-
Feb 8th, 2011, 08:25 PM
#1
Thread Starter
Frenzied Member
Ad-Aware reports Trojan
A small VB6 program I made for our group is being blocked by
Ad-Watch Live Alert. It won't let the program start saying it has
Trojan.Win32.VBinject.gen(v)
There is one entry called just 'VBInject' in the registry. It's under HKEY_USERS\S-1-5-21-73586283-1425521274-682003330-1003\Software\Microsoft\Search Assistant\ACMru\5603
But I think that's only there because I was searching for any files with that name. Nothing found and also AVG says my comp is clean.
Anyone else had this problem?
Can I do anything about it ?
Thanks, ABB
-
Feb 8th, 2011, 08:30 PM
#2
Re: Ad-Aware reports Trojan
Win32/VBInject is a generic detection for malicious files that are obfuscated using particular techniques to protect them from detection or analysis.
A malicious file is generally encrypted and/or compressed and stored inside another program, which decodes the malicious file and loads it. The malicious program may be injected into a clean process or loaded in a new process of its own. Unlike a “dropper”, the malicious executable is never written to disk as a separate file.
Malicious programs detected as Win32/VBInject can have virtually any purpose, as this technique is utilized by many different malware families in the wild in order to protect them from detection or analysis.
Sadly many people (including members here) write programs that contain other programs embedded as resources to be written out to disk at runtime.
This is a poor practice and even though it may not be process-injected it can trigger this sort of alert - even when benign.
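To make the generic detection described in this post concrete, here is an added example (not from the thread or any poster): a Python triage that looks for the two traits a Win32/VBInject-style heuristic reacts to, a second PE image carried inside the file and high-entropy (compressed or encrypted) regions. The file layout, window size and entropy threshold are assumptions, and the sample "executable" is constructed inline, with a pseudo-random blob standing in for a compressed payload.

```python
import hashlib
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_embedded_pe(data: bytes) -> list:
    """Offsets of every 'MZ' header after the host's (offset 0) whose e_lfanew
    field points at a 'PE\\0\\0' signature inside the file."""
    hits = []
    pos = data.find(b"MZ", 1)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def high_entropy_windows(data: bytes, window: int = 1024, threshold: float = 7.5) -> list:
    """(offset, entropy) for each full window at or above the threshold; packed or
    encrypted payloads sit near 8.0, plain code and text well below 7 (assumed cutoff)."""
    flagged = []
    for off in range(0, len(data) - window + 1, window):
        h = shannon_entropy(data[off:off + window])
        if h >= threshold:
            flagged.append((off, round(h, 2)))
    return flagged

def build_stub_pe(pe_offset: int = 0x80) -> bytes:
    """Constructed minimal DOS header plus PE signature, enough for the scan above."""
    hdr = bytearray(pe_offset + 4)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe_offset)
    hdr[pe_offset:] = b"PE\x00\x00"
    return bytes(hdr)

# Constructed sample: host image padded to one window, a 2 KiB pseudo-random blob
# standing in for a compressed payload, then an uncompressed embedded PE image.
HOST = (build_stub_pe() + b"Private Sub Main()\r\n" * 40).ljust(1024, b"\x00")
PACKED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
EMBEDDED = build_stub_pe() + b"MsgBox \"embedded program\"\r\n" * 30
SAMPLE = HOST + PACKED + EMBEDDED
```

Either indicator on its own is only a reason to look closer; a plain VB6 executable with string resources should produce neither.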
-
Feb 9th, 2011, 12:29 AM
#3
Thread Starter
Frenzied Member
Re: Ad-Aware reports Trojan
I'm not sure what you mean by "programs embedded as resources to be written out to disk at runtime."
and the bits you quoted don't mean much to me, except I don't think it applies! There's nothing 'extra'
in mine, it's just a VB6 compressed exe. I'm at a loss what's going on. I was using a reference to
Microsoft Scripting Runtime but removing that made no difference.
The other references are:
Visual Basic For Applications
Visual Basic runtime objects and procedures
Visual Basic objects and procedures
OLE Automation
Microsoft XML, v2.6
Microsoft DAO 3.51 Object Library
Microsoft Excel 12.0 Object Library
Is it likely to be one of them? If not, what possible VB code might cause this?
Thanks for any suggestions.
-
Feb 9th, 2011, 04:41 AM
#4
Re: Ad-Aware reports Trojan
The thing that jumps out at me is the word compressed in "it's just a VB6 compressed exe".
I have no idea what you used to compress it, but there is a good chance that it adds a hidden executable inside yours to re-expand yours to its full state before running it - and if so that hidden executable is almost certainly the cause.
Try using an uncompressed version of your executable, and see if that has the same issue.
-
Feb 9th, 2011, 04:54 AM
#5
Thread Starter
Frenzied Member
Re: Ad-Aware reports Trojan
My apologies Si - when I said 'compressed' I meant compiled.
It seems the problem is unique to Ad-Aware. Tests with Spybot or Super Anti Spyware show no problem.
-
Feb 9th, 2011, 08:46 AM
#6
Re: Ad-Aware reports Trojan
I had a false positive from MalwareBytes picking up on a couple of my personal Apps. I got in touch with the dev team and it turned out to be a fluke coincidence and was very easy to solve. They understandably do not want the techniques they use to identify a virus made public so I won't say what I had to change. Have you got in touch with the Ad-Aware team??
Last edited by Milk; Feb 9th, 2011 at 09:07 AM.
Reason: added link
-
Feb 9th, 2011, 07:17 PM
#7
Thread Starter
Frenzied Member
Re: Ad-Aware reports Trojan
Hi Milk,
Thanks for the info, it's good to know you had a resolution. Yes I did email Ad-Aware, but I think I'd be very surprised if they even read it.
Maybe I'm wrong... time will tell. In the meantime I've made other small VB6 utilities which aren't reported as trojans, so when time permits I'll slowly remove parts of the code until the alert stops, then replace it piece by piece and identify what exactly is causing it.
Regards, ABB
-
Feb 9th, 2011, 07:37 PM
#8
Re: Ad-Aware reports Trojan
I would go the false positive forum route (linked to), had my issue resolved within a couple of hours (admittedly a different company) . Even though the Apps in question were not public, they were still very helpful.
-
Feb 9th, 2011, 07:39 PM
#9
Re: Ad-Aware reports Trojan
Most anti-virus packages might be tolerant of an embedded EXE that isn't determined to be compressed or encrypted. Maybe in this one they've decided all injectors and droppers are a hazard.
Droppers aren't exactly a legit technique anyway. If anything I would expect more anti-virus makers to flag them in the future.
-
Feb 9th, 2011, 07:44 PM
#10
PowerPoster
Re: Ad-Aware reports Trojan
Don't use Ad-Aware and AVG. They don't work very well, and also they don't work right. AVG could be telling you that it hasn't found a virus, and then it has then been attacked by a Virus, after that. Use Norton Anti-Virus and Uniblue Registry Booster 2011. They work very well, indeed!!
Then check your Source Code, for the calls to the Registry Entry, that is called: VBinject. That is your problem. The person that gave you that Source Code, is a very bad person. That is where the problem lies, that Registry Entry. Remove It!! Then Scan again, until everything is safe, and secure on your machine. Then remove that part of your Source Code, then get better Source Code.
Also: I might be able to help your work with this. Could you post your Source Code, in the CODE tags, please kind person???
I have a huge free products range, of computer software in which you can download using any kind of 64-Bit Web Browser. Also there is coming a Social Networking section that I am making on my Website...
|Ambra Productions Inc. | The Black Sun Society | The Black Shield | Ambra College | Church of the Black Sun | Ambra Productions Inc's Homepage | Boomtick Venues: Ambar Nightclub, Jack Rabbit Slim's, Villa Nightclub and Lucy's Love Shack | Pasta Ambra | Fish Feast Company | Wallet Wizard | Ambrose Liquor | Ambar Tavern | Ambra University | Ambra Cheese |
Do you wish to do unpaid work for me??? If so, the PM me on this Forum, and then we can get to work, programming for the future of computers go by the name of ThEiMp. This is my ghost writers name. Also my nickname, means that I am: The Imperial of the Technology Industry, so then to make it really short, I just then wrote: The Imp, which is where I get the nickname from...
-
Feb 9th, 2011, 07:52 PM
#11
Re: Ad-Aware reports Trojan
Just to be clear, the apps of mine in question had no resources but strings and they did nothing dodgy whatsoever. Certainly no injection. It was merely a bizarre coincidence.
-
Feb 9th, 2011, 08:10 PM
#12
PowerPoster
Re: Ad-Aware reports Trojan
Like I said: "Don't use Ad-Aware and AVG Anti-Virus, they don't work right, or even at all!!"
-
Feb 9th, 2011, 10:29 PM
#13
Re: Ad-Aware reports Trojan
In my experience, Norton is a monstrous resource hog, and I don't like it for that reason.
(To be clear: I don't mean to start an antivirus debate since that would derail this thread. I just wanted to give the OP an alternate opinion to ThEiMp's.)
The time you enjoy wasting is not wasted time.
Bertrand Russell
<- Remember to rate posts you find helpful.
-
Feb 10th, 2011, 03:10 AM
#14
Thread Starter
Frenzied Member
Re: Ad-Aware reports Trojan
Hi ThEiMp and group,
I am the author, although I did use a couple of routines found via Google. They don't appear to call the registry and there is no mention of 'VBinject'.
These are
Public Function MyFolderExists(Path As Variant) As Boolean
with declarations
Private Const mcstrValidPathToFolder As String = "C:\temp"
Private Const mcstrInvalidPathToFolder As String = "C:\temp2"
and
Function DecodeBase64(ByVal strData As String) As Byte()
Private Function EncodeBase64(ByRef arrData() As Byte) As String
These set up objects
Dim objXML As MSXML2.DOMDocument
Dim objNode As MSXML2.IXMLDOMElement
There's one other function credited
'Most APIs from Doug Steele
But I have used that in other VB6 programmes that AdAware hasn't objected to.
Its purpose is to rename certain files. It copies them to a backup Folder and moves them to a working folder, (which it creates off the Backup folder). The files are then renamed back to the original folder and the Working folder is deleted. The original files remain in the Backup Folder. It is designed to be run once to help users do a necessary update.
I don't really want to post the source as it may not hold up to scrutiny of experienced programmers. I am an amateur !
Had never heard the term 'False Positive' before. I don't have Ad-Aware, it was an Ad-Aware user who alerted me to the problem. I may be able to get the log and apply via the link you sent. Thanks, Milk; and everyone for their input.
Regards, ABB
-
Feb 10th, 2011, 06:20 PM
#15
PowerPoster
Re: Ad-Aware reports Trojan
Your project has been hijacked then. You must clean off the Virus off the system...
-
Feb 10th, 2011, 06:38 PM
#16
Thread Starter
Frenzied Member
Re: Ad-Aware reports Trojan
>Your project has been hijacked then. You must clean off the Virus off the system...
What nonsense.
-
Feb 11th, 2011, 07:45 PM
#17
PowerPoster
Re: Ad-Aware reports Trojan
-
Feb 11th, 2011, 07:56 PM
#18
Thread Starter
Frenzied Member
Re: Ad-Aware reports Trojan
Well ThEiMP if you're right I'll be the first to apologise. But there are many reasons I don't believe it. There isn't a virus on my system, and the project hasn't been anywhere else. Also three different malware programs have checked the program and only Ad-Aware says there's a problem.
So I'm going to follow Milk's suggestion and log it as a False Positive.
This is a first for me, if anything comes of it I'll advise here in case it's of interest to anyone else.
-
Feb 11th, 2011, 08:02 PM
#19
Re: Ad-Aware reports Trojan
 Originally Posted by AlexanderBB
if anything comes of it I'll advise here in case it's of interest to anyone else.
I'm curious (so I'm interested in the outcome, if any).
-
Feb 11th, 2011, 08:03 PM
#20
Re: Ad-Aware reports Trojan
Have your ad-aware user check for updated definitions, download them, and try against your app again. False positives (saying something not bad is bad) are not too uncommon. Several months ago, I was getting virus alerts on this forum and alerted the admins. It persisted for hours. My virus app automatically updated later in the day & guess what.... no more alerts from this forum. It could be possible a similar situation exists with your customer.
Also, Ad-Aware is free. You can download it and see if it alerts on you too.
http://www.lavasoft.com/
Edited. One more point. This happened on someone else's computer, right? Well, it is possible that person's copy of your app got infected?
Last edited by LaVolpe; Feb 11th, 2011 at 08:07 PM.
-
Feb 12th, 2011, 02:00 PM
#21
Re: Ad-Aware reports Trojan
>This happened on someone else's computer, right?
And had they upgraded/ update Ad-Aware lately?
-
Feb 12th, 2011, 05:28 PM
#22
PowerPoster
Re: Ad-Aware reports Trojan
-- What kind of operating system are they running on their machine, also what kind of operating system was it written on???
-
Feb 12th, 2011, 07:07 PM
#23
Thread Starter
Frenzied Member
Re: Ad-Aware reports Trojan
The other person has tested other VB apps of mine and only this one is affected. Both of us have Win XP. I'm not sure how updated their Ad-Aware is, I'll check that out. I tried to download a copy but the link (although it said free) then insisted you pay or else choose 1 in 12 'something-or-others'
first. I declined to play their silly game - whatever it was! Also their forum for reporting 'false positives' has not yet replied to my registration. They said 10mins but it's now 24 hours plus. I'll give it another day, then try again.
-
Feb 12th, 2011, 07:23 PM
#24
PowerPoster
Re: Ad-Aware reports Trojan
Sounds like they have changed their type of method, for Ad-Aware. Because when I was using it, it was totally free, and no third party stuff, at all. However I tried the C-Net download of it, instead. Also this was the free version of the product, but that was about ten years ago!!