
installing masm32v11r.zip

Started by ms100, March 27, 2012, 06:42:29 PM


ms100

I installed masm32v11r.zip 5.012.275b today, and Symantec AV detected:

zoomin.exe  Trojan.Startpage.G
poasm1k.exe  Trojan.Gen.2
multidl.exe   Suspicious.MH690


Vortex

Hi ms100,

Welcome to the forum.

They are false positives.

jj2007

Hi ms100,

Welcome from me, too.

\masm32\bin\zoomin.exe is a demo for zooming menus. It is a bit unfortunate that this file is packed, but be assured that it's a false positive, as Vortex already wrote.
The other two come along with sources in \masm32\examples\poasm\poasm1k\poasm1k.asm and \masm32\examples\threads\multidl\multidl.asm
You can build them yourself to see that Symantec (and some other sh***y antivirus companies) shout alarm where there is no reason to shout.

Regards, jj

ms100

thanks for the answers.
is it possible to get the source of zoomin?

hutch--

Sad to say NO, the source code for Zoomin is subject to a Microsoft licence that specifically prohibits its distribution. You can find it yourself in a number of old SDKs from Microsoft.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

vanjast

Quote from: ms100 on March 27, 2012, 06:42:29 PM
and Symantec AV detected..
ARGGHHhhh  Symantec Symantec Symantec.
It always helps to remove the problem.. "Symantec"
:U

P1

Quote from: vanjast on March 30, 2012, 10:50:47 PM
Quote from: ms100 on March 27, 2012, 06:42:29 PM
and Symantec AV detected..
ARGGHHhhh  Symantec Symantec Symantec.
It always helps to remove the problem.. "Symantec"
:U
It's more like, virus writers using hutch's code, your code and my code.   

Understand the battle now ???

Regards,  P1  :8)


hutch--

It always bottoms out that the specifications for Portable Executable programs are issued by Microsoft for their Windows versions, and when an AV company flags a clean EXE as a false positive, it is simply the case that they have PHUKED up again. The class end of the market rarely ever does it; the crap end of the market does it regularly.

zoomin.exe is Microsoft code with minor modifications built to minimise size then fed through an EXE compressor.
poasm1k.exe has the buildable source.
multidl.exe has the buildable source.

There is no other way to say it except that Symantec have PHUKED up with these false positives. AV companies need to understand that when they flag someone else's software as infected they need to get it right. Bleating about their product being criticised while criticising someone else's software as infected is simply hypocrisy and something that they all need to fix.

dedndave

the multidl program, i can understand
i mean, i can see where a program that downloads files might be suspicious

the other ones - they must be looking at the PE form as something that a C compiler didn't spit out
that makes no sense to me - i would think the malicious guys use a C compiler quite a lot   :P

jj2007

The problem is not our code, even if it contains UrlDownloadToFile. The problem is the C programmers of the big companies who regularly forget to control their buffers; see e.g. the 256,000 Google hits for Adobe flash buffer overflow.

Example (yesterday):

"The first vulnerability involves a buffer overflow when checking the trustworthiness of internet addresses"
Which sustains the hypothesis that the IQ of a group of C programmers can be calculated as IQ=120/n where n is the number of programmers who coded the loop (Adobe needs at least 2, for critical loops 3-4).

If the AV vendors could reprogram their heuristic scanners to detect that kind of lousy programming, it would impose some sane discipline on the C brigade....

dedndave

you make a good point

these guys that work at AV software companies like to call themselves "security specialists"
a real "security" company would write code that finds the exploits in an OS and reports them to the manufacturer (ms)
i would then be truly impressed   :P

P1

Quote from: dedndave on March 31, 2012, 06:18:40 AM
you make a good point

these guys that work at AV software companies like to call themselves "security specialists"
a real "security" company would write code that finds the exploits in an OS and reports them to the manufacturer (ms)
i would then be truly impressed   :P
What !!!

It is the virus writers that do not give up.

Quote from: dedndave on March 31, 2012, 05:04:22 AM
the multidl program, i can understand
i mean, i can see where a program that downloads files might be suspicious
Please point your gun of opinion in the right direction.

Ok, who("the manufacturer") wants to claim responsibility of programming multidl as poor code style ???

Misuse of code does not equal poor programming style.

This is the MAIN issue with false positives in AV detectors.

Quote from: P1 on March 24, 2012, 08:24:33 PM
How would you feel if some of your code was found in virus code and the AVs started flagging this code as viral everywhere it was used ???
Good time to answer my question.  A week is long enough to consider a reply.

Keyboard hooks ???   Should M$ take them out of their code ???

Regards,  P1   :8)

hutch--

The core assumption in the crap end of AV products is that PE files should comply with executable files that they are familiar with, where in fact the specification for Windows is written by Microsoft (PECOFF.DOCX), and when some crappy AV scanner flags a valid clean EXE as infected or suspicious, they are in fact trying to reduce the PE specifications down to their own level of understanding, not that of the maker's specification.

Now in the case of ZOOMIN, which is Microsoft code built with Microsoft tools and with both a manifest and a version control block to identify it correctly, the error is that of the AV scanner company, not the software it has flagged. Now one of the reasons why we have this subforum is to address the many shortcomings of the low end of AV software. A programmer has only one responsibility, and that is to write their application so it fully complies with the manufacturer's PE specification, not have to second guess a bunch of hicks in the low end of AV production who don't properly understand the PE specifications.

The programmer who has in fact produced clean reliable software has every reason to put the boot into sloppy and unreliable programming from the low end of AV companies when their scanners flag clean software as infected or suspicious. No AV company is doing you a favour by falsely claiming your software is infected with a virus simply because they don't know what they are doing. As usual the class end of AV products rarely ever does it, the crap end does it regularly.

jj2007

Quote from: P1 on March 31, 2012, 11:33:19 AM
Ok, who("the manufacturer") wants to claim responsibility of programming multidl as poor code style ???

The style could be improved but it's not that bad, actually. Clean, straightforward code. From a heuristic scanner's viewpoint, here are the critical lines.

Address      Hex dump                Command                    Comments
004011E2     │.  68 50214000         push offset 00402150       ; ┌Arg1 = ASCII "Downloading "
004011E7     │.  E8 70000000         call 0040125C              ; └multidl.0040125C
004011EC     │.  FF75 F8             push dword ptr [local.2]   ; ┌Arg1
004011EF     │.  E8 68000000         call 0040125C              ; └multidl.0040125C
004011F4     │.  68 5D214000         push offset 0040215D       ; ┌Arg1 = ASCII "
"
004011F9     │.  E8 5E000000         call 0040125C              ; └multidl.0040125C
004011FE     │.  6A 00               push 0                     ; ┌Arg5 = 0
00401200     │.  6A 00               push 0                     ; │Arg4 = 0
00401202     │.  FF75 F8             push dword ptr [local.2]   ; │Arg3
00401205     │.  FF75 FC             push dword ptr [local.1]   ; │Arg2
00401208     │.  6A 00               push 0                     ; │Arg1 = 0
0040120A     │.  E8 49020000         call <jmp.&urlmon.URLDownl ; └urlmon.URLDownloadToFileA


Now that truly looks dangerous:
- uses URLDownloadToFileA
- announces "hey, I am downloading my payload!!"
- and sits in \masm32\examples\threads\multidl\multidl.exe, a non-hidden folder that is as visible as a blue horse
:green
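What the heuristic scanner sees in multidl is the import table entry urlmon!URLDownloadToFileA that the dump above resolves. As an added example (not code from this thread or from the MASM32 package), the Python below builds a constructed minimal PE32 image carrying exactly that one import and walks the headers the PE/COFF specification defines (DOS header, PE signature, optional header data directory, section table, import descriptors) to list it; a tutorial downloader and a trojan downloader present the identical import, which is why an import-based heuristic alone yields this kind of false positive.

```python
import struct
def build_sample_pe() -> bytes:
    """Constructed (not real) minimal PE32 image whose only import is urlmon!URLDownloadToFileA."""
    sec_rva = sec_raw = 0x200                     # one section; RVA deliberately equals file offset
    desc_rva, thunk_rva = sec_rva, sec_rva + 40   # 1 import descriptor (20 bytes) + null terminator
    name_rva = thunk_rva + 8                      # 1 thunk (4 bytes) + null terminator
    dll, func = b"urlmon.dll\0", struct.pack("<H", 0) + b"URLDownloadToFileA\0"   # hint + name
    section = (struct.pack("<IIIII", thunk_rva, 0, 0, name_rva, thunk_rva) + b"\0" * 20
               + struct.pack("<II", name_rva + len(dll), 0) + dll + func)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew -> PE signature
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)     # i386, 1 section, opt size
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)   # PE32 magic, 16 data dirs
    opt += struct.pack("<IIII", 0, 0, desc_rva, 40) + b"\0" * 14 * 8      # DataDirectory[1] = imports
    sect_hdr = struct.pack("<8sIIIIIIHHI", b".idata", len(section), sec_rva, len(section),
                           sec_raw, 0, 0, 0, 0, 0x40000040)               # readable, initialized data
    return (dos + b"PE\0\0" + file_hdr + opt + sect_hdr).ljust(sec_raw, b"\0") + section

def parse_imports(image: bytes) -> dict:
    """Follow the PE/COFF headers to the import directory and return {dll: [api, ...]}."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]                       # e_lfanew
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H12xH", image, pe + 6)       # NumberOfSections, SizeOfOptionalHeader
    opt = pe + 24                                                       # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("this example handles PE32 only")
    imp_rva = struct.unpack_from("<I", image, opt + 96 + 8)[0]          # DataDirectory[1] = import table
    sections = [struct.unpack_from("<III", image, opt + opt_size + 40 * i + 12)   # VA, SizeOfRawData, PointerToRawData
                for i in range(nsect)]
    def off(rva: int) -> int:                                           # RVA -> file offset via section table
        for va, raw_size, raw in sections:
            if va <= rva < va + raw_size:
                return rva - va + raw
        raise ValueError(f"RVA {rva:#x} maps to no section")
    def cstr(o: int) -> str:
        return image[o:image.index(b"\0", o)].decode("ascii")
    imports, d = {}, off(imp_rva)
    while True:                                                         # IMAGE_IMPORT_DESCRIPTOR, 20 bytes each
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", image, d)
        if name_rva == 0:
            break
        funcs, t = [], off(oft or ft)                                   # prefer OriginalFirstThunk (unbound names)
        while (entry := struct.unpack_from("<I", image, t)[0]) != 0:
            funcs.append(f"#{entry & 0xFFFF}" if entry & 0x80000000 else cstr(off(entry) + 2))  # ordinal or hint+name
            t += 4
        imports[cstr(off(name_rva)).lower()] = funcs
        d += 20
    return imports
```

`parse_imports(build_sample_pe())` returns `{'urlmon.dll': ['URLDownloadToFileA']}`; pointing the parser at a real PE32 file read from disk lists every imported API the same way.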