Discussion:
Powerbasic Virus Alert!
(too old to reply)
Olav
2010-07-12 10:15:32 UTC
Permalink
Raw Message
ESET NOD32 4 Antivirus reports that a variant of Win32/Kryptik.UT trojan
was found in the creation of an exefile created by PbWin8.

cleaned by deleting - quarantined

Event occurred on a file modified by the application:
C:\PBWin8\Bin\PBWin.exe.

And here is the code:

FUNCTION PBMAIN()
t!=TIMER
REGISTER X&, Counter&
FOR Counter& = 1 TO 300000000
X& = Counter& + Counter& + Counter&
NEXT
e!=TIMER-t!
MSGBOX(STR$(e!))
END FUNCTION

Who talked about cracked Powerbasic and viruses? Powerbasic is a virus
itself.
--
H-Man
2010-07-12 14:12:31 UTC
Permalink
Raw Message
Post by Olav
ESET NOD32 4 Antivirus reports that a variant of Win32/Kryptik.UT trojan
was found in the creation of an exefile created by PbWin8.
cleaned by deleting - quarantined
C:\PBWin8\Bin\PBWin.exe.
FUNCTION PBMAIN()
t!=TIMER
REGISTER X&, Counter&
FOR Counter& = 1 TO 300000000
X& = Counter& + Counter& + Counter&
NEXT
e!=TIMER-t!
MSGBOX(STR$(e!))
END FUNCTION
Who talked about cracked Powerbasic and viruses? Powerbasic is a virus
itself.
False positive. AV program's problem.
--
HK
Olav
2010-07-12 14:42:00 UTC
Permalink
Raw Message
Post by H-Man
Post by Olav
ESET NOD32 4 Antivirus reports that a variant of Win32/Kryptik.UT trojan
was found in the creation of an exefile created by PbWin8.
cleaned by deleting - quarantined
C:\PBWin8\Bin\PBWin.exe.
FUNCTION PBMAIN()
t!=TIMER
REGISTER X&, Counter&
FOR Counter& = 1 TO 300000000
X& = Counter& + Counter& + Counter&
NEXT
e!=TIMER-t!
MSGBOX(STR$(e!))
END FUNCTION
Who talked about cracked Powerbasic and viruses? Powerbasic is a virus
itself.
False positive. AV program's problem.
--
HK
May be so, but one must be allowed to wonder what kind of work the compiler
does behind the scene at the moment of the exe file creation, and so far
why only it is this file which are triggered.
--
WangoTango
2010-07-12 15:46:01 UTC
Permalink
Raw Message
Post by Olav
Post by H-Man
Post by Olav
ESET NOD32 4 Antivirus reports that a variant of Win32/Kryptik.UT trojan
was found in the creation of an exefile created by PbWin8.
cleaned by deleting - quarantined
C:\PBWin8\Bin\PBWin.exe.
FUNCTION PBMAIN()
t!=TIMER
REGISTER X&, Counter&
FOR Counter& = 1 TO 300000000
X& = Counter& + Counter& + Counter&
NEXT
e!=TIMER-t!
MSGBOX(STR$(e!))
END FUNCTION
Who talked about cracked Powerbasic and viruses? Powerbasic is a virus
itself.
False positive. AV program's problem.
--
HK
May be so, but one must be allowed to wonder what kind of work the compiler
does behind the scene at the moment of the exe file creation, and so far
why only it is this file which are triggered.
--
No, what one wonders about is your continual whining.
Learn a little something about how AV programs work, and you will
understand why false positives happen, oh sorry, I forgot, you just want
something else to bitch about...
Olav
2010-07-12 19:14:37 UTC
Permalink
Raw Message
Post by WangoTango
Post by Olav
Post by H-Man
Post by Olav
ESET NOD32 4 Antivirus reports that a variant of Win32/Kryptik.UT trojan
was found in the creation of an exefile created by PbWin8.
cleaned by deleting - quarantined
C:\PBWin8\Bin\PBWin.exe.
FUNCTION PBMAIN()
t!=TIMER
REGISTER X&, Counter&
FOR Counter& = 1 TO 300000000
X& = Counter& + Counter& + Counter&
NEXT
e!=TIMER-t!
MSGBOX(STR$(e!))
END FUNCTION
Who talked about cracked Powerbasic and viruses? Powerbasic is a virus
itself.
False positive. AV program's problem.
--
HK
May be so, but one must be allowed to wonder what kind of work the compiler
does behind the scene at the moment of the exe file creation, and so far
why only it is this file which are triggered.
--
No, what one wonders about is your continual whining.
Well, put me on your spamlist then.
Post by WangoTango
Learn a little something about how AV programs work, and you will
understand why false positives happen, oh sorry, I forgot, you just want
something else to bitch about...
As I said; put me on your spamlist and hopefully you can start again to hear
only what itches your ears.
--
WangoTango
2010-07-12 23:03:05 UTC
Permalink
Raw Message
Post by Olav
Post by WangoTango
Post by Olav
Post by H-Man
Post by Olav
ESET NOD32 4 Antivirus reports that a variant of Win32/Kryptik.UT trojan
was found in the creation of an exefile created by PbWin8.
cleaned by deleting - quarantined
C:\PBWin8\Bin\PBWin.exe.
FUNCTION PBMAIN()
t!=TIMER
REGISTER X&, Counter&
FOR Counter& = 1 TO 300000000
X& = Counter& + Counter& + Counter&
NEXT
e!=TIMER-t!
MSGBOX(STR$(e!))
END FUNCTION
Who talked about cracked Powerbasic and viruses? Powerbasic is a virus
itself.
False positive. AV program's problem.
--
HK
May be so, but one must be allowed to wonder what kind of work the compiler
does behind the scene at the moment of the exe file creation, and so far
why only it is this file which are triggered.
--
No, what one wonders about is your continual whining.
Well, put me on your spamlist then.
Post by WangoTango
Learn a little something about how AV programs work, and you will
understand why false positives happen, oh sorry, I forgot, you just want
something else to bitch about...
As I said; put me on your spamlist and hopefully you can start again to hear
only what itches your ears.
No problem, off to the Bozo Bin with you.
hutch--
2010-07-13 13:58:07 UTC
Permalink
Raw Message
Olav,

