VMware Cloud Community
TanquenETG
Enthusiast

I have 5 VMs running the same HMI software and only one says this file has a virus

My desktop and other Windows 10 VMs with all the updates do not find the same virus or script.

It's an add on from this site:

https://www.wmkit.com/archives/intouch-color-picker-activex-library.html  

Trojan:Script/Wacatac.B!ml
Alert level: Severe
Status: Active
Date: 6/3/2022 11:59 AM.
Category: Trojan
Details: This program is dangerous and executes commands from an attacker.

Affected items:
containerfile: C:\Users\...\Desktop\XColorPicker_22.5.8167.42278.zip
file: C:\Users\...\Desktop\XColorPicker_22.5.8167.42278.zip->XColorPicker.ocx


Moderator Note:
I've unlinked the URL above for now, to avoid possible danger for other users.
Since the topic does not seem to be related to virtualization, or VMware products, I will move it to the guest OS section.

16 Replies
continuum
Immortal

Why on earth do you think it is a good idea to post a link to a Trojan ???

@moderators - delete this post asap

Ulli


________________________________________________
Do you need support with a VMFS recovery problem ? - send a message via skype "sanbarrow"
I do not support Workstation 16 at this time ...

TanquenETG
Enthusiast

Because I don't think it is.

"I have 5 VMs running the same HMI software and only one says this file has a virus"

Why would only one Windows VM say it is?

They have been around for like 10 years with good HMI info.

continuum
Immortal

Upload it to virustotal.com and have it checked

continuum
Immortal

Malwarebytes flags it as malware.

TanquenETG
Enthusiast

This is an odd one. If it is malware, how is it getting past a clean Windows 10 VM with all updates but not a VM cloned from it that I've been working on the last few weeks? Why do other VMs that are cloned from it not see it as malware?

continuum
Immortal

Malware detection is not 100% reliable. It is a best effort approach.
It is expected that a piece of malware gets detected in environment A but not in environment B or C.
Ask your antivirus-tool vendor about the file or trust MalwareBytes.

wila
Immortal

Hi,

Let's link to the report...

https://www.virustotal.com/gui/file/91c91b54d94afb8bf3bf014799e87fddfb4f592a8594bd415fe70bbf47ef7f13

and the ocx itself:
https://www.virustotal.com/gui/file/b4cc9d1d7022cf2e996b709c50baf20b2f6c995e20f42f35ade8deb9d67d800b...

Malwarebytes lists it as possible malware, but that is based on heuristics.
A.k.a. "it might be malware based on specific things we see".

Most likely?
False positive, especially as it is the only antivirus engine that tags it as "possible" malware.

Could it be malware?
yes

As a component developer myself.. having false positives just happens.
There are many things that can trigger this. For example using a specific version of a compiler might trigger EVERYTHING compiled by that compiler as suspect by a bunch of antivirus products.

I would contact the developer and have them report it to malwarebytes so that a human looks at the report and not just a heuristics engine.

--
Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva
TanquenETG
Enthusiast

Ok, but it's just that they are cloned VMs with very little on them and all the same updates. I'd expect the same version of Windows Defender in a cloned VM to report the file the same.

A while back my host said another VMs vmdk had a virus but after shutting the VM down it no longer saw it as a virus. ???

I'll look at what our IT is using for virus scanning. Seems impossible to know if it's real or a false positive.

TanquenETG
Enthusiast

Thanks for the info and I did let the dev know.

TanquenETG
Enthusiast

It's also odd and fun that Windows says it quarantined and blocked the file with status "removed", but it's in "AppData\Local\Temp\vmware-\VMwareDnD" and then the files are copied to the desktop.
continuum
Immortal

That is the path where Workstation stores files that are transported by the questionable drag'n'drop feature.
TanquenETG
Enthusiast

Yep, I've had it eat up many GBs of bad copies on some VMs. A good place to check if you have unexplained missing drive space.

I keep running the Windows update and it shows like 4 definitions updates just today but the other VM still thinks the file is ok.

TanquenETG
Enthusiast

Got a reply from the dev. Not sure what to do about it. So, is UPX a known trojan or a tool used by folks that make them?


The ActiveX file was compressed with UPX to reduce the size of the file. You can use UPX to decompress the ocx file with the command below:
"upx.exe" -d ".\XColorPicker.ocx" --backup --all-methods --all-filters

Then upload to virustotal to check it.

UPX can be downloaded from here: https upx github io

wila
Immortal

Hi,

None of this is about vmware, but OK 🙂

UPX is a tool since - I don't know.. 1999 or something? - that can be used to make binaries smaller.
What it does is to basically zip the binary and then stick a small loader in front of the zip that unzips your binary on the fly when you try to run it.
I'm surprised to hear it works with an ActiveX component.

It's popular with malware as it can hide the malware somewhat, although I doubt that there are many antivirus products that fall for that, as it is a very, very old tool.

So you can try if that helps.

--
Wil

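
The triage step behind this exchange, as an added example that is not code from the thread, from the component's vendor or from UPX itself: before deciding whether to run the vendor's `upx -d` command or to upload a file to VirusTotal, a defender wants to know whether a PE file (EXE, DLL or OCX) carries the section layout the stock UPX packer writes (sections named `UPX0`/`UPX1`, the "small loader in front of the zip" wila describes) and what its SHA-256 is, since VirusTotal reports are keyed on that hash. The script below parses the PE section table directly with the standard library; the function names (`pe_section_names`, `looks_upx_packed`, `triage`, `build_sample_pe`) and the headers-only sample images are constructed for this example. The section-name check is only a heuristic: a packer can rename its sections, and a match means "packed", not "malicious".

```python
import hashlib
import struct

# Section names the stock UPX packer writes into a packed PE image (heuristic only).
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def pe_section_names(data: bytes) -> list[str]:
    """Return the section names from a PE (EXE/DLL/OCX) image's section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    # e_lfanew at DOS header offset 0x3C points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # the 20-byte COFF file header follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    # The section table starts right after the optional header; each entry is 40 bytes.
    table = coff + 20 + size_of_optional
    names = []
    for i in range(num_sections):
        entry = table + i * 40
        raw = data[entry:entry + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True when any section carries a stock UPX name; packers can rename sections."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file contents, the identifier VirusTotal reports are keyed on."""
    return hashlib.sha256(data).hexdigest()


def triage(data: bytes) -> dict:
    """Summary a defender records before deciding whether to unpack or submit the file."""
    return {
        "sha256": sha256_hex(data),
        "sections": pe_section_names(data),
        "upx_packed": looks_upx_packed(data),
    }


def build_sample_pe(section_names: list[bytes]) -> bytes:
    """Constructed minimal PE image (headers only, no code) used as offline sample input."""
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    optional_header = b"\0" * 224  # size of a PE32 optional header; contents unused here
    coff_header = struct.pack(
        "<HHIIIHH",
        0x14C,                  # Machine: i386
        len(section_names),     # NumberOfSections
        0, 0, 0,                # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
        len(optional_header),   # SizeOfOptionalHeader
        0x2102,                 # Characteristics: executable image, DLL, 32-bit
    )
    section_table = b"".join(
        name.ljust(8, b"\0")
        + struct.pack("<IIIIIIHHI", 0, 0, 0, 0, 0, 0, 0, 0, 0x60000020)
        for name in section_names
    )
    return dos_header + b"PE\0\0" + coff_header + optional_header + section_table


if __name__ == "__main__":
    # Constructed samples: one with UPX's section names, one with a normal compiler layout.
    for label, names in (("packed", [b"UPX0", b"UPX1", b".rsrc"]),
                         ("normal", [b".text", b".rdata", b".data", b".rsrc"])):
        print(label, triage(build_sample_pe(names)))
    # On a real file: triage(open(r"XColorPicker.ocx", "rb").read())
```

Run against the real OCX, the `sha256` value is what to paste into VirusTotal's search, and `upx_packed` tells you whether the vendor's decompression step applies at all; record the hash of the unpacked file too, since it is a different object with a different VirusTotal report.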
TanquenETG
Enthusiast

"None of this is about vmware, but OK "

Ok, but I did not see how cloned VMs with all the same everything were seeing it or not seeing it.

I'd also not long ago just had Windows say that a vmdk file had a virus. So now I'm paranoid and not sure who is doing what.

Anyway, as best I can tell it's not a trojan but why use UPX to save a few KB and set off random false positives?

wila
Immortal

You can clone hard disks for physical machines, and you would see the same problems. I don't think you're seeing anything different because you are using VMs.
But it's OK.

re. why use UPX?
Don't ask me.. even as a developer I've never seen the need for that as yes it does add additional issues like potential antivirus issues.

I just googled and saw it was released in 1998. Back then size on binaries was more of an issue than it is now.

--
Wil