c.haslam

AutoIt 3 seen as worm Sohanad/D

I think (know?) that the latest definitions falsely find autoit3.exe to contain a worm, Sohanad/D. KAV does not consider it to contain a worm. I have to disable Ad-Watch to be able to run AutoIt scripts.

...chris

[quote name='c.haslam' post='114258' date='Dec 12 2009, 03:12 AM']I think (know?) that the latest definitions falsely find autoit3.exe to contain a worm, Sohanad/D. KAV does not consider it to contain a worm. I have to disable Ad-Watch to be able to run AutoIt scripts.

...chris[/quote]

Hi Chris.

Thank you for reporting this.

When posting a false positive (FP) notification, you will help us identify the FP more quickly by following the below guidelines:

1. Upload the log file of the scan that detected the FP. Log files (XP, Vista and 7) are located in:

Ad-Aware 2008 users
C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\logs\Ad-Aware<date information>.log
Ad-Aware AE users
XP - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
Vista and 7 - C:\ProgramData\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
Ad-Aware 8.1 users
XP - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
Vista and 7 - C:\ProgramData\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log

To upload the file, click on the Browse button within your post, navigate to the log file's location, select the file then click the green UPLOAD button.

2. If the detected application is downloadable, provide a link to the download location.

3. If you have access to the detected file, upload it as described above; however, please be sure to zip your file first and use the password [b]infected[/b], since the forum will not accept the upload of .exe files or renamed .exe files.
If the detected file is not available, then a copy of the file from quarantine will suffice.
(Please, use an application like 7-Zip, ZipCentral or your preferred compression program to zip your file.)

Thanks!

1. The log file for the date in question (yesterday) is attached, but it does not show the positive. This may be because, while Ad-Watch is clearly working, an Ad-Aware Scan aborts the application after 8 to 10 seconds. I reported this earlier.

2. The link to AutoIt 3 is [url="http://www.autoitscript.com/autoit3/downloads.shtml"]AutoIt 3[/url]

3. AutoIt3.exe has been zipped and the zip file is attached.

...chris

Edited by LS CalamityJane: Removed attachment - no longer needed.

Hi Chris,

Thanks for the uploads - we will investigate this further and report back.

Regards,

Andy
Lavasoft Malware Labs

Dear Lavasoft-team and concerned users,

the AutoIt3.exe, which is the compiler from AutoIt3 to C++ (I guess), is itself detected as W32.Worm.Sohanad/D.
I think so because all my programs I wrote or customized from the source of other AutoIt3 programs are detected as W32.Worm.Sohanad/D when I execute them.
The compiled versions of those programs are also detected as W32.Worm.Sohanad/D when being executed.
I think the definitions should be defined more clearly, because AutoIt3 scripts are compiled to C++ and by default packed with UPX, just like the real worm (according to [url="http://www.avira.com/de/threats/section/fulldetails/id_vir/4212/worm_sohanad.as.html"]Avira[/url]).
When executing the scripts on a PC with AutoIt3 installed, the source code is compiled to C++, then executed and detected as W32.Worm.Sohanad/D.

I have attached some of those AutoIt3 scripts.
Please have a look at the untitled.au3 script, which is just a dummy script but is nevertheless detected as W32.Worm.Sohanad/D.

greetings PS2801

Edited by LS CalamityJane: Removed attachment - no longer needed.

Hi all,

Thanks for providing so much information. These detections have been fixed as of today's release. Please update Ad-Aware to get the latest definition file.

Regards,

Andy
Lavasoft Malware Labs
