Virus in build 878

Postby Robert » Sun Jun 11, 2017 3:27 pm

I have just down-loaded and unzipped build 878.

My virus checker (AVG) says that BlackBox.exe contains "Win32:SMorph[Cryp]", whatever that means.

Does anyone else have a similar problem; what is the solution?
Robert
 
Posts: 1001
Joined: Sat Sep 28, 2013 11:04 am
Location: Edinburgh, Scotland

Re: Virus in build 878

Postby cfbsoftware » Mon Jun 12, 2017 2:50 am

I checked build 878 on Virus Total and it has already been analysed there. It only fails on 2 out of 61 antivirus programs - AVG and AVAST (I suspect they use the same engine).

The solution might be to get yourself a different virus checker. After several years of little or no problems with it I abandoned AVG a few weeks ago as it was giving me so many false alarms. Worse still it was quarantining the items without even giving me a chance to prevent it from doing so or to recover them. I'm currently trialling Microsoft's Windows Defender and have had no problems so far.
cfbsoftware
 
Posts: 204
Joined: Wed Sep 18, 2013 10:06 pm

Re: Virus in build 878

Postby Robert » Mon Jun 12, 2017 7:48 am

AVG goes through cycles. It was rather tedious / onerous to use. Then they changed its interface, and it was much more low key (nicer!). In recent months it has started to be a nuisance with many pop-up adverts for extra products.

I did (after some search) find a way to restore BlackBox.exe, but when I tried to use it AVG immediately deleted it again!

Finally I was able to upload it to Virus Total; it now fails 14 / 61 tests with different warnings, mainly: "Gen:Variant.Razy.182001" & "Win32:SMorph [Cryp]".

Maybe build 879 will be ok?
Robert
 
Posts: 1001
Joined: Sat Sep 28, 2013 11:04 am
Location: Edinburgh, Scotland

Re: Virus in build 878

Postby Josef Templ » Mon Jun 12, 2017 7:50 am

I don't know exactly how those virus checkers work but it seems that
they are doing a simple pattern search in the exe file.
With the large file Applogo.ico embedded in BlackBox.exe there are
good chances to find such a pattern. If you replace this file by something else,
for example Doclogo.ico, there are less chances to find a malicious pattern and the
number of Virus Total reports decreases.

- Josef
Josef Templ
 
Posts: 2012
Joined: Tue Sep 17, 2013 6:50 am

Re: Virus in build 878

Postby Robert » Mon Jun 12, 2017 7:56 am

Josef Templ wrote:With the large file Applogo.ico embedded in BlackBox.exe there are
good chances to find such a pattern. If you replace this file by something else,...

Don't understand.
1 - Build 850 is ok, surely it has the same icons embedded?
2 - How do I replace a part of BlackBox.exe?
Robert
 
Posts: 1001
Joined: Sat Sep 28, 2013 11:04 am
Location: Edinburgh, Scotland

Re: Virus in build 878

Postby Robert » Mon Jun 12, 2017 8:14 am

Robert wrote:Maybe build 879 will be ok?

No, it's not: same problem.
Robert
 
Posts: 1001
Joined: Sat Sep 28, 2013 11:04 am
Location: Edinburgh, Scotland

Re: Virus in build 878

Postby Josef Templ » Mon Jun 12, 2017 8:28 am

Robert wrote:Don't understand.
1 - Build 850 is ok, surely it has the same icons embedded?
2 - How do I replace a part of BlackBox.exe?


Build 850 lists 11 virus checker messages on Virus Total. (AVG not included)
Build 874 lists 14 virus checker messages on Virus Total. (AVG included)
Build 878 lists 17 virus checker messages on Virus Total. (AVG included)

There have been some extensions in Kernel and HostFiles since build 850.
This may lead to additional pattern matches (if it is that simple; I really don't know).
Fact is if you replace Applogo.ico by Doclogo.ico the Virus Total messages decrease sharply
but not down to zero, at least in my experiments.

You replace a part of a BlackBox.exe file by linking a new one with different parts.

- Josef
Josef Templ
 
Posts: 2012
Joined: Tue Sep 17, 2013 6:50 am
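
The hypothesis in Josef's two posts above (that the scanners are matching byte patterns inside the embedded Applogo.ico) can be checked without relinking BlackBox.exe. The script below is an added example; it is not code from the BlackBox project or from anyone in this thread. It parses a .ico file, finds where each image blob sits inside an .exe by exact byte search, and writes a copy of the .exe with those bytes zeroed, so the original and the copy can be looked up side by side on VirusTotal. It relies on one fact about the PE format that the thread does not state: the linker stores each image from the .ico verbatim as an RT_ICON resource (only the RT_GROUP_ICON directory is re-encoded), so no resource-tree parsing is needed. The file names in the usage line are placeholders, and the sample icon and the stand-in "executable" built at the bottom of the script are constructed for the demo; they are not real BlackBox files.

```python
"""Locate an .ico's image data inside an .exe and write a copy with those bytes
zeroed, for a differential VirusTotal check.  Added example, not BlackBox code.

Assumption (PE fact, not stated in the thread): each image in a linked .ico is
stored verbatim as an RT_ICON resource, so a plain byte search finds it."""
from __future__ import annotations

import hashlib
import struct
import sys
from dataclasses import dataclass

ICONDIR_FMT = "<HHH"            # reserved, type (1 = icon, 2 = cursor), image count
ICONDIRENTRY_FMT = "<BBBBHHII"  # width, height, colours, reserved, planes, bpp, size, offset


@dataclass
class IcoImage:
    index: int
    width: int
    height: int
    data: bytes  # the image blob exactly as it sits in the .ico file


def parse_ico(blob: bytes) -> list[IcoImage]:
    """Parse an ICO container and return the raw image blobs it carries."""
    hdr_size = struct.calcsize(ICONDIR_FMT)
    entry_size = struct.calcsize(ICONDIRENTRY_FMT)
    if len(blob) < hdr_size:
        raise ValueError("truncated ICONDIR header")
    reserved, kind, count = struct.unpack_from(ICONDIR_FMT, blob, 0)
    if reserved != 0 or kind != 1:
        raise ValueError(f"not an ICO file (reserved={reserved}, type={kind})")
    if len(blob) < hdr_size + count * entry_size:
        raise ValueError("truncated ICONDIRENTRY table")
    images = []
    for i in range(count):
        w, h, _colours, _rsv, _planes, _bpp, size, off = struct.unpack_from(
            ICONDIRENTRY_FMT, blob, hdr_size + i * entry_size)
        if off + size > len(blob):
            raise ValueError(f"image {i} points outside the file")
        # A width/height byte of 0 encodes 256 in the ICO format.
        images.append(IcoImage(i, w or 256, h or 256, blob[off:off + size]))
    return images


def find_icon_images(exe: bytes, ico: bytes) -> dict[int, int]:
    """Map ICO image index -> file offset in exe for every image found verbatim."""
    hits = {}
    for img in parse_ico(ico):
        pos = exe.find(img.data)
        if pos != -1:
            hits[img.index] = pos
    return hits


def mask_icon_images(exe: bytes, ico: bytes) -> bytes:
    """Return a copy of exe with each located icon image overwritten by zeros.
    The PE stays structurally valid (the resource entry still points at the
    same bytes); only the displayed icon is destroyed."""
    out = bytearray(exe)
    for pos_img in parse_ico(ico):
        pos = exe.find(pos_img.data)
        if pos != -1:
            out[pos:pos + len(pos_img.data)] = bytes(len(pos_img.data))
    return bytes(out)


def build_ico(images: list[bytes]) -> bytes:
    """Wrap image blobs in an ICO container (used only to construct the sample)."""
    hdr = struct.pack(ICONDIR_FMT, 0, 1, len(images))
    entry_size = struct.calcsize(ICONDIRENTRY_FMT)
    offset = len(hdr) + entry_size * len(images)
    entries, body = b"", b""
    for img in images:
        entries += struct.pack(ICONDIRENTRY_FMT, 16, 16, 0, 0, 1, 32, len(img), offset)
        body += img
        offset += len(img)
    return hdr + entries + body


# Constructed sample: two fake image blobs (one BMP-style, one PNG-style) and a
# stand-in "executable" that embeds both.  Not a real PE and not BlackBox.exe.
SAMPLE_IMAGES = [b"\x28\x00\x00\x00" + bytes(range(40)),
                 b"\x89PNG\r\n\x1a\n" + b"\x55" * 24]
SAMPLE_ICO = build_ico(SAMPLE_IMAGES)
SAMPLE_EXE = (b"MZ" + b"\x90" * 100 + SAMPLE_IMAGES[1] + b"\x00" * 50
              + SAMPLE_IMAGES[0] + b"\xcc" * 20)


def main(argv: list[str]) -> int:
    if len(argv) != 4:
        print(f"usage: {argv[0]} BlackBox.exe Applogo.ico masked.exe", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f:
        exe = f.read()
    with open(argv[2], "rb") as f:
        ico = f.read()
    for idx, pos in find_icon_images(exe, ico).items():
        print(f"icon image {idx} found at file offset 0x{pos:x}")
    masked = mask_icon_images(exe, ico)
    with open(argv[3], "wb") as f:
        f.write(masked)
    # Both hashes can be looked up on VirusTotal; the masked one will be new.
    print("original sha256:", hashlib.sha256(exe).hexdigest())
    print("masked   sha256:", hashlib.sha256(masked).hexdigest())
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python mask_icon.py BlackBox.exe Applogo.ico BlackBox-masked.exe` and submit both files. If the masked copy loses most of its detections, the signatures overlap the icon region, which is what Josef's Doclogo.ico experiment suggests; if the counts stay the same, the pattern lives elsewhere (Kernel or HostFiles code, say) and swapping icons is not the fix. Two caveats: a blob that the linker did not store verbatim produces no hit, so check that every image was found before drawing conclusions, and the masked file is only a diagnostic artefact, not something to ship, since its icon is destroyed.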

Re: Virus in build 878

Postby Robert » Mon Jun 12, 2017 2:06 pm

cfbsoftware wrote:I'm currently trialling Microsoft's Windows Defender and have had no problems so far.

I did some minimal asking around on the internet, and this seemed like a reasonable idea for Windows 10, but less so for Windows 7.
So I decided to upgrade from 7 to 10, which was reasonably painless so far.

I then extracted build 879, which I was allowed to do, and tried to run it. I immediately got a message from Windows Defender that it had protected me from running an unrecognised program, and I had no option to override this decision.
Then, 30 seconds later, AVG told me it had quarantined the file, and BlackBox.exe disappeared.

I will turn off AVG, and try again.
Robert
 
Posts: 1001
Joined: Sat Sep 28, 2013 11:04 am
Location: Edinburgh, Scotland

Re: Virus in build 878

Postby Robert » Mon Jun 12, 2017 2:22 pm

I've found the Windows Defender "Run anyway" option.
That's taken almost a whole day - but I guess I had to upgrade to 10 sometime!
Robert
 
Posts: 1001
Joined: Sat Sep 28, 2013 11:04 am
Location: Edinburgh, Scotland

Re: Virus in build 878

Postby Josef Templ » Mon Jun 12, 2017 3:06 pm

FALSE positives are a widespread pain today.
I even got an error report recently sending an e-mail via Gmail because
the Gmail mail server is listed somewhere as a spammer.

On my Windows machines I have only used Windows virus tools for many years
because of many kinds of problems, including FALSE positives.

- Josef
Josef Templ
 
Posts: 2012
Joined: Tue Sep 17, 2013 6:50 am
