeHook can do that just fine. But I don't want virus/trojan
writers to misuse madCodeHook for illegal purposes. So I've decided to
not allow these APIs to be hooked. If you absolutely have to hook
these APIs, and if you have a commercial madCodeHook license, you may
contact me.
====================================================================

BTW, the subject patch is available here:

http://web.archive.org/web/20070203164123/.../wmfpatch11.zip

My research leads me to believe that MadCodeHook is a legitimate product that has occasionally been misused by malware writers. It is for this reason that I suspect the WMF patch is being falsely identified as infected.

---------------

Update:

AVG have replied as follows:

==========================================
Unfortunately, the current virus database version may detect the
mentioned file as infected. We can confirm that it is a false alarm.
We would like to inform you that the false positive will be removed
in the next Definitions update.
==========================================

Edited by 98Guy