98Guy
Posted October 24, 2008 (edited)

It was mentioned today in microsoft.public.win98.gen_discussion that Paolo Monti's "GDI32 / WMF Patch" (gdihook.dll) is being flagged with the BackDoor.Hupigon4.ADUA trojan by 18 out of 36 AV packages at VirusTotal.

Speculation is that it's likely a false positive, but also that it's a target for malware.

From the usenet post:

---------------
The package is delivered as a single install.exe file. When this file is scanned by VirusTotal, Sophos identifies "Sus/Madcode-A" malware. All other antivirus products detect nothing.

I notice the following text strings in gdihook.dll:

====================================================================
forbiddenAPIsMutex madCodeHook warning...

You've tried to hook one of the following APIs:

These APIs are usually hooked in order to hide a process. Of course madCodeHook can do that just fine. But I don't want virus/trojan writers to misuse madCodeHook for illegal purposes. So I've decided to not allow these APIs to be hooked. If you absolutely have to hook these APIs, and if you have a commercial madCodeHook license, you may contact me.
====================================================================

BTW, the subject patch is available here:
http://web.archive.org/web/20070203164123/.../wmfpatch11.zip

My research leads me to believe that MadCodeHook is a legitimate product that has occasionally been misused by malware writers. It is for this reason that I suspect the WMF patch is being falsely identified as infected.
---------------

Update:

AVG have replied as follows:

==========================================
Unfortunately, the current virus database version may detect the mentioned file as infected. We can confirm that it is a false alarm. We would like to inform you that the false positive will be removed in the next Definitions update.
==========================================

Edited October 25, 2008 by 98Guy
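The usenet poster's evidence for a false positive was that gdihook.dll carries madCodeHook's own warning text. The script below, an added example that is not part of the forum post or of any madCodeHook tooling, turns that manual observation into a repeatable triage check: it searches a file for the marker strings quoted in the post, in both plain ASCII and UTF-16LE (the two encodings Windows binaries commonly use for embedded text), and reports where they occur. The marker list is taken from the post; the sample "binaries" are constructed for the demo and the two-marker threshold is an assumption chosen for illustration.

```python
"""Triage helper: look for madCodeHook's marker strings in a binary.

Added example. The marker strings are the ones the usenet poster reported
seeing in gdihook.dll; the sample file contents below are constructed.
"""

# Marker text quoted in the post. Assumption: it is stored either as plain
# ASCII or as UTF-16LE, so both encodings are searched.
MADCODEHOOK_MARKERS = (
    "forbiddenAPIsMutex",
    "madCodeHook warning",
    "You've tried to hook one of the following APIs",
)

ENCODINGS = ("ascii", "utf-16-le")


def find_markers(data: bytes) -> list[tuple[str, str, int]]:
    """Return (marker, encoding, byte offset) for every occurrence found."""
    hits = []
    for marker in MADCODEHOOK_MARKERS:
        for enc in ENCODINGS:
            needle = marker.encode(enc)
            start = 0
            while True:
                idx = data.find(needle, start)
                if idx < 0:
                    break
                hits.append((marker, enc, idx))
                start = idx + 1  # keep scanning for further copies
    return sorted(hits, key=lambda h: h[2])


def looks_like_madcodehook(data: bytes) -> bool:
    """Heuristic (assumed threshold): at least two distinct markers present."""
    distinct = {marker for marker, _, _ in find_markers(data)}
    return len(distinct) >= 2


def scan_file(path: str) -> dict:
    """Read a file from disk and summarise the marker search."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"hits": find_markers(data), "madcodehook": looks_like_madcodehook(data)}


# Constructed sample blobs for the demo (not real DLL contents).
SAMPLE_WITH_ASCII = (
    b"\x00" * 16
    + b"forbiddenAPIsMutex\x00madCodeHook warning...\x00"
    + b"\x90" * 8
)
SAMPLE_WITH_UTF16 = (
    b"MZ"
    + "madCodeHook warning".encode("utf-16-le")
    + "You've tried to hook one of the following APIs".encode("utf-16-le")
)
SAMPLE_CLEAN = b"MZ" + b"\x00" * 64


if __name__ == "__main__":
    for name, blob in (
        ("ascii sample", SAMPLE_WITH_ASCII),
        ("utf-16 sample", SAMPLE_WITH_UTF16),
        ("clean sample", SAMPLE_CLEAN),
    ):
        print(name, looks_like_madcodehook(blob), find_markers(blob))
```

The presence of these strings only tells you that the file embeds the madCodeHook library, which is exactly the poster's point: the library is legitimate but has been bundled by malware, so vendor signatures keyed on it produce both true and false positives. Treat a hit as a reason to ask the vendor to review the detection, as 98Guy did with AVG, rather than as a verdict on its own.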