10 Replies. Latest reply on Nov 17, 2014 10:23 PM by catdaddy

    False Artemis!9A1ED0A5F625

    hkisit

      Hi,

      I have submitted a sample for analysis and am waiting for the reply. Analysis ID: 9188294.

      I downloaded a command line calculator program (calc.exe) from SourceForge.net, "Command Line Calculator".

      A manual scan by McAfee is clean. I have another program "A" that calls this calculator.

      When program "A" gives an error result, I find the calculator program has disappeared and has actually been quarantined as a suspected Trojan.

      It just keeps getting periodically quarantined, even after I restore it.

      It is disturbing! If it is bad, why does a manual scan tell me it is clean every time?

      I submitted the file to Metascan-online.com, and only 3/41 scan engines (incl. McAfee) find a threat.

      My question is: in the Quarantine Item Details, it also shows some registry keys.

      Does that mean it is caught when it attempts to change those keys?

      Screenshot as below. Thanks for any help!

      [screenshot: mcafee.png]

        • 1. Re: False Artemis!9A1ED0A5F625
          Peacekeeper

          You should get a tech popping in here soon; if not, ask and I will stir him up. Best to give it a couple of days before you ask.

          Your original name was unsuitable; it was renamed to hkisit to avoid the censors.

          You will need to log out and log in again.

          OK, I see this is a corporate program detection as well; as you have SafeBoot installed, you will have Enterprise as well, I assume.

          • 2. Re: False Artemis!9A1ED0A5F625
            catdaddy

            hkisit,

            The file (calc.exe) can be a legitimate Windows file. However, it can also be disguised as malware depending on where you have downloaded it from. See this site and the detections; scroll down to where the different anti-virus engines have detected it, including McAfee: calc.exe | ThreatExpert statistics

            As with all malware/PUPs, they have different variants. I recommend running the latest McAfee Stinger/McAfee Rootkit Remover (read how to use). Follow up with Malwarebytes (Free) for a second opinion.

            To keep Malwarebytes (Free), DO NOT accept any free trial offers or activate the Pro version at any point throughout the download/installation process. The Free version will suffice.

            You can obtain these free, superb tools here: Anti-Spyware/Malware & Hijacker Tools

            You may find the following article most informative as to how this may have arrived on your system:

              PUPs - Potentially Unwanted Programs - Basics

            All the very best,

            Catdaddy

            McAfee Volunteer Moderator

            Consumer Products

            • 3. Re: False Artemis!9A1ED0A5F625
              catdaddy

              Just noticed that you are possibly running Enterprise software; if so, they have different methods compared to the consumer software for addressing these particular detections. The above recommendations are for the consumer McAfee applications.

              • 4. Re: False Artemis!9A1ED0A5F625
                catdaddy

                You may try uploading the file to www.virustotal.com also.

                • 5. Re: Re: False Artemis!9A1ED0A5F625
                  hkisit

                  Thanks for your reply.

                  Yes, I have been aware of the potential infected/disguised file issue.

                  The file checksum is the same as the file from sourceforge.net.

                  On the same date as the submission (5-Nov), I got a reply from "Virus_Research(at)avertlabs.com" that automated analysis was not able to determine it.

                  So I wait.

                  Still on the same date (5-Nov), I downloaded GetSusp. After the scan, a few files (including calc.exe) were submitted with WorkItemID: 1496085.

                  3 minutes later, I received an email with EXTRA.DAT attached, saying "ID Number: 1496085 Identified: Generic.TRA", and only calc.exe is listed.

                  Does that mean the file calc.exe is confirmed malicious? Or do I need to wait?

                  Today (11-Nov) I just found that a manual Scan On Demand will detect it as an Artemis Trojan if I set the Artemis sensitivity to "very high".

                  If the sensitivity is "high" or lower, no detection is found (DAT version 7618.0000).

                  The detection ratio from virustotal.com is 2/53. The database update is 20141110 or 20141111.

                  McAfee and McAfee-GW-Edition both state not detected.

                  - F-Prot: W32/AutoIt.BQ.gen!Eldorado

                  - TheHacker: Trojan/Dropper.gen

                  The file calc.exe was compiled by Microsoft AutoIt. The author has also included the source code on sourceforge.net (just around 10 lines of code).

                  I suspect that by default AutoIt may include some sensitive DLL not actually called in calc.exe, which may be considered "dangerous" by some engines?

                  I will try to compile it again myself and see whether there is any unnecessary resource linkage I can eliminate, and see if this makes any difference.

                  Thanks for reading this long story!

                  • 6. Re: False Artemis!9A1ED0A5F625
                    Peacekeeper

                    Asked a tech to comment

                    • 7. Re: False Artemis!9A1ED0A5F625

                      Artemis means it's a behavioural detection, not a known/unknown condition. So you need to submit it as a false positive if indeed the file has no malicious behaviour.

                      It's triggering on a number of detections which are usually only seen in malware (don't ask what; I am not going to tell). This might just be bad luck, or it might be an indication that things are not what they seem.

                      • 8. Re: False Artemis!9A1ED0A5F625
                        catdaddy

                        hkisit,

                        As SafeBoot suggested, I would resubmit just in case. I might add, I have contacted a McAfee Labs technician/engineer to take a look at your Work Item ID # from your submittal through GetSusp, and your Analysis ID # as well.

                         

                        All the best,

                        Catdaddy

                        McAfee Volunteer Moderator

                        Consumer Products

                        • 9. Re: False Artemis!9A1ED0A5F625
                          hkisit

                          After further web searching, I found that AutoIt-compiled EXEs are quite well known for false positives by anti-virus.

                          The AutoIt Wiki reads: "The most common cause is an AntiVirus engine has found a set of instructions in an AutoIt EXE and deemed it malicious, took the general signature of the file, and has now flagged all (or most) AutoIt EXE's."

                          http://blogs.mcafee.com/mcafee-labs/autoit-and-malware-whats-the-connection

                          The Labs seem to have no concern about false positives, though ...

                          Some other forum members mentioned it could have different anti-virus detection results for different AutoIt compile options. I decompiled the original calc.exe. The script has no obfuscation, and clearly it just does the simple task of passing an arithmetic expression for calculation and returning the result. I then compiled the EXE with different options (compression level, pack/no pack with UPX, ...). Now I have a few candidates and pitifully wait to see which can "survive".

                          Scan on demand (Artemis sensitivity: Very high) reports an Artemis detection for one or two EXEs (I do not remember which; maybe those packed with UPX) and no detection for the others. Interestingly, they all report a higher detection ratio on virustotal.com than the original calc.exe (4/53 or 5/53 against 2/53).

                          One or two days later, they (including the original calc.exe) are quarantined by the background scan. A re-scan states they are all actually clean. I speculate Artemis detection does not care about definition file updates. What's the use of appealing a false positive, indeed?

                          [screenshot: mcflow.png]

                          [screenshot: mcafee7620.png]

                          [screenshot: mcafee7621.png]

                          [screenshot: mcafee7624.png]

                          Now I have only one candidate (does it look "nice" enough?) that has never yet been detected by Artemis.

                          Still the same source script, but this one I assigned an icon to when compiling ... Yes, this silly thing makes a difference!

                          I will wait for one week, and if this candidate is never quarantined, I will deem my problem solved.

                          The information written above is for reference for folks who run into similar trouble.
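The checks hkisit ran by hand in posts 5 and 9 (comparing the checksum with the SourceForge download, then rebuilding with and without UPX to see which build trips Artemis) can be scripted so that every candidate is described the same way before it is submitted as a false positive. The block below is an added example written for this page; it is not code from the thread, from McAfee or from the calculator's author. It is a standard-library Python 3 triage script that verifies a SHA-256 against a publisher-stated hash, looks for AutoIt markers, and reports UPX section names and per-section entropy by walking the PE section table. The marker strings in `AUTOIT_MARKERS` (the ones public YARA rules tend to use) are an assumption, the PE images produced by `build_sample_pe` are constructed test inputs rather than the real calc.exe, and no hash is hard-coded because the thread does not give one.

```python
import hashlib
import math
import struct

# Byte patterns commonly used (for example in public YARA rules) to recognise
# AutoIt-compiled executables. The exact strings are an assumption of this example.
AUTOIT_MARKERS = (b"AU3!EA06", b"This is a third-party compiled AutoIt script.")
# Section names the UPX packer leaves behind.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data):
    """Bits per byte: close to 8.0 means packed or encrypted, well below that means plain code/text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Walk DOS header -> PE signature -> COFF header -> section table; return name, raw size, entropy."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_header_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_header_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return sections


def triage(pe, expected_sha256=None):
    """What a false-positive write-up needs: hash match, AutoIt markers, UPX sections, packed-looking sections."""
    digest = hashlib.sha256(pe).hexdigest()
    sections = parse_sections(pe)
    names = {s["name"] for s in sections}
    return {
        "sha256": digest,
        "hash_matches_publisher": None if expected_sha256 is None else digest == expected_sha256.lower(),
        "autoit_markers": [m.decode() for m in AUTOIT_MARKERS if m in pe],
        "upx_sections": sorted(names & UPX_SECTION_NAMES),
        "high_entropy_sections": [s["name"] for s in sections if s["entropy"] > 7.0],
        "sections": sections,
    }


def build_sample_pe(section_specs):
    """Assemble a minimal PE image (DOS header, PE signature, COFF header with an empty optional
    header, section table, raw section data). Constructed test input for the parser above; it is
    not loadable and is not the calc.exe discussed in the thread."""
    header_size = 64 + 4 + 20 + 40 * len(section_specs)
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff_header = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, 0, 0x0102)
    table, body = b"", b""
    for name, data in section_specs:
        raw_ptr = header_size + len(body)
        table += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), len(data), 0x1000,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
    return dos_header + b"PE\0\0" + coff_header + table + body


# Two constructed builds of the same tiny script, mirroring the thread's experiment:
# a plain build and a UPX-style packed build (UPX section names, high-entropy body).
PLAIN_BUILD = build_sample_pe([
    (b".text", b"\x90" * 512),
    (b".rsrc", b"AU3!EA06" + b"ConsoleWrite(Execute($CmdLine[1]))\r\n" * 8),
])
PACKED_BUILD = build_sample_pe([
    (b"UPX0", b""),
    (b"UPX1", bytes(range(256)) * 4 + b"AU3!EA06"),
])

if __name__ == "__main__":
    for label, build in (("plain", PLAIN_BUILD), ("packed", PACKED_BUILD)):
        report = triage(build, expected_sha256=hashlib.sha256(build).hexdigest())
        print(label, {k: v for k, v in report.items() if k != "sections"})
        for s in report["sections"]:
            print(f"  {s['name']:<8} {s['raw_size']:>6} bytes  entropy {s['entropy']:.2f}")
```

Run it against a real download by replacing the constructed images with `open("calc.exe", "rb").read()` and passing the hash the publisher lists as `expected_sha256`. A mismatching hash ends the investigation (the file is not what the publisher shipped); a matching hash plus AutoIt markers and UPX sections is exactly the profile the thread describes, and is worth stating in the false-positive submission so the analyst does not have to rediscover it.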
