flat assembler
Message board for the users of flat assembler.

Index > Windows > Hello world FASM program detected as virus. Why?

OzzY 14 Jan 2008, 23:56
This code:
Code:
format PE GUI 4.0
include 'win32ax.inc'

start:
        invoke MessageBox,0,'hello world',' ',0
        ret
.end start


When assembled, it is detected by AVIRA Antivir. Why?
Is it time to change the AV?

LocoDelAssembly 15 Jan 2008, 00:12
Today everything is a virus, even those installers that auto-click the "do you want to install this unsigned driver" dialog are considered "trojan auto clicker".

Perhaps this time it is that the heuristics found that the file has too few sections or the code section has too many permissions (read, write and execute instead of read/execute) and hence it surely must be packed and crypted.

AV companies are so used to very bloated executables that now every non-bloated thing is considered a virus. I wonder if there is an AV that is worth using nowadays...
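The two layout traits this post speculates about (very few sections, and a code section that is readable, writable and executable at once) are both visible in the PE section table and are cheap to check. The script below is an added example, not code from this thread or from the fasm project: it parses the section table of a PE image, reports those two traits, and builds two header-only test images so it runs offline. The ".flat" name is what I believe fasm gives the single section of a PE with no section directives; the three-section image stands in for ordinary compiler output, and the thresholds are this example's own, not any AV vendor's real rules.

```python
import struct

# Section characteristic flags, values from the PE/COFF specification.
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return one dict per section (only the fields used here are kept)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, _stamp, _symptr, _nsyms,
     opt_size, _flags) = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, va, rawsize, _rawptr, _relocs, _lines, _nrelocs, _nlines,
         chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": va,
            "raw_size": rawsize,
            "characteristics": chars,
        })
    return sections


def layout_findings(sections, min_sections=3):
    """Flag the two traits discussed in the post. The threshold is this
    example's own choice, not a reconstruction of any product's rules."""
    findings = []
    if len(sections) < min_sections:
        findings.append("only %d section(s); compiler output usually has %d or more"
                        % (len(sections), min_sections))
    for s in sections:
        c = s["characteristics"]
        if (c & IMAGE_SCN_MEM_EXECUTE) and (c & IMAGE_SCN_MEM_WRITE):
            findings.append("section %r is writable and executable" % s["name"])
    return findings


def build_test_pe(section_specs):
    """Construct a header-only PE32 image (for parsing only, not loadable)
    with the given list of (name, characteristics) sections."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    optional = bytearray(224)                    # size of a PE32 optional header
    struct.pack_into("<H", optional, 0, 0x10B)   # PE32 magic
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0,
                       len(optional), 0x0102)    # i386; EXECUTABLE_IMAGE | 32BIT_MACHINE
    table = b""
    for i, (name, chars) in enumerate(section_specs):
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                             0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
                             0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + table


# Constructed samples: one RWX ".flat" section versus a typical three-section image.
FLAT_PE = build_test_pe([(".flat", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ
                          | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)])
TYPICAL_PE = build_test_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    for label, image in (("flat", FLAT_PE), ("typical", TYPICAL_PE)):
        print(label, layout_findings(parse_sections(image)) or ["no findings"])
```

Run against a real binary with `layout_findings(parse_sections(open(path, "rb").read()))`. A hit on either trait says only that the file does not look like typical compiler output; an assembler that puts code and data in one RWX section trips it by design, which is exactly why such a heuristic on its own produces the false positive the thread is about.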
revolution 15 Jan 2008, 00:23
I never have any problem with the AV programs running on my PCs. So what is my AV? My AV is nothing. I don't bother to use one.

Just turn off scripting in email and browsers, don't download all the crap available just because it looks nice, write all your own programs and never connect directly to the Internet (use a router). And for those times when you just want to make sure of something, go to virustotal.com. Simple and effective. Never had a virus.
OzzY 15 Jan 2008, 00:26
I'm thinking the same thing. I don't know what's worse, if it doesn't detect the virus or if it detects a program that's not a virus as a virus.

I'm thinking of trying this GPL'ed AV: http://sourceforge.net/projects/moonav
It may not detect everything, but at least the source is available and it seems not to give too many false alarms.
OzzY 15 Jan 2008, 00:27
revolution wrote:
I never have any problem with the AV programs running on my PCs. So what is my AV? My AV is nothing. I don't bother to use one.

Just turn off scripting in email and browsers, don't download all the crap available just because it looks nice, write all your own programs and never connect directly to the Internet (use a router). And for those times when you just want to make sure of something, go to virustotal.com. Simple and effective. Never had a virus.

I do this. But family who don't know how to use the computer won't do that.
And I hate cleaning crap.
vid 15 Jan 2008, 00:43
I guess it's the non-standard layout of PE sections... this really doesn't appear in any real file.
zxcv 15 Jan 2008, 01:04
Quote:
Just turn off scripting in email and browsers, don't download all the crap available just because it looks nice, write all your own programs and never connect directly to the Internet (use a router). And for those times when you just want to make sure of something, go to virustotal.com. Simple and effective. Never had a virus.

I have full scripting, old Firefox, download all files (even when I know it's a virus), and I'm connected to the internet with a public IP, having no firewall and no AV. Haven't had any problem with viruses/malware for ~3 years.

Quote:
Is it time to change the AV?

Ask yourself, do you really need it.
revolution 15 Jan 2008, 01:09
zxcv wrote:
I have full scripting, old Firefox, download all files (even when I know it's a virus), and I'm connected to the internet with a public IP, having no firewall and no AV. Haven't had any problem with viruses/malware for ~3 years.
I don't believe you if you are running Windows and even *nix would be very unlikely to be immune to problems after 3 years. I suggest you check you are not spamming me and the rest of the world with your botnetted PC.
zxcv 15 Jan 2008, 01:14
Quote:
I suggest you check you are not spamming me and the rest of the world with your botnetted PC.

Hmm, I'm not 100% immune, it would be hard to detect a spoofed DLL or something.
However, I know all my DLLs and processes with their locations, using a non-system driver to scan them, and that gives me a 99.(9)% chance of being safe. 30 seconds of reading after boot is enough to be sure, same after launching an infected file.

3 years ago I had a trojan horse, first and last time =) That's how I started to learn about computers.
DOS386 15 Jan 2008, 06:02
Quote:
This code:
When assembled, it is detected by AVIRA Antivir. Why?

1. Known issue: see FAQ in Main

2. The amount of false positives is increasing. Why? Increasing amount of "good" bloat and increasing amount of known viruses. There must be collisions. Further, as other people wrote, FASM produces "non-standard" executables.

You can report this issue to the maintainers, they probably will "fix" this, but I bet it will take less than 3 months before we get the next "Virus in FASM !!!" thread here.

PS: I don't use any "antivirus" program, and I don't have trouble with virii ...


Last edited by DOS386 on 01 Dec 2008, 08:32; edited 3 times in total
LocoDelAssembly 15 Jan 2008, 15:03
No DOS386, it is a new issue, those links talk about a different "virus" and it is located in FASMW.exe, while the problem with Ozzy is that FASMW.exe passes the shield but the very simple hello world example does not.
OzzY 15 Jan 2008, 17:52
Would anyone be interested in creating an AV program in FASM?
It would be simple, light-weight and fast.
AlexP 16 Jan 2008, 01:14
lol string scanning?? I've always thought of an AV type that would create a fast hash of the file being scanned, and then search a binary tree quickly for it. Like MD5, except virus writers could collide that probably. I can't even get MD5 going, the "little-endian" is getting very confusing as to how it is supposed to be. Almost little-endian'ized every constant in the whole algo to try and see what's wrong with it! Almost no complete docs for a step-by-step MD5 hash either, like a FIPS or somethin'.
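The little-endian confusion in the post above is limited to exactly three places in MD5 (RFC 1321): the 64-bit bit-length appended during padding, the sixteen 32-bit message words of each block, and the four state words written out as the digest; the round constants and rotation amounts are plain integers and must not be byte-swapped. The following is an added example, not code from this thread: a straight RFC 1321 MD5 with those three spots marked, a cross-check against the standard library, and the exact-digest lookup the post describes, against a constructed list of sample digests. The collision worry is justified, since practical MD5 collisions have been public since 2004, and the last test shows the other weakness of exact-digest matching: a one-byte change produces an unrelated digest.

```python
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF

# Per-step rotation amounts and sine-derived additive constants from RFC 1321.
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md5(message: bytes) -> bytes:
    """RFC 1321 MD5. Byte order matters in exactly three places, each marked
    'LE' below; everything else is ordinary 32-bit modular arithmetic."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", (len(message) * 8) & 0xFFFFFFFFFFFFFFFF)  # bit length, LE

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(padded), 64):
        M = struct.unpack("<16I", padded[off:off + 64])  # 16 message words, LE
        A, B, C, D = a0, b0, c0, d0
        for i in range(64):
            if i < 16:
                F, g = (B & C) | (~B & D), i
            elif i < 32:
                F, g = (D & B) | (~D & C), (5 * i + 1) % 16
            elif i < 48:
                F, g = B ^ C ^ D, (3 * i + 5) % 16
            else:
                F, g = C ^ (B | ~D), (7 * i) % 16
            F = (F + A + _K[i] + M[g]) & MASK32
            A, D, C, B = D, C, B, (B + _rotl(F, _S[i])) & MASK32
        a0, b0, c0, d0 = ((a0 + A) & MASK32, (b0 + B) & MASK32,
                          (c0 + C) & MASK32, (d0 + D) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)  # four state words out, LE


def matches_stdlib(message: bytes) -> bool:
    """Cross-check this implementation against hashlib's MD5."""
    return md5(message) == hashlib.md5(message).digest()


# Constructed sample digests standing in for a real signature database.
KNOWN_SAMPLES = {
    md5(b"constructed sample body #1"): "Sample.Constructed.A",
    md5(b"constructed sample body #2"): "Sample.Constructed.B",
}


def lookup(file_bytes: bytes):
    """Exact-digest lookup. A hash set gives O(1) membership, which is all the
    post's binary-tree search is for. Returns the sample name or None."""
    return KNOWN_SAMPLES.get(md5(file_bytes))


if __name__ == "__main__":
    print(md5(b"abc").hex())
    print(lookup(b"constructed sample body #1"), lookup(b"constructed sample body #1 "))
```

Test vectors worth keeping at hand: the empty string hashes to d41d8cd98f00b204e9800998ecf8427e and "abc" to 900150983cd24fb0d6963f7d28e17f72; if an implementation gets those right but fails on inputs longer than 55 bytes, the padding or the multi-block state carry is wrong rather than the byte order.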
DOS386 16 Jan 2008, 01:28
LocoDelAssembly wrote:
it is a new issue
...
while the problem with Ozzy is that FASMW.exe pass the shield but the very simple hello world example does not.


I did notice ... but still both are false positives and the reason for them is very similar.
edfed 16 Jan 2008, 01:44
yeah, I'm interested in virii writing, to know exactly how to fix them.
Because building a LAN OS needs to have deep native protection.
OzzY 16 Jan 2008, 03:41
edfed: Are you interested in creating a simple AV for learning purposes?
I know nothing about creating AVs, but that would be good research/knowledge.
edfed 16 Jan 2008, 03:53
I know how to make a hardcore virus, because each time I cannot reach my objectives, I find a virus, something that can be very dangerous if broadcast.
AlexP 16 Jan 2008, 16:56
edfed: Pretty much anybody here can make a good metamorphic if they spend a few months on it, virus writing isn't at all like the movies. Like where they quick "hack into a port" in less than a second and execute something inside their OS remotely lol that would be crazy if a good enough glitch was found inside Windows, or just a cheap foreign driver nonetheless
null1024 17 Jan 2008, 01:51
OT: It may just be that virus scanner. Avast! and Symantec turn up nothing after I assemble that code.
OzzY 17 Jan 2008, 05:21
I used to code viruses for fun, but I never released them into the wild. But it's fun to try them inside a testing box. And then create a cure for them.

A friend of mine got infected with the Brontok worm. He sent me a sample. I'll do some analysis and maybe create a removal tool for it.

Although it seems to be pretty well packed.
Copyright © 1999-2024, Tomasz Grysztar.