False positives are common with AV software, even with the better end
of AV scanners they still rely on basically unreliable techniques for
heuristic scanning backed up by signature scanners.

A valid Portable Executable file (Win32 PE) is determined by its
conformity to the Microsoft Portable Executable specifications, not
what can get past an AV scanners assumptions.

Do yourself a favour, secure you machine properly with multiple level
firewalls and don't download crap and you will be far more secure than
AV scanners that deliver false positives. Make a point of backing up
your boot/OS drive with a disk image software like Acronis or Norton
or some of the free ones as long as you understand how to use it.

Once you have this done nothing can beat it as you can always fully
restore the boot drive without any dependence on the OS, damaged or
not.
hutch--
2010-07-15 02:00:29 UTC
Permalink
Raw Message
Something I should have added, if you are using a later Windows
version than XP and you are running some form of AV scanner, many of
the AV products require BOTH a manifest file AND a version control
block in the resource section of the executable or they will not be
recognised correctly by the crappy end of AV scanners.

When you post small test pieces like the one Olav posted,

FUNCTION PBMAIN()
t!=TIMER
REGISTER X&, Counter&
FOR Counter& = 1 TO 300000000
X& = Counter& + Counter& + Counter&
NEXT
e!=TIMER-t!
MSGBOX(STR$(e!))
END FUNCTION

You need to take into account that the test piece has a very limited
amount of code in it which triggers the heuristic scanners that assume
a minimum amount of code and flag the alternative as a trojan or
virus.

As usual with this stuff a little knowledge is dangerous. The solution
is to know enough not to keep making mistakes based on ignorance.
H-Man
2010-07-12 17:47:35 UTC
Permalink
Raw Message
Post by Olav
Post by H-Man
Post by Olav
ESET NOD32 4 Antivirus reports that a variant of Win32/Kryptik.UT trojan
was found in the creation of an exefile created by PbWin8.
cleaned by deleting - quarantined
C:\PBWin8\Bin\PBWin.exe.
FUNCTION PBMAIN()
t!=TIMER
REGISTER X&, Counter&
FOR Counter& = 1 TO 300000000
X& = Counter& + Counter& + Counter&
NEXT
e!=TIMER-t!
MSGBOX(STR$(e!))
END FUNCTION
Who talked about cracked Powerbasic and viruses? Powerbasic is a virus
itself.
False positive. AV program's problem.
--
HK
May be so, but one must be allowed to wonder what kind of work the compiler
does behind the scene at the moment of the exe file creation, and so far
why only it is this file which are triggered.
As ESET NOD32 4 Antivirus is signatures based it is entirely conceivable
that portion of your compiled code is shared with the Win32/Kryptik.UT
trojan. As compilers use a finite set of instructions eventually you will
have collisions whereby a portion legitimate code looks like a portion of
the bad code. If the trojan was created using the PB product the liklihood
of a collision of this sort increases substantially. Again, it's not that
the compiler generates anything nefarious spontaneously, the compiler may
have been asked to generate nefarious code known to the AV company, and the
signature the AV company chooses to use to identify the trojan exists in
legitimate code as well. The compiler remains legitimate, the AV company's
job is to find a way to decide which code is okay, and which is not. In
this case, it would seem, the AV company has failed.

This exact situation occurs with most compilers / assemblers out there at
some point in time. PowerBasic is in good company then.
--
HK
Loading...