Trojan horse detected by AVG v9.0 (paid version)

Posted: Fri Sep 03, 2010 2:39 am
by neilallison147
I have just purchased ScriptCryptor and have generated an exe. When I try to run it or e-mail it, AVG detects a Trojan horse. (Trojan horse generic 18 FTT).

I've tried uploading it to www.virustotal.com and don't see any information on the screen that helps.
I've also tried to e-mail it to them but I get a message saying the mailserver has detected a virus too.

Where to now?

Posted: Fri Sep 03, 2010 2:56 am
by neilallison147
I managed to get it e-mailed to Virus Total by shutting AVG off. Here are the results.

Complete scanning result of "M3Get.exe", processed in VirusTotal at 09/03/2010 04:38:11 (CET).

[ file data ]
* name..: M3Get.exe
* size..: 194048
* md5...: 3298b111296fa97e1aaf41b91cbd4482
* sha1..: 35eecce07b23a083808e52d6b42a41a346207b09
* peid..: -

[ scan result ]
AhnLab-V3 2010.09.03.00/20100903 found nothing
AntiVir 8.2.4.46/20100902 found [SPR/QuickBatch.Gen]
Antiy-AVL 2.0.3.7/20100902 found [Trojan/Win32.Delf.gen]
Authentium 5.2.0.5/20100903 found nothing
Avast 4.8.1351.0/20100902 found nothing
Avast5 5.0.594.0/20100902 found nothing
AVG 9.0.0.851/20100902 found [Generic18.FTT]
BitDefender 7.2/20100903 found nothing
CAT-QuickHeal 11.00/20100902 found nothing
ClamAV 0.96.2.0-git/20100902 found [PUA.Crypt.ScriptCryptor]
Comodo 5950/20100903 found [Heur.Packed.Unknown]
DrWeb 5.0.2.03300/20100903 found nothing
Emsisoft 5.0.0.37/20100903 found [Trojan.JS.StartPage!IK]
eSafe 7.0.17.0/20100901 found nothing
eTrust-Vet 36.1.7833/20100902 found nothing
F-Prot 4.6.1.107/20100901 found nothing
F-Secure 9.0.15370.0/20100903 found nothing
Fortinet 4.1.143.0/20100902 found nothing
GData 21/20100903 found nothing
Ikarus T3.1.1.88.0/20100903 found [Trojan.JS.StartPage]
Jiangmin 13.0.900/20100903 found [Trojan/Delf.pbn]
K7AntiVirus 9.63.2424/20100902 found nothing
Kaspersky 7.0.0.125/20100903 found nothing
McAfee 5.400.0.1158/20100903 found nothing
McAfee-GW-Edition 2010.1B/20100903 found nothing
Microsoft 1.6103/20100902 found nothing
NOD32 5419/20100902 found nothing
Norman 6.05.11/20100902 found nothing
nProtect 2010-09-02.01/20100902 found nothing
Panda 10.0.2.7/20100902 found [W32/MSNworm.IX.worm]
PCTools 7.0.3.5/20100903 found nothing
Prevx 3.0/20100903 found nothing
Rising 22.63.03.03/20100902 found nothing
Sophos 4.57.0/20100903 found nothing
Sunbelt 6826/20100902 found nothing
SUPERAntiSpyware 4.40.0.1006/20100903 found nothing
Symantec 20101.1.1.7/20100903 found nothing
TheHacker 6.5.2.1.362/20100903 found nothing
TrendMicro 9.120.0.1004/20100902 found nothing
TrendMicro-HouseCall 9.120.0.1004/20100903 found nothing
VBA32 3.12.14.0/20100902 found [Trojan.Win32.Delf.spj]
ViRobot 2010.8.31.4017/20100902 found nothing
VirusBuster 12.64.15.0/20100902 found nothing

[ notes ]
Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_respon ... 23-0550-99
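
A triage helper, added here and not part of the thread, that parses the plain-text VirusTotal report format quoted above and separates generic, heuristic, packer and PUA verdicts from named family detections, grouping the named ones so that detections shared between engines stand out. The embedded report is a constructed subset of the engines listed above.

```python
import re
from collections import defaultdict

# Constructed excerpt in the plain-text VirusTotal format quoted above (a subset of the engines).
SAMPLE_REPORT = """\
[ scan result ]
AhnLab-V3 2010.09.03.00/20100903 found nothing
AntiVir 8.2.4.46/20100902 found [SPR/QuickBatch.Gen]
AVG 9.0.0.851/20100902 found [Generic18.FTT]
ClamAV 0.96.2.0-git/20100902 found [PUA.Crypt.ScriptCryptor]
Comodo 5950/20100903 found [Heur.Packed.Unknown]
Emsisoft 5.0.0.37/20100903 found [Trojan.JS.StartPage!IK]
Ikarus T3.1.1.88.0/20100903 found [Trojan.JS.StartPage]
Panda 10.0.2.7/20100902 found [W32/MSNworm.IX.worm]
VBA32 3.12.14.0/20100902 found [Trojan.Win32.Delf.spj]
"""

# One result line: engine, version/database-date, then "nothing" or a bracketed label.
LINE_RE = re.compile(r"^(\S+) (\S+)/(\d{8}) found (?:nothing|\[(.+)\])$")
# Generic/heuristic/packer/PUA verdicts name a compiler, packer or behaviour class, not a family.
WEAK_RE = re.compile(r"generic|heur|packed|pua|suspicious|\bgen\b", re.IGNORECASE)


def parse_report(text):
    """Return (engine_list, {engine: label}) from the '[ scan result ]' lines."""
    engines, detections = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, notes
        engine, _version, _dbdate, label = m.groups()
        engines.append(engine)
        if label:
            detections[engine] = label
    return engines, detections


def family_key(label):
    """Normalise a label so shared detections group together (drops '!IK'-style suffixes)."""
    return re.sub(r"!.*$", "", label).lower()


def triage(text):
    """Split detections into weak (generic/packer/PUA) and named verdicts, grouped by family."""
    engines, detections = parse_report(text)
    weak = {e: l for e, l in detections.items() if WEAK_RE.search(l)}
    named = {e: l for e, l in detections.items() if e not in weak}
    families = defaultdict(list)
    for engine, label in named.items():
        families[family_key(label)].append(engine)
    return {"engines": len(engines), "detections": len(detections),
            "weak": weak, "named": named, "families": dict(families)}
```

Named verdicts that only one engine reports, or that several engines share under the same family name, are the ones worth checking against the actual file behaviour before filing a false-positive report.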

Posted: Fri Sep 03, 2010 8:45 pm
by support
Looks cool, especially:

AntiVir 8.2.4.46/20100902 found [SPR/QuickBatch.Gen]

- points to the Quick Batch File Compiler

ClamAV 0.96.2.0-git/20100902 found [PUA.Crypt.ScriptCryptor]

- yes, it compiled with ScriptCryptor

VBA32 3.12.14.0/20100902 found [Trojan.Win32.Delf.spj]

- yes, we use Delphi for Win32

Please understand that these are false positives. AV detects our compiler and marks it as a suspicious file because it can be used for virus creation.

Posted: Sat Sep 04, 2010 1:40 am
by neilallison147
Ok. But what can be done about it? I can't be creating .exe files and installing them on clients' machines where there is a potential for their virus software to pick them up as infected.

It has to be something to do with ScriptCryptor because there appear to be so many posts on this forum where virus software is detecting viruses in the .exe files (albeit incorrectly).

If there is nothing Abyss can do to fix this, then as good as the software appears to be, it will be of no use to me.

Posted: Sun Sep 05, 2010 1:25 am
by support
You need to submit a false positive report to the AV company and they will remove the signature from their database.

Please understand, we don't know your AV version or database version and don't have your EXE file, so we cannot submit a report to the AV vendor.

Posted: Sun Sep 05, 2010 2:17 am
by neilallison147
That's all well and good for the AV package that I am using, but what about all the other AV packages on the list from Virus Total? What if my clients where I install the .exe files are using a different AV package (which they almost certainly are!!)?
Do I have to submit a report to ALL the AV software vendors? That's not really practical, is it?

Posted: Sun Sep 05, 2010 12:16 pm
by support
In fact, most vendors just copied detections from others, so one report may remove a few detections.

Posted: Sun Sep 05, 2010 12:32 pm
by neilallison147
So can I assume that Abyss Media will not do anything about this issue?

Posted: Thu Sep 09, 2010 6:51 pm
by support
We can only release a new version that will not match the current signature.

Posted: Thu Sep 09, 2010 9:49 pm
by neilallison147
When is this new version likely to be released?

I'm sure you understand that I cannot be installing exe files at clients' sites that are going to be reported as infected.

If the new release can't resolve this, then I'm afraid I will be requesting a refund. Which would be a shame because the product is fast, really easy to use and very well priced.

Here's hoping we can get a satisfactory resolution.

Posted: Wed Sep 15, 2010 2:32 pm
by support
As far as I know, AV doesn't like the encryption routines in our compilers, so we will update the algorithm for all compilers this month.

Posted: Wed Sep 15, 2010 5:19 pm
by support
I have submitted a sample to VirusTotal and got only one false detection
from VBA32 (who is it?):

http://www.virustotal.com/file-scan/rep ... 1284561354

ClamAV detects it as PUA.Crypt.ScriptCryptor (not a virus!)
Panda reports a suspicious file