Trojan horse detected by AVG v9.0 (paid version)

VBS to EXE and JScript to EXE Compiler
neilallison147
Posts: 7
Joined: Thu Sep 02, 2010 4:24 am

Post by neilallison147 »

I have just purchased ScriptCryptor and have generated an exe. When I try to run it or e-mail it, AVG detects a Trojan horse. (Trojan horse generic 18 FTT).

I've tried uploading it to www.virustotal.com and don't see any information on the screen that helps.
I've also tried to e-mail it to them but I get a message saying the mailserver has detected a virus too.

Where to now?
neilallison147
Posts: 7
Joined: Thu Sep 02, 2010 4:24 am

Post by neilallison147 »

I managed to get it e-mailed to Virus Total by shutting AVG off. Here are the results.

Complete scanning result of "M3Get.exe", processed in VirusTotal at 09/03/2010 04:38:11 (CET).

[ file data ]
* name..: M3Get.exe
* size..: 194048
* md5...: 3298b111296fa97e1aaf41b91cbd4482
* sha1..: 35eecce07b23a083808e52d6b42a41a346207b09
* peid..: -

[ scan result ]
AhnLab-V3 2010.09.03.00/20100903 found nothing
AntiVir 8.2.4.46/20100902 found [SPR/QuickBatch.Gen]
Antiy-AVL 2.0.3.7/20100902 found [Trojan/Win32.Delf.gen]
Authentium 5.2.0.5/20100903 found nothing
Avast 4.8.1351.0/20100902 found nothing
Avast5 5.0.594.0/20100902 found nothing
AVG 9.0.0.851/20100902 found [Generic18.FTT]
BitDefender 7.2/20100903 found nothing
CAT-QuickHeal 11.00/20100902 found nothing
ClamAV 0.96.2.0-git/20100902 found [PUA.Crypt.ScriptCryptor]
Comodo 5950/20100903 found [Heur.Packed.Unknown]
DrWeb 5.0.2.03300/20100903 found nothing
Emsisoft 5.0.0.37/20100903 found [Trojan.JS.StartPage!IK]
eSafe 7.0.17.0/20100901 found nothing
eTrust-Vet 36.1.7833/20100902 found nothing
F-Prot 4.6.1.107/20100901 found nothing
F-Secure 9.0.15370.0/20100903 found nothing
Fortinet 4.1.143.0/20100902 found nothing
GData 21/20100903 found nothing
Ikarus T3.1.1.88.0/20100903 found [Trojan.JS.StartPage]
Jiangmin 13.0.900/20100903 found [Trojan/Delf.pbn]
K7AntiVirus 9.63.2424/20100902 found nothing
Kaspersky 7.0.0.125/20100903 found nothing
McAfee 5.400.0.1158/20100903 found nothing
McAfee-GW-Edition 2010.1B/20100903 found nothing
Microsoft 1.6103/20100902 found nothing
NOD32 5419/20100902 found nothing
Norman 6.05.11/20100902 found nothing
nProtect 2010-09-02.01/20100902 found nothing
Panda 10.0.2.7/20100902 found [W32/MSNworm.IX.worm]
PCTools 7.0.3.5/20100903 found nothing
Prevx 3.0/20100903 found nothing
Rising 22.63.03.03/20100902 found nothing
Sophos 4.57.0/20100903 found nothing
Sunbelt 6826/20100902 found nothing
SUPERAntiSpyware 4.40.0.1006/20100903 found nothing
Symantec 20101.1.1.7/20100903 found nothing
TheHacker 6.5.2.1.362/20100903 found nothing
TrendMicro 9.120.0.1004/20100902 found nothing
TrendMicro-HouseCall 9.120.0.1004/20100903 found nothing
VBA32 3.12.14.0/20100902 found [Trojan.Win32.Delf.spj]
ViRobot 2010.8.31.4017/20100902 found nothing
VirusBuster 12.64.15.0/20100902 found nothing

[ notes ]
Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_respon ... 23-0550-99
support
Site Admin
Posts: 476
Joined: Fri Feb 13, 2004 1:05 pm

Post by support »

Looks cool, especially:

AntiVir 8.2.4.46/20100902 found [SPR/QuickBatch.Gen]

- points to the Quick Batch File Compiler

ClamAV 0.96.2.0-git/20100902 found [PUA.Crypt.ScriptCryptor]

- yes, it is compiled with ScriptCryptor

VBA32 3.12.14.0/20100902 found [Trojan.Win32.Delf.spj]

- yes, we use Delphi for Win32

Please understand that these are false positives. AVs detect our compiler and mark it as a suspicious file because it can be used for virus creation.
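
Added example, not part of the thread or of any poster's code: a small Python parser for the text report format quoted above that tallies how many engines flagged the file and what kind of label each one gave (one naming a tool or packer, a generic/heuristic one, or a named family). The marker lists and bucket names are assumptions made for this illustration, and the sample is a constructed subset of the report's lines.

```python
import re
from collections import Counter

# Constructed sample: a subset of lines in the text format of the report above.
SAMPLE = """\
AhnLab-V3 2010.09.03.00/20100903 found nothing
AntiVir 8.2.4.46/20100902 found [SPR/QuickBatch.Gen]
Antiy-AVL 2.0.3.7/20100902 found [Trojan/Win32.Delf.gen]
AVG 9.0.0.851/20100902 found [Generic18.FTT]
BitDefender 7.2/20100903 found nothing
ClamAV 0.96.2.0-git/20100902 found [PUA.Crypt.ScriptCryptor]
Comodo 5950/20100903 found [Heur.Packed.Unknown]
Panda 10.0.2.7/20100902 found [W32/MSNworm.IX.worm]
VBA32 3.12.14.0/20100902 found [Trojan.Win32.Delf.spj]
"""

# engine, version/signature-date, then either "[label]" or "nothing"
LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+\S+/\d{8}\s+found\s+(?:\[(?P<label>[^\]]+)\]|nothing)$")

# Assumed marker lists for this illustration, not an AV-industry standard.
TOOL_MARKERS = ("pua", "spr/", "packed", "crypt", "quickbatch")
GENERIC_RE = re.compile(r"(^|[^a-z])(gen|generic\d*|heur)([^a-z]|$)")

def parse_report(text):
    """Return [(engine, label or None)] for every well-formed result line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["engine"], m["label"]))
    return rows

def classify(label):
    """Bucket a detection label by what it appears to name."""
    low = label.lower()
    if any(marker in low for marker in TOOL_MARKERS):
        return "tool/packer"
    if GENERIC_RE.search(low):
        return "generic/heuristic"
    return "named family"

def triage(text):
    """Summarise a report: engines seen, engines flagging, count per bucket."""
    rows = parse_report(text)
    hits = [(engine, label) for engine, label in rows if label]
    buckets = Counter(classify(label) for _, label in hits)
    return {"engines": len(rows), "hits": len(hits), "buckets": dict(buckets)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The tally organises the labels for a false-positive submission; it does not by itself show that a file is clean.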
neilallison147
Posts: 7
Joined: Thu Sep 02, 2010 4:24 am

Post by neilallison147 »

Ok. But what can be done about it? I can't be creating .exe files and installing them on clients' machines where there is a potential for their virus software to pick them up as infected.

It has to be something to do with ScriptCryptor because there appear to be so many posts on this forum where virus software is detecting viruses in the .exe files (albeit incorrectly).

If there is nothing Abyss can do to fix this, then as good as the software appears to be, it will be of no use to me.
support
Site Admin
Posts: 476
Joined: Fri Feb 13, 2004 1:05 pm

Post by support »

You need to submit the false positive report to the AV company and they remove the signature from the database.

Please understand, we don't know your AV version or database version and don't have your EXE file, so we cannot submit a report to the AV company.
neilallison147
Posts: 7
Joined: Thu Sep 02, 2010 4:24 am

Post by neilallison147 »

That's all well and good for the AV package that I am using but what about all the other AV packages on the list from Virus Total? What if my clients where I install the .exe files are using a different AV package (which they almost certainly are !!).
Do I have to submit a report to ALL the AV software vendors? That's not really practical is it?
support
Site Admin
Posts: 476
Joined: Fri Feb 13, 2004 1:05 pm

Post by support »

In fact, most vendors just copied detections from others, so one report may remove a few detections.
neilallison147
Posts: 7
Joined: Thu Sep 02, 2010 4:24 am

Post by neilallison147 »

So can I assume that Abyss Media will not do anything about this issue?
support
Site Admin
Posts: 476
Joined: Fri Feb 13, 2004 1:05 pm

Post by support »

We can only release a new version that will not match the current signature.
neilallison147
Posts: 7
Joined: Thu Sep 02, 2010 4:24 am

Post by neilallison147 »

When is this new version likely to be released?

I'm sure you understand that I cannot be installing exe files at clients' sites that are going to be reported as infected.

If the new release can't resolve this, then I'm afraid I will be requesting a refund. Which would be a shame because the product is fast, really easy to use and very well priced.

Here's hoping we can get a satisfactory resolution.
support
Site Admin
Posts: 476
Joined: Fri Feb 13, 2004 1:05 pm

Post by support »

As far as I know, AV doesn't like the encryption routines in our compilers, so we will update the algorithm for all compilers this month.
support
Site Admin
Posts: 476
Joined: Fri Feb 13, 2004 1:05 pm

Post by support »

I have submitted a sample to VirusTotal and got only one false detection
from VBA32 (who is it?):

http://www.virustotal.com/file-scan/rep ... 1284561354

ClamAV detects it as PUA.Crypt.ScriptCryptor (not a virus!)
Panda reports a suspicious file