Page 1 of 4

Virus in build 878

PostPosted: Sun Jun 11, 2017 3:27 pm
by Robert
I have just down-loaded and unzipped build 878.

My virus checker (AVG) says that BlackBox.exe contains "Win32:SMorph[Cryp]", whatever that means.

Does anyone else have a similar problem; what is the solution?

Re: Virus in build 878

PostPosted: Mon Jun 12, 2017 2:50 am
by cfbsoftware
I checked build 878 on Virus Total and it has already been analysed there. It only fails on 2 out of 61 antivirus programs - AVG and AVAST (I suspect they use the same engine).

The solution might be to get yourself a different virus checker. After several years of little or no problems with it I abandoned AVG a few weeks ago as it was giving me so many false alarms. Worse still it was quarantining the items without even giving me a chance to prevent it from doing so or to recover them. I'm currently trialling Microsoft's Windows Defender and have had no problems so far.

Re: Virus in build 878

PostPosted: Mon Jun 12, 2017 7:48 am
by Robert
AVG goes through cycles. It was rather tedious / onerous to use. Then they changed its interface, and it was much more low key (nicer!). In recent months it has started to be a nuisance with many pop-up adverts for extra products.

I did (after some search) find a way ro restore BlackBox.exe, but when I tried to use it AVG immediately deleted it again!

Finally I was upable to upload it to Virus Total; it now fails 14 / 61 tests with different warnings, mainly: "Gen:Variant.Razy.182001" & "Win32:SMorph [Cryp]".

Maybe build 879 will be ok?

Re: Virus in build 878

PostPosted: Mon Jun 12, 2017 7:50 am
by Josef Templ
I don't know exactly how those virus checkers work but it seems that
they are doing a simple pattern search in the exe file.
With the large file Applogo.ico embedded in BlackBox.exe there are
good chances to find such a pattern. If you replace this file by something else,
for example Doclogo.ico, there are less chances to find a malicious pattern and the
number of Virus Total reports decreases.

- Josef

Re: Virus in build 878

PostPosted: Mon Jun 12, 2017 7:56 am
by Robert
Josef Templ wrote:With the large file Applogo.ico embedded in BlackBox.exe there are
good chances to find such a pattern. If you replace this file by something else,...

Don't understand.
1 - Build 850 is ok, surely it has the same icons embedded?
2 - How do I replace a part of BlackBox.exe?

Re: Virus in build 878

PostPosted: Mon Jun 12, 2017 8:14 am
by Robert
Robert wrote:Maybe build 879 will be ok?

No its not: same problem.

Re: Virus in build 878

PostPosted: Mon Jun 12, 2017 8:28 am
by Josef Templ
Robert wrote:Don't understand.
1 - Build 850 is ok, surely it has the same icons embedded?
2 - How do I replace a part of BlackBox.exe?


Build 850 lists 11 virus checker messages on Virus Total. (AVG not included)
Build 874 lists 14 virus checker messages on Virus Total. (AVG included)
Build 878 lists 17 virus checker messages on Virus Total. (AVG included)

There were some extensions in Kernel and HostFiles since build 850.
This may lead to additional pattern matches (if it is that simple?, I really don't know).
Fact is if you replace Applogo.ico by Doclogo.ico the Virus Total messages decrease sharply
but not down to zero, at least in my experiments.

You replace a part of a BlackBox.exe file by linking a new one with different parts.

- Josef

Re: Virus in build 878

PostPosted: Mon Jun 12, 2017 2:06 pm
by Robert
cfbsoftware wrote:I'm currently trialling Microsoft's Windows Defender and have had no problems so far.

I did some minimal asking around on the internet, and this seemed like a reasonable idea for Windows 10, but less so for Windows 7.
So I decided to upgrade from 7 to 10, which was reasonably painless so far.

I then extracted build 879, which I was allowed to do, and tried to run it. I immediately got a message from Windows defender that it had protected me from running an unrecognised program, and I had no option to override this decision.
Then, 30 seconds later, AVG told me it had quaranteened the file, and BlackBox.exe disappeared.

I will turn off AVG, and try again.

Re: Virus in build 878

PostPosted: Mon Jun 12, 2017 2:22 pm
by Robert
I've found the Windows defender "Run anyway" option.
That's taken almost a whole day - but I guess I had to upgrade to 10 sometime!

Re: Virus in build 878

PostPosted: Mon Jun 12, 2017 3:06 pm
by Josef Templ
FALSE positives are a wide spread pain today.
I even got an error report recently sending an e-mail via gmail because
the gmail mail server is listed somewhere as a spammer.

On my Windows machines I only use Windows virus tools for many years
because of many kinds of problems, including FALSE positives.

- Josef