Dr. Dread Professional Member
Joined: 03 Aug 2001 Posts: 1065 Location: Copenhagen, Denmark
Posted: Sat Jan 11, 2003 11:15 pm
And I checked up a bit on this. Trend states that the Pchaunt thingy should be detected
by the current PC-cillin engine - it comes up empty. Also I tried scanning some old VDS programs
that I have stashed away on a CD-ROM. The on-line scanner says they are infected, but several of these
files date back to 2000 - according to Trend, Pchaunt was first discovered Jul. 8, 2002.
So Trend's HouseCall scanner must be off on a wild goose chase here! Some pattern in VDS
exe files just happens to be similar to a Pchaunt pattern....
Greetz
Dread
_________________
~~ Alcohol and calculus don't mix... Don't drink and derive! ~~
String.DLL * advanced string processing
FreezingFire Admin Team
Joined: 23 Jun 2002 Posts: 3508
Posted: Sat Jan 11, 2003 11:22 pm
This is probably due to the fact that they are executed line by line (script)
and are not pure machine code. The fact that it is interpreted is probably
looking suspicious to the scanner.
However, how could you be "infected" when the joke program doesn't
spread?
_________________
FreezingFire
VDSWORLD.com
Site Admin Team
Mac Professional Member
Joined: 08 Jul 2000 Posts: 1585 Location: Oklahoma USA
Posted: Sun Jan 12, 2003 12:48 am
OK, got another reply back from Trend Micro. Looks like they're
gonna check it out more thoroughly. Gotta say I'm impressed with
two responses in less than 16 hours after my first email...
____________________________________________________________
Dear Customer,
Thank you for contacting Virus Doctor @ Trend Micro.
The files you sent have been forwarded to our Antivirus engineer to make a thorough analysis. Once they are done with their investigation, we'll immediately inform you.
If you are going to follow up your case, kindly specify ticket number: [number removed by Mac].
If you have any virus-related concerns, please contact us again.
Best Regards,
Margie Diaz
Virus Watch Team, Antivirus Group
TrendLabs HQ, Trend Micro Incorporated
____________________________________________________________
Cheers, Mac
_________________
VDSug.dll does file IO, check/disable menu items,
non-VDS dlls, draw functions and more...
Free download (30k dll size) at:
http://www.vdsworld.com/download.php?id=361
Mac Professional Member
Joined: 08 Jul 2000 Posts: 1585 Location: Oklahoma USA
Posted: Sun Jan 12, 2003 1:14 am
Well, now I'm really impressed - got another email already.
It was a faulty diagnosis, and they are taking steps to correct it.
Here's the last email:
____________________________________________________________
Greetings.
Thank you for contacting the TrendLabs!
We regret to inform you that after further processing and verification, the file TEST.EXE(8,704 bytes) you submitted was mistakenly tagged as a joke program. Corrective action has been done with regards to this false alarm with the attached scan pattern update. Please install the update on your system to avoid further misidentification.
On the other hand, the file VDSRUN30.DLL (332,800 bytes) is an exact copy of the Visual DialogScript 3 run-time engine. You can safely keep this file.
Be assured that we take pride in providing quality detection and protection. Rare instances such as this are attributed simply due to the emerging complexities of file structures even as viruses infect them.
For inquiries and follow-ups please retain the subject heading of this e-mail notification as it will serve as the case-ID reference for this issue.
For virus related inquiries, please send an email to: virus_doctor@support.trendmicro.com
For product related inquiries, please send an email to: support@support.trendmicro.com
Have a nice day!
Regards,
For inquiries and follow-ups please retain the subject
heading of this e-mail notification as it will serve as
the case-ID reference for this case.
Wilson Sauler
AntiVirus Group
TrendLabs HQ, Trend Micro, Inc.
____________________________________________________________
Cheers, Mac
_________________
VDSug.dll does file IO, check/disable menu items,
non-VDS dlls, draw functions and more...
Free download (30k dll size) at:
http://www.vdsworld.com/download.php?id=361
Garrett Moderator Team
Joined: 04 Oct 2001 Posts: 2149 Location: A House
Posted: Sun Jan 12, 2003 4:55 am
Trend wrote:
> Rare instances such as this are attributed simply due to the
> emerging complexities of file structures even as viruses infect them.
"emerging"???? VDS 3 has been out here now for how long? Didn't we go
through this BS with McCrappy AV and Snorton AV a few years ago? I
guess it was time for Trend to justify their existence this time.
What worries me is that with McCrappy and Snorton, they're notorious
for throwing up ghost virii alerts, but Trend was in the habit of doing that. I
worry now that they may have fallen for the same tactics as the other two.
-Garrett
cnodnarb Professional Member
Joined: 11 Sep 2002 Posts: 762 Location: Rockeledge, GA
Posted: Sun Jan 12, 2003 2:50 pm
Virus detection is not an exact science... they actually kind of have to pick an attribute of the virus and grab on... a string... a date... a registry entry... a file array name pattern... whatever. When a virus infects executables developed by others this becomes even more difficult....
BUT I still agree with Garrett. Most of the time the attributes of a virus they choose are far too ambiguous... they realize "new" technology is emerging so they purposely choose an ambiguous detection attribute... it really does further their revenue.
Mary Mom runs Trend's virus scanner, which detects that "Electro Mystic" or "WebWrite Pro" is actually a villain in disguise! All praise to Trend, says Mary Mom to all her friends and relatives over the telephone... after all... this essential product prevented her machine from self-destructing.
What can we do about it? Nothing. As dishonest as this is, it probably literally doubles these companies' revenue. The majority of programs are developed in well-known languages.... all they have to do is single these out and make certain they don't count as viruses. The rest of the development world is fair game. If I were in their shoes I'm not certain I would change it. Hate them if you want to... but it's all about the Benjamins.
NodNarb
PS This is of course speculation on my behalf. The only proof of what I say is the constant misdetection of valid executables as virus files, and you'll have to make your own decisions on the validity of this post.
Garrett Moderator Team
Joined: 04 Oct 2001 Posts: 2149 Location: A House
Posted: Sun Jan 12, 2003 7:57 pm
We're the ones who get hurt in the process. The last time this happened,
I had tons of email from people who thought I was trying to infect their
system. I would have to say it was more hate mail from these people than
anything. They don't bother to check into these things, they just assume
since the AV program said such programs as "Electro Mystic" or
"WebWrite Pro" were "Infected" or for that fact "Possibly Infected" that
we are guilty of attempting to destroy their system.
While Memory-Trax III was listed on ZD Net (back when they didn't charge
the authors) I had to constantly defend my program against comments left
by people who were duped into thinking my program was infected. This
may have affected the program's status as a shareware program and
pushed it to its demise.
Another thing that just seriously ticks me off, is the VBScript checking
of these programs and programs specifically just for script checking.
Every single one I have seen does not give the consideration that the
script trying to run is harmless at all. They just jump in the users face
with red lights flashing and scaring the user into thinking that this damn
program just saved them from another danger to their computer. All
the while, the damn script was totally harmless and a needed part of
something that was running on their system.
And again, who gets hurt in this process? We the authors do. The user
now thinks that we've tried to do harm to their system and sends us the
nasty emails. Now we've lost yet another potential sale, and we now
have to spend more valuable time trying to defend ourselves against a
mistake made by an AV program.
It's a shame we can't hold these companies responsible for such actions.
-Garrett
PGWARE Web Host
Joined: 29 Dec 2001 Posts: 1562
Posted: Sun Jan 12, 2003 9:06 pm
I wouldn't personally go as far as to blame the anti-virus companies for what they are trying to attempt. Sure, many of them are using simplistic techniques to diagnose a virus and thus in the process mislabel many valid programs as containing viruses.
I've received hundreds of emails from people complaining my files had viruses in them (when my software was compressed with a PE compressor). But a simple explanation to them of what's going on usually clarifies the matter.
The AV companies are trying their best, however there are just way too many different types of compilers out there to make sure you won't mislabel someone else's program as a virus.
The people who really are to blame are the losers who spend day and night writing viruses.
Garrett Moderator Team
Joined: 04 Oct 2001 Posts: 2149 Location: A House
Posted: Mon Jan 13, 2003 12:35 am
Well, just as another example, while Memory-Trax has been in
distribution since 1999, and has used a .vbs file to reclaim the memory
since that time, you'd think that after hundreds of people sending it in
to say Norton, that Norton would stop reporting my program as malicious
code?
Here's an email I just got today. This is similar to many I get on a
regular basis. So much so that I even put notes about this on my site,
but it does no good.
Quote:
> Dear Sirs...
> There appears to be some malicious code embedded in your MEMORY-TRAX III
> program. Norton Anti-virus detected it on my system and I have not been able to
> delete all of the program.
> First, I downloaded the program based on a recent recommendation from TechTV's
> show, Call_For_Help, however I was never able to get the program to operate properly.
> So I went into my Control Panel and used Add/Remove programs to delete it. Although
> it appeared that the program was deleted, a few hours later MEM-TRAX re-appeared.
> Today, Norton identified this program as trying to run malicious code. Although the
> program no longer appears in Add/Remove programs, it is still listed in my Program
> Files. I then went into the Programs folder, clicked on Memory-Trax III Uninstall.
> My computer immediately tried to re-install Windows Millennium Edition. I stopped that
> from proceeding as that would have wiped my computer clean.
> Next I used Norton CleanSweep to remove the program... It seems to have
> removed most of the files except the following...
> File 'C:\Program Files\Memory-Trax III\mem-trax.ini' -- Not deleted.
> File 'C:\Program Files\Memory-Trax III\mem-trax2.ico' -- Not deleted.
> File 'C:\WINDOWS\SYSTEM\MEMBG.HTM' -- Not deleted.
> It appears that most of Mem-Trax III is uninstalled, however the Uninstall feature of the
> program remains in my Program Files and when accessed it attempts to re-install
> Windows.
> Next I tried to rid my computer of this program using the System Restore function of
> Windows Millennium Edition by restoring the computer to the day prior to its download.
> Errors!!! My computer will not allow me to Restore to an earlier date.
> Please HELP!!! Please advise how I can rid my computer of this malicious program.
> Regards,
> Joe xxxxxxxx
As you can see, the user just assumes that the program is malicious
just because Norton says so, and in return, the person now thinks I've
tried to do something to his system. Seems he has other issues on his
system too, but it's not due to my program. And look what Norton made
this user go through trying to remove the program and supposedly clean
his system of my *MALICIOUS* program.
Now I have to spend the next 5 minutes trying to explain to the user that
my program is not malicious, and try to help fix what he's gotten himself
into.
Honestly, I don't mind helping people as I'm sure most of you know, but
it hurts me when the person I'm helping thinks I've tried to harm him or
his system.
I must admit though, the amount of these kinds of emails are minor
when compared to the emails I get thanking me for my program. But
still, after all these years now, I shouldn't be getting this kind of email.
-Garrett
cnodnarb Professional Member
Joined: 11 Sep 2002 Posts: 762 Location: Rockeledge, GA
Posted: Mon Jan 13, 2003 12:51 am
A little off topic, but I think I know what happened to Garrett's user.
What looks like happened is that the uninstaller or cleaner didn't eliminate the program group. He clicked on the uninstall shortcut and its "flashlight" search found the wrong program, which just so happens to be the Windows re-install program on his system. What luck, right?
Believe it or not, I've seen this sort of stuff happen a lot back when I did customer support.
NodNarb
Garrett Moderator Team
Joined: 04 Oct 2001 Posts: 2149 Location: A House
Posted: Mon Jan 13, 2003 2:29 am
This is only the second time I've seen this happen, and the first time I had
no clue as to what the heck was going on with regards to the uninstall
situation.
-Garrett
Tommy Admin Team
Joined: 16 Nov 2002 Posts: 746 Location: The Netherlands
Posted: Mon Jan 13, 2003 4:17 pm
The actual PC Haunt joke program was probably really written by someone in VDS.
I imagine Trend Micro only recently came across the file and then added the signature to
their database, not realizing that the signature appears in all VDS executables.
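The mechanism cnodnarb and Tommy describe above, as an added example that is not part of this thread and is neither Trend Micro's nor VDS's code: a toy byte-signature scanner in which a pattern "grabbed" from a joke program turns out to lie in the run-time stub that every program built with the same compiler shares, so it fires on every such program. The same scanner then shows the two corrections a vendor would make: choosing the signature from bytes that no known-clean file contains, and allowlisting the run-time engine itself by hash (which is effectively what Trend did when it cleared VDSRUN30.DLL as "an exact copy of the Visual DialogScript 3 run-time engine"). The stub layout, the sample "files" and the hash allowlist are all constructed for the example; the real VDS binary format is not described on this page.

```python
"""
Added example, not from the VDSWORLD thread: why a signature taken from a
shared run-time stub flags every program built with that run-time, and how
to pick one that does not.  All "files" are constructed byte strings.
"""
import hashlib
from typing import Dict, Iterable, Optional

# Constructed stand-in for the shared run-time loader stub.  Assumption:
# a "compiled" script is stub + separator + the program's own script text;
# the real VDS layout is not given on the page.
RUNTIME_STUB = b"MZ\x90\x00VDS-RUNTIME-STUB:load_script;run_script;exit"
SEPARATOR = b"\x00SCRIPT\x00"


def build_exe(script: bytes) -> bytes:
    """Simulate the compiler: every output starts with the same stub."""
    return RUNTIME_STUB + SEPARATOR + script


# Constructed samples: one joke program and two legitimate tools.
SAMPLES: Dict[str, bytes] = {
    "pchaunt": build_exe(b"title Haunt\nrepeat: warn Boo!\ngoto repeat\n"),
    "mem-trax": build_exe(b"title Memory-Trax\nfree memory\n"),
    "string-dll": build_exe(b"title String tool\nparse text\n"),
}
CLEAN_CORPUS = [SAMPLES["mem-trax"], SAMPLES["string-dll"]]


def signature_naive(malware: bytes, length: int = 16) -> bytes:
    """The mistake: take bytes near the start of the file.  That is the stub,
    which is identical in every program the compiler ever produced."""
    return malware[2:2 + length]


def signature_unique(malware: bytes, clean: Iterable[bytes],
                     length: int = 16) -> Optional[bytes]:
    """The fix: the first `length`-byte window that appears in no known-clean
    file.  Returns None when nothing distinguishes the sample from clean files,
    which is itself a useful signal (the "malware" may just be the run-time)."""
    clean = list(clean)
    for i in range(len(malware) - length + 1):
        window = malware[i:i + length]
        if all(window not in good for good in clean):
            return window
    return None


def scan_corpus(signature: bytes, files: Dict[str, bytes]) -> Dict[str, bool]:
    """Plain substring match, which is all a pattern scanner needs to do here."""
    return {name: signature in data for name, data in files.items()}


# Allowlist of known-good files by hash, the way a vendor clears a run-time
# engine that is byte-for-byte the vendor's own file.  Constructed entry.
KNOWN_GOOD_SHA256 = {hashlib.sha256(RUNTIME_STUB).hexdigest()}


def is_known_good(data: bytes) -> bool:
    """Exact-file allowlist check: hash match means skip the pattern scan."""
    return hashlib.sha256(data).hexdigest() in KNOWN_GOOD_SHA256


NAIVE_SIG = signature_naive(SAMPLES["pchaunt"])
UNIQUE_SIG = signature_unique(SAMPLES["pchaunt"], CLEAN_CORPUS)

if __name__ == "__main__":
    print("naive signature :", scan_corpus(NAIVE_SIG, SAMPLES))    # all True
    print("unique signature:", scan_corpus(UNIQUE_SIG, SAMPLES))   # only pchaunt
    print("run-time engine allowlisted:", is_known_good(RUNTIME_STUB))
```

The naive signature is sixteen bytes of the stub, so all three samples "match" exactly as the thread reports for HouseCall. The unique signature is forced past the shared prefix into the joke program's own script, and scanning the run-time engine against a corpus that already contains it yields no signature at all, which is the case where a hash allowlist rather than a pattern is the right answer.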
Garrett Moderator Team
Joined: 04 Oct 2001 Posts: 2149 Location: A House
Posted: Mon Jan 13, 2003 7:56 pm
cnodnarb wrote:
> A little off topic, but I think I know what happened to Garrett's user.
> What looks like happened is that the uninstaller or cleaner didn't eliminate the program group. He clicked on the uninstall shortcut and its "flashlight" search found the wrong program, which just so happens to be the Windows re-install program on his system. What luck, right?
> Believe it or not, I've seen this sort of stuff happen a lot back when I did customer support.
> NodNarb
Brandon, do you know how to get the uninstall problem solved?? The person in the email is asking. Seems my suggestion of just deleting all files related to my program didn't work.
-Garrett
FreezingFire Admin Team
Joined: 23 Jun 2002 Posts: 3508
Posted: Mon Jan 13, 2003 10:53 pm
Quote:
> As you can see, the user just assumes that the program is malicious ...
I too had my Norton Anti-Virus alert me that your program was trying to
run "malicious" code. While I understand your situation (the VBS script
was attempting to write to the registry it said) I mind Norton giving me the
option to stop a script that could potentially be doing "malicious" things
on my computer. However, I don't feel that it is necessary for Norton to
scare the user with a big red box and flashing lights, etc. that "A virus has
been detected on your computer". I jumped when I saw the initial alert
but since you have a good reputation I allowed it to run.
I think something good would be to put a run-once info box stating the
problem, and after it runs one or two times, write a registry key telling
your app that it has shown the information box. This way the user cannot
deny that you told them there are conflicts.
_________________
FreezingFire
VDSWORLD.com
Site Admin Team