The MASM Forum

Projects => MASM32 => AV Software sh*t list => Topic started by: jayanthd on January 08, 2013, 04:31:24 AM

Title: trojan in masm32v11
Post by: jayanthd on January 08, 2013, 04:31:24 AM
Hello!

I found out that the following 2 files in the masm32 installation are infected with trojans. (Scanned with AVG Internet Security)

polib.exe                        Trojan horse Startpage.SLK
dlgmake.exe                  Trojan Horse BackDoor.Generic16.KKX

I sent the files to AVG for analysis and they confirmed the infections.

Will new files be provided?
Title: Re: trojan in masm32v11
Post by: dedndave on January 08, 2013, 04:41:36 AM
they are false
let AVG provide a new AV program   :P

http://masm32.com/board/index.php?board=23.0
Title: Re: trojan in masm32v11
Post by: qWord on January 08, 2013, 04:42:57 AM
Those are definitely false positives as long as you get the package from the links Hutch supplies - either change the AV or move these files (or the MASM32 installation) to the exceptions/ignore-list (or whatever AVG calls that).
Title: Re: trojan in masm32v11
Post by: jayanthd on January 08, 2013, 04:53:16 AM
I asked the AVG people to analyze the files for trojans in them. They confirmed that there is a trojan in the files.
Title: Re: trojan in masm32v11
Post by: jayanthd on January 08, 2013, 04:55:59 AM
Do I really need those 2 files I mentioned for writing and assembling my masm projects, or can I work without those 2 infected files? I downloaded the masm32v11 from the MASM32 website.
Title: Re: trojan in masm32v11
Post by: dedndave on January 08, 2013, 05:04:06 AM
i can assure you that those files are safe
PoLib is the library manager from Pelle's C compiler package

http://www.smorgasbordet.com/pellesc/

Pelle could care less what your start page is - lol

DlgMake was written by Hutch
i doubt there's any trojan in there   :P

however, you don't need either of these files to build programs
Title: Re: trojan in masm32v11
Post by: Vortex on January 08, 2013, 05:05:33 AM
Hi jayanthd,

Seriously, you have to make some effort to understand the situation. The Forum members are telling you that the Masm32 package does not contain malware. What you have to do:

a) Be sure that you are using a safe computer with no virus
b) If your computer cannot provide a safe environment, install the Masm32 package on another computer ( "clean machine" ) and use another AV product.
Title: Re: trojan in masm32v11
Post by: dedndave on January 08, 2013, 05:08:25 AM
Erol has a point
it is possible that these files may have been infected, post-installation

for DlgMake, i have a size of 31,244 bytes
for PoLib, i have a size of 79,872 bytes

i just executed both, and i am still here  :eusa_dance:
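Added example, not part of the original posts: the size comparison above catches a file that grew or shrank, but not one that was modified in place, so this sketch compares installed files against a known-clean copy by size and SHA-256. The directory layout, function names and zero-filled stand-in files are constructed for illustration; only the two file names and sizes come from the thread.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Stream the file so large binaries are not loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(clean_dir, names):
    """Record (size, SHA-256) for each file in a known-clean reference copy."""
    return {n: (Path(clean_dir, n).stat().st_size, sha256_of(Path(clean_dir, n)))
            for n in names}

def verify(install_dir, baseline):
    """Return {name: 'ok' | 'missing' | 'size-mismatch' | 'hash-mismatch'}."""
    result = {}
    for name, (size, digest) in baseline.items():
        p = Path(install_dir, name)
        if not p.is_file():
            result[name] = "missing"
        elif p.stat().st_size != size:
            result[name] = "size-mismatch"
        elif sha256_of(p) != digest:
            result[name] = "hash-mismatch"   # same size, different content
        else:
            result[name] = "ok"
    return result

def demo():
    """Constructed data: placeholder files with the sizes quoted in the thread."""
    sizes = {"dlgmake.exe": 31244, "polib.exe": 79872}
    with tempfile.TemporaryDirectory() as tmp:
        clean, inst = Path(tmp, "clean"), Path(tmp, "installed")
        clean.mkdir()
        inst.mkdir()
        for name, size in sizes.items():
            data = bytes(size)               # zero-filled stand-in, not the real binary
            (clean / name).write_bytes(data)
            (inst / name).write_bytes(data)
        # Change one byte in the installed copy: the size check still passes.
        changed = bytearray((inst / "polib.exe").read_bytes())
        changed[100] ^= 0xFF
        (inst / "polib.exe").write_bytes(changed)
        return verify(inst, build_baseline(clean, sizes))

if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as the copy it was built from, so it should come from a fresh download unpacked on a clean machine.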
Title: Re: trojan in masm32v11
Post by: jj2007 on January 08, 2013, 05:48:03 AM
Certain AV companies have crappy heuristic scanners which shout foul when they don't understand the code. They are called "false positives", and they are a reason to move the AV directly into the recycle bin where they belong.

If you don't trust us, upload the "evil" files to virusscan.jotti.org/ and see what serious AV products have to say about them. Click here to see the scan for dlgmake.exe (http://virusscan.jotti.org/en/scanresult/40785be3f91955cc6cfaf435a91caa4cd1e9fefb/f51164680343acaa08a1d2b1a49332a87a1714a9) - and, holy cow, six crappy AV products found out that dlgmake.exe is packed. PACKED! Can you imagine? Call the police, immediately 8)
Title: Re: trojan in masm32v11
Post by: Vortex on January 08, 2013, 06:10:14 AM
Hi jayanthd,

Jochen is 100% right. Jotti's engine is a good example. Some AV companies cannot interpret correctly the internals of Windows executables.
Title: Re: trojan in masm32v11
Post by: Gunther on January 08, 2013, 06:17:08 AM
Hi  jayanthd,

you can trust Vortex and Jochen. Your files are not infected, if you've downloaded the package from a serious source.

Gunther
Title: Re: trojan in masm32v11
Post by: jayanthd on January 08, 2013, 03:28:36 PM
OK. Thank you, people. The file sizes are the same as mentioned by dedndave. I again asked the AVG people to confirm and they said it is a false positive and they have updated the antivirus.
Title: Re: trojan in masm32v11
Post by: jj2007 on January 08, 2013, 05:27:47 PM
Great :t
So now we are waiting for more serious problems - code that crashes mysteriously etc etc  :biggrin:
Title: Re: trojan in masm32v11
Post by: japheth on January 08, 2013, 06:36:10 PM
> So now we are waiting for more serious problems

False positives ARE a serious problem - more serious than crashes, which usually can be fixed easily.

On my site, I had to password-protect a file because on virustotal.com 60% of the scanners flagged it as malware. The problem is: encryption and password protection are not just cumbersome, but not even a solution at all if your binaries are to be redistributable.


Title: Re: trojan in masm32v11
Post by: jj2007 on January 08, 2013, 08:24:38 PM
> > So now we are waiting for more serious problems
>
> False positives ARE a serious problem - more serious than crashes, which usually can be fixed easily.

It's not a serious problem for the OP, but otherwise I fully agree. It damages the business of small software developers (those without a legal department), because it's very easy to destroy a reputation but difficult to force these AV s**tware developers to apologise in public.
Title: Re: trojan in masm32v11
Post by: Gunther on January 08, 2013, 09:23:09 PM
Hi Jochen,

> It's not a serious problem for the OP, but otherwise I fully agree. It damages the business of small software developers (those without a legal department), because it's very easy to destroy a reputation but difficult to force these AV s**tware developers to apologise in public.

unfortunately, your statement is true. It's a mess with those AV s**tware developers.

Gunther
Title: Re: trojan in masm32v11
Post by: Vortex on January 09, 2013, 05:26:08 AM
A lot of individuals purchasing AV software are not aware of the notion of a false positive.