
About VT scans

Discussion in 'Black Hat SEO Tools' started by Frement, Oct 16, 2011.

  1. Frement

    Frement Registered Member

    Joined:
    Sep 26, 2010
    Messages:
    66
    Likes Received:
    22
    Location:
    46696E6C616E64
    Home Page:
    So, my program got 0/43 results before packing, and after packing 14/43.

    Is this something to be worried about? I know for sure that the result is because of Themida.

    I mean, if I release this software for free, and I can only offer this result, does it mean I can't share the software because of trust issues?

    Here's the results:
    Code:
    Antivirus results
    AhnLab-V3 - 2011.10.13.00 - 2011.10.13 - Trojan/Win32.ADH
    AntiVir - 7.11.15.252 - 2011.10.13 - TR/Crypt.TPM.Gen
    Antiy-AVL - 2.0.3.7 - 2011.10.13 - -
    Avast - 6.0.1289.0 - 2011.10.13 - -
    AVG - 10.0.0.1190 - 2011.10.13 - Win32/Heur
    BitDefender - 7.2 - 2011.10.13 - Gen:Trojan.Heur.JP.WyWaaGI!Qee
    ByteHero - 1.0.0.1 - 2011.09.23 - -
    CAT-QuickHeal - 11.00 - 2011.10.13 - (Suspicious) - DNAScan
    ClamAV - 0.97.0.0 - 2011.10.13 - -
    Commtouch - 5.3.2.6 - 2011.10.13 - -
    Comodo - 10440 - 2011.10.13 - -
    DrWeb - 5.0.2.03300 - 2011.10.12 - -
    Emsisoft - 5.1.0.11 - 2011.10.13 - Backdoor.Win32.Prorat!IK
    eSafe - 7.0.17.0 - 2011.10.11 - -
    eTrust-Vet - 36.1.8617 - 2011.10.13 - -
    F-Prot - 4.6.5.141 - 2011.10.13 - -
    F-Secure - 9.0.16440.0 - 2011.10.13 - Gen:Trojan.Heur.JP.WyWaaGI!Qee
    Fortinet - 4.3.370.0 - 2011.10.13 - -
    GData - 22 - 2011.10.13 - Gen:Trojan.Heur.JP.WyWaaGI!Qee
    Ikarus - T3.1.1.107.0 - 2011.10.13 - Backdoor.Win32.Prorat
    Jiangmin - 13.0.900 - 2011.10.12 - -
    K7AntiVirus - 9.115.5278 - 2011.10.13 - -
    Kaspersky - 9.0.0.837 - 2011.10.13 - -
    McAfee - 5.400.0.1158 - 2011.10.13 - -
    McAfee-GW-Edition - 2010.1D - 2011.10.13 - Heuristic.LooksLike.Win32.Suspicious.F
    Microsoft - 1.7702 - 2011.10.13 - -
    NOD32 - 6541 - 2011.10.13 - a variant of Win32/Packed.Themida
    Norman - 6.07.11 - 2011.10.13 - -
    nProtect - 2011-10-13.01 - 2011.10.13 - -
    Panda - 10.0.3.5 - 2011.10.13 - -
    PCTools - 8.0.0.5 - 2011.10.13 - -
    Prevx - 3.0 - 2011.10.16 - -
    Rising - 23.79.03.02 - 2011.10.13 - Suspicious
    Sophos - 4.70.0 - 2011.10.13 - Sus/ComPack-M
    SUPERAntiSpyware - 4.40.0.1006 - 2011.10.13 - -
    Symantec - 20111.2.0.82 - 2011.10.13 - -
    TheHacker - 6.7.0.1.322 - 2011.10.13 - -
    TrendMicro - 9.500.0.1008 - 2011.10.13 - -
    TrendMicro-HouseCall - 9.500.0.1008 - 2011.10.13 - -
    VBA32 - 3.12.16.4 - 2011.10.13 - -
    VIPRE - 10749 - 2011.10.13 - Backdoor.Win32.Ircbot.gen (v)
    ViRobot - 2011.10.13.4717 - 2011.10.13 - -
    VirusBuster - 14.1.11.0 - 2011.10.13 - -
    File info:
    MD5: 163fc06e0e1f7f8f2389a400b463cb2a
    SHA1: a9f0fa9ce0ff68dc9dd5ca6638527c7add823a85
    SHA256: 5a3bc273bbb38f84a37f8406dfc3ec8daafd3aa423cbabaead7428bbddd13e78
    File size: 797184 bytes
    Scan date: 2011-10-16 01:11:44 (UTC)
     
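The listing above mixes three kinds of verdict: packer signatures (Win32/Packed.Themida, Sus/ComPack-M), generic heuristics (Win32/Heur, Suspicious, DNAScan) and named families (Prorat, Ircbot). The following is an added example, not code from this thread or from VirusTotal: a small Python parser for that "engine - version - date - verdict" layout that strips any BBCode colour tags a forum paste carries and sorts each verdict into one of those buckets, so a reviewer can see which engines are reacting to the packer and which name a concrete family that deserves a closer look. The keyword lists are an assumption made for this example, not any vendor's taxonomy, and the sample lines are a subset copied from the first post.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: a subset of the engine lines quoted in the first post, in the
# "Engine - version - signature date - verdict" layout ("-" means no detection).
SAMPLE_RESULTS = """\
AhnLab-V3 - 2011.10.13.00 - 2011.10.13 - [color=red]Trojan/Win32.ADH [/color]
AntiVir - 7.11.15.252 - 2011.10.13 - [color=red]TR/Crypt.TPM.Gen [/color]
Antiy-AVL - 2.0.3.7 - 2011.10.13 - -
AVG - 10.0.0.1190 - 2011.10.13 - [color=red]Win32/Heur [/color]
BitDefender - 7.2 - 2011.10.13 - [color=red]Gen:Trojan.Heur.JP.WyWaaGI!Qee [/color]
CAT-QuickHeal - 11.00 - 2011.10.13 - [color=red](Suspicious) - DNAScan [/color]
Emsisoft - 5.1.0.11 - 2011.10.13 - [color=red]Backdoor.Win32.Prorat!IK [/color]
Kaspersky - 9.0.0.837 - 2011.10.13 - -
NOD32 - 6541 - 2011.10.13 - [color=red]a variant of Win32/Packed.Themida [/color]
Sophos - 4.70.0 - 2011.10.13 - [color=red]Sus/ComPack-M [/color]
VIPRE - 10749 - 2011.10.13 - [color=red]Backdoor.Win32.Ircbot.gen (v) [/color]
"""

# Forum BBCode such as [color=red] ... [/color] or [i] ... [/i].
BBCODE = re.compile(r"\[/?[a-z]+(?:=[^\]]*)?\]")

# Assumed keyword lists for this example only; they are not a vendor taxonomy.
PACKER_HINTS = ("packed", "themida", "compack", "crypt")
HEURISTIC_HINTS = ("heur", "suspicious", "sus/", "lookslike", "adh", "dnascan", "gen:")


@dataclass
class EngineResult:
    engine: str
    version: str
    signature_date: str
    verdict: str    # empty string when the engine reported nothing
    category: str   # clean | packer | heuristic | family


def classify(verdict: str) -> str:
    """Bucket a detection name; packer hints win over heuristic hints."""
    v = verdict.lower()
    if not v:
        return "clean"
    if any(h in v for h in PACKER_HINTS):
        return "packer"
    if any(h in v for h in HEURISTIC_HINTS):
        return "heuristic"
    return "family"


def parse_line(line: str) -> Optional[EngineResult]:
    """Parse one engine line; returns None for headers, hashes and blank lines."""
    # maxsplit=3 keeps verdicts that themselves contain " - " (e.g. "(Suspicious) - DNAScan").
    parts = line.split(" - ", 3)
    if len(parts) != 4:
        return None
    engine, version, date, raw = (p.strip() for p in parts)
    verdict = BBCODE.sub("", raw).strip()
    if verdict == "-":
        verdict = ""
    return EngineResult(engine, version, date, verdict, classify(verdict))


def parse_results(text: str) -> List[EngineResult]:
    results = []
    for line in text.splitlines():
        parsed = parse_line(line.strip())
        if parsed is not None:
            results.append(parsed)
    return results


def summarize(results: List[EngineResult]) -> Dict[str, object]:
    """Detection ratio plus a per-category breakdown and the family-named hits."""
    detections = sum(1 for r in results if r.verdict)
    return {
        "engines": len(results),
        "detections": detections,
        "percent": round(100.0 * detections / len(results), 1) if results else 0.0,
        "by_category": dict(Counter(r.category for r in results)),
        # Family-named verdicts are the ones worth investigating first.
        "family_hits": [(r.engine, r.verdict) for r in results if r.category == "family"],
    }


if __name__ == "__main__":
    summary = summarize(parse_results(SAMPLE_RESULTS))
    print(f"{summary['detections']}/{summary['engines']} ({summary['percent']}%)")
    print("by category:", summary["by_category"])
    print("family-named hits:", summary["family_hits"])
```

Run on the full 43-line listing the split comes out the same way: the bulk of the hits are packer or heuristic names, while only a handful name a family, and those are the ones a reviewer would check against an unpacked build.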
  2. TheMatrix

    TheMatrix BANNED

    Joined:
    Dec 20, 2008
    Messages:
    3,444
    Likes Received:
    7,279
    Send me both the files, I'll check it out.
     
  3. Frement

    Frement Registered Member

    Joined:
    Sep 26, 2010
    Messages:
    66
    Likes Received:
    22
    Location:
    46696E6C616E64
    Home Page:
    The program has no virus in it, the problem is with the protection software I use. What I wanted to know is, will the community accept my software even if it has false positives on the VT result? Should I create the thread and wait until someone verifies that it is clean?
     
  4. Kickflip

    Kickflip BANNED

    Joined:
    Jan 29, 2010
    Messages:
    2,038
    Likes Received:
    2,465
    If the software is being released free, will you just release it as open source or at least send the software code to mods to review?
     
  5. TheMatrix

    TheMatrix BANNED

    Joined:
    Dec 20, 2008
    Messages:
    3,444
    Likes Received:
    7,279
    14 detections are NOT false detections. That's why I'm asking you to send me the exe so I can check it with my scanners.

    Or as ^^ said, release the source code so people can trust the software.
     
    • Thanks x 2
  6. Frement

    Frement Registered Member

    Joined:
    Sep 26, 2010
    Messages:
    66
    Likes Received:
    22
    Location:
    46696E6C616E64
    Home Page:
    Well, they are detections of the Themida packing, while it says they are some trojans etc.

    I'll PM you the software, you can check it with your scanners, but I don't think you can make anything else out of it than the VT already says.

    I'd rather not release sources, if I decide to develop the software further and make a paid version that includes this tool also.
     
  7. TheMatrix

    TheMatrix BANNED

    Joined:
    Dec 20, 2008
    Messages:
    3,444
    Likes Received:
    7,279
    Ok. So I got the file, and ran through different scanners.

    Here are the results.

    VT Scan:
    Code:
    http://www.virustotal.com/file-scan/report.html?id=65d83e2c25142e110f0a8a3f35cfd13b59971e46fa729ab773f453d04297ef84-1318771757
    13/ 43 (30.2%)

    MBAM Scan:
    Code:
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org
    
    Database version: 7958
    
    Windows 6.1.7601 Service Pack 1
    Internet Explorer 9.0.8112.16421
    
    10/16/2011 7:07:37 PM
    mbam-log-2011-10-16 (19-07-37).txt
    
    Scan type: Quick scan
    Objects scanned: 1
    Time elapsed: 8 second(s)
    
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    
    Memory Processes Infected:
    (No malicious items detected)
    
    Memory Modules Infected:
    (No malicious items detected)
    
    Registry Keys Infected:
    (No malicious items detected)
    
    Registry Values Infected:
    (No malicious items detected)
    
    Registry Data Items Infected:
    (No malicious items detected)
    
    Folders Infected:
    (No malicious items detected)
    
    Files Infected:
    (No malicious items detected)
    
    Sophos:
    [image: Sophos scan result]

    ClamXAV
    Code:
    Starting scan...
    
    ----------- SCAN SUMMARY -----------
    Known viruses: 1054244
    Engine version: 0.97.2
    Scanned directories: 0
    Scanned files: 1
    Infected files: 0
    Data scanned: 20.16 MB
    Data read: 6.24 MB (ratio 3.23:1)
    Time: 6.937 sec (0 m 6 s)
    
    No infected files were found.
    Pretty darn strange.

    Then, I took the main exe, and ran it through VT. The result:
    Code:
    
    
    15/ 43 (34.9%)

    More more more strange!

    The whole program has 13 detections, while the exe has 15!

    Then, I repacked the whole thing in another archive.

    It was ZIP, and ran again through VT:

    Code:
    http://www.virustotal.com/file-scan/report.html?id=f35e7129867d13ffb5c2e270bc09b17fd8c75110dbe084e8c82ee337e3218da1-1318772410
    14/ 43 (32.6%)

    Then, I packed it in RAR, and the result:

    Code:
    http://www.virustotal.com/file-scan/report.html?id=b5ad3be3f9a1e1ca33294a99f413709930c949bc67b15612d4693febf3747ecc-1318772533
    14/ 41 (34.1%)


    The conclusion?

    VT is drunk IMHO!

    But wait!!

    You just said Themida, now did you!!

    So, I googled it, and found some stuff about it:

    Code:
    http://blogs.mcafee.com/mcafee-labs/who-digs-the-elephant-trap
    Hope that answers it all!

    EDIT: Forgot your primary question.

    See, we here at BHW, primarily rely on VT as a virus scanner. And if VT says there's a virus, then there is!

    You can try and work something out with mods, though.
     
    • Thanks x 1
  8. Frement

    Frement Registered Member

    Joined:
    Sep 26, 2010
    Messages:
    66
    Likes Received:
    22
    Location:
    46696E6C616E64
    Home Page:
    Size before Themida:
    140 KB (143,872 bytes)

    Size after Themida:
    778 KB (797,184 bytes)

    So there is no guarantee, even if I sent the file to some moderator, that I have sent the same file, but the mods could download the demo version of Themida, protect it, and see what happens to the clean file after running it through Themida.

    But still, a lot of hassle over Themida.
     
  9. TheMatrix

    TheMatrix BANNED

    Joined:
    Dec 20, 2008
    Messages:
    3,444
    Likes Received:
    7,279
    Exactly. But that's your own choice. You only have to account for what to use, and whether your customers will accept something like this.
     
  10. jimbobo2779

    jimbobo2779 Jr. VIP Premium Member

    Joined:
    Sep 17, 2008
    Messages:
    3,247
    Likes Received:
    2,397
    Occupation:
    Software Engineer
    Location:
    UK
    Home Page:
    As someone that is using WinLicense (made by Oreans, just like Themida) I can sympathise with you mate. Currently I have 3 false positives from my packed file, whereas SmartAssembly doesn't seem to get any of my packed files flagged.

    I have not found a reliable way to get the false positive count down. TBH when I had 1/43 (1 false positive) I had plenty of people talking about whether it was a virus or not in my BST, so if there is anything you can do to get it down to 0 you must do it. Trust me, people do not care about bringing irrelevant stuff up in your BST and it will definitely affect your sales.

    If you are using Themida just to hide your code then I would suggest using {SmartAssembly} instead as it works without fucking you. I like how WinLicense allows you to make a trial very easily but it is majorly flawed in this respect.

    14 or so false positives will cripple your sales mate, do everything you can to get rid of them, as even if you send it to every AV company to manually check (which is an option) it will likely get flagged again the first time you release an update.
     
    Last edited: Oct 18, 2011
  11. HatIsBlack

    HatIsBlack Regular Member

    Joined:
    Sep 17, 2010
    Messages:
    265
    Likes Received:
    187
    Location:
    Where i belong
    I am also using Themida. It's a great anti-crack system but has too many problems with virus scanners IMO. However, after explaining to my customers what is causing the problem and giving them a link to Oreans, they usually understand.