GDIhook.dll being reported as viral

[98Guy]

It was mentioned today in microsoft.public.win98.gen_discussion that Paolo Monti's "GDI32 / WMF Patch" (gdihook.dll) is being flagged with BackDoor.Hupigon4.ADUA trojan by 18 out of 36 AV packages at virus total.

Speculation is that it's likely a false positive, but also that it's a target for malware.

From the usenet post:

---------------

The package is delivered as a single install.exe file. When this file is scanned by Virustotal, Sophos identifies "Sus/Madcode-A" malware. All other antivirus products detect nothing.

I notice the following text strings in gdihook.dll:

====================================================================

forbiddenAPIsMutex madCodeHook warning...

You've tried to hook one of the following APIs:

These APIs are usually hooked in order to hide a process. Of course

madCodeHook can do that just fine. But I don't want virus/trojan

writers to misuse madCodeHook for illegal purposes. So I've decided to

not allow these APIs to be hooked. If you absolutely have to hook

these APIs, and if you have a commercial madCodeHook license, you may

contact me.

====================================================================

BTW, the subject patch is available here:

http://web.archive.org/web/20070203164123/.../wmfpatch11.zip

My research leads me to believe that MadCodeHook is a legitimate product that has occasionally been misused by malware writers. It is for this reason that I suspect the WMF patch is being falsely identified as infected.

---------------

Update:

AVG have replied as follows:

==========================================

Unfortunately, the current virus database version may detect the

mentioned file as infected. We can confirm that it is a false alarm.

We would like to inform you that the false positive will be removed

in the next Definitions update.

==========================================

Edited October 25, 2008 by 98Guy