My desktop and other Windows 10 VMs with all the updates do not find the same virus or script.
It's an add on from this site:
https://www.wmkit.com/archives/intouch-color-picker-activex-library.html
Trojan:Script/Wacatac.B!ml
Alert level: Severe
Status: Active
Date: 6/3/2022 11:59 AM.
Category: Trojan
Details: This program is dangerous and executes commands from an attacker.
Affected items:
containerfile: C:\Users\...\Desktop\XColorPicker_22.5.8167.42278.zip
file: C:\Users\...\Desktop\XColorPicker_22.5.8167.42278.zip->XColorPicker.ocx
Moderator Note:
I've unlinked the URL above for now, to avoid possible danger for other users.
Since the topic does not seem to be related to virtualization, or VMware products, I will move it to the guest OS section.
Why on earth do you think it is a good idea to post a link to a Trojan ???
@moderators - delete this post asap
Ulli
Because I don't think it is.
"I have 5 VMs running the same HMI software and only one says this file has a virus"
Why would only one Windows VM say it is?
They have been around for like 10 years with good HMI info.
Upload it to virustotal.com and have it checked
Malwarebytes flags it as malware.
This is an odd one. If it is malware, how is it getting past a clean Windows 10 VM with all updates but not a VM cloned from it that I've been working on for the last few weeks? Why do other VMs that are cloned from it not see it as malware?
Malware detection is not 100% reliable. It is a best effort approach.
It is expected that a piece of malware gets detected in environment A but not in environment B or C.
Ask your antivirus-tool vendor about the file or trust Malwarebytes.
Hi,
Let's link to the report...
https://www.virustotal.com/gui/file/91c91b54d94afb8bf3bf014799e87fddfb4f592a8594bd415fe70bbf47ef7f13
and the ocx itself:
https://www.virustotal.com/gui/file/b4cc9d1d7022cf2e996b709c50baf20b2f6c995e20f42f35ade8deb9d67d800b...
Malwarebytes lists it as possible malware, but that is based on heuristics.
A.k.a. "it might be malware based on specific things we see".
Most likely?
False positive, especially as it is the only antivirus engine that tags it as "possible" malware.
Could it be malware?
yes
As a component developer myself.. having false positives just happens.
There are many things that can trigger this. For example using a specific version of a compiler might trigger EVERYTHING compiled by that compiler as suspect by a bunch of antivirus products.
I would contact the developer and have them report it to Malwarebytes so that a human looks at the report and not just a heuristics engine.
--
Wil
Ok, but it's just that they are cloned VMs with very little on them and all the same updates. I'd think the same version of Windows Defender in a cloned VM would report the file the same.
A while back my host said another VM's vmdk had a virus, but after shutting the VM down it no longer saw it as a virus. ???
I'll look at what our IT is using for virus scan. Seems impossible to know if it's real or a false positive.
Thanks for the info and I did let the dev know.
It's also odd and fun that Windows says it quarantined and blocked the file with status "removed", but in "AppData\Local\Temp\vmware-\VMwareDnD", and then the files are copied to the desktop.
That is the path where Workstation stores files that are transported by the questionable drag'n'drop feature.
Yep, I've had it eat up many GBs of bad copies on some VMs. A good place to check if you have unexplained missing drive space.
I keep running the Windows update and it shows like 4 definitions updates just today but the other VM still thinks the file is ok.
Got a reply from the DEV. Not sure what to do about it. So, is UPX a known trojan or a tool used by folks that make them?
The ActiveX file was compressed with UPX to reduce the size of the file; you can use UPX to decompress the ocx file with the command below:
"upx.exe" -d ".\XColorPicker.ocx" --backup --all-methods --all-filters
Then upload to virustotal to check it.
UPX can be downloaded from here: https upx github io
Hi,
None of this is about vmware, but OK 🙂
UPX is a tool that has been around since - I don't know.. 1999 or something? - and can be used to make binaries smaller.
What it does is basically zip the binary and then stick a small loader in front of the zip that unzips your binary on the fly when you try to run it.
I'm surprised to hear it works with an ActiveX component.
It's popular with malware as it can hide the malware somewhat. Although I doubt that there are many antivirus products that fall for that, as it is a very, very old tool.
So you can try that and see if it helps.
--
Wil
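Wil's description above (a compressed body with a small loader stub in front) is also exactly the shape a heuristic scanner keys on, which is why a packed but harmless OCX can trip a "possible malware" verdict. As an added example that is not from this thread, from Malwarebytes, or from the UPX project: a Python script that parses a PE file's section table and scores three packer indicators a heuristics engine might weigh, the well-known UPX0/UPX1 section names, an empty first section reserved for the unpacked image, and a high-entropy payload section. The PE images it checks are constructed inline (skeletal headers only, not loadable), and the 7.0-bit entropy threshold and the build_pe/packer_indicators helpers are this example's own choices, not any product's logic. The third sample goes beyond the UPX case in the thread: it shows that the layout heuristic still fires when a packer renames its sections.

```python
import math
import random
import struct

# Section names UPX writes into a packed PE (well-known UPX convention).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk the DOS/PE headers and return name, sizes and entropy per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    first = coff + 20 + size_opt                         # IMAGE_SECTION_HEADER table
    sections = []
    for i in range(num_sections):
        off = first + 40 * i
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({"name": name, "virtual_size": vsize,
                         "raw_size": rawsize, "entropy": shannon_entropy(raw)})
    return sections


def packer_indicators(pe: bytes) -> dict:
    """Cheap packer heuristics of the kind a scanner scores a file on (example logic)."""
    secs = parse_sections(pe)
    upx_names = bool({s["name"] for s in secs} & UPX_SECTION_NAMES)
    # A packer reserves a large, empty first section for the unpacked image.
    empty_first = bool(secs) and secs[0]["raw_size"] == 0 and secs[0]["virtual_size"] > 0
    # The payload section is compressed, so its bytes look nearly random.
    high_entropy = any(s["entropy"] > 7.0 and s["raw_size"] >= 256 for s in secs)
    return {"upx_section_names": upx_names,
            "empty_first_section": empty_first,
            "high_entropy_section": high_entropy,
            "likely_packed": upx_names or (empty_first and high_entropy)}


def build_pe(sections) -> bytes:
    """Assemble a skeletal PE (constructed test data, not a loadable image)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew at 0x3C
    opt = struct.pack("<H", 0x10B) + b"\0" * 222          # zeroed PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x2102)
    headers_len = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    data_ptr = (headers_len + 511) // 512 * 512           # file alignment 512
    table, body, vaddr = b"", b"", 0x1000
    for name, vsize, raw in sections:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, vaddr, len(raw),
            data_ptr + len(body) if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        vaddr += (max(vsize, 1) + 0xFFF) // 0x1000 * 0x1000
    blob = dos + b"PE\0\0" + coff + opt + table
    return blob + b"\0" * (data_ptr - len(blob)) + body


# Constructed sample contents: pseudo-random bytes stand in for compressed code,
# repetitive x86 prologue/epilogue bytes stand in for ordinary compiled code.
_rng = random.Random(2022)
_PACKED_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(4096))
_PLAIN_CODE = b"\x55\x8b\xec\x83\xec\x10\xc9\xc3" * 512

# Constructed samples: a UPX-style layout, a plain build, and a packer that renamed its sections.
SAMPLE_UPX_PE = build_pe([(b"UPX0", 0x10000, b""), (b"UPX1", 0x1000, _PACKED_PAYLOAD),
                          (b".rsrc", 0x200, b"\0" * 512)])
SAMPLE_PLAIN_PE = build_pe([(b".text", 0x1000, _PLAIN_CODE), (b".data", 0x200, b"\0" * 512)])
SAMPLE_RENAMED_PE = build_pe([(b"CODE", 0x10000, b""), (b"DATA", 0x1000, _PACKED_PAYLOAD)])

if __name__ == "__main__":
    for label, pe in [("upx", SAMPLE_UPX_PE), ("plain", SAMPLE_PLAIN_PE), ("renamed", SAMPLE_RENAMED_PE)]:
        print(label, packer_indicators(pe))
```

Run it as-is to see the three verdicts, or point parse_sections at the bytes of a real file to list its section names and entropies; the third sample shows why a triage rule should look at section layout and entropy rather than only at the UPX0/UPX1 names.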
"None of this is about vmware, but OK "
Ok, but I did not see how cloned VMs with all the same everything were seeing it or not seeing it?
I'd also not long ago had Windows say that a vmdk file had a virus. So now I'm paranoid and not sure who is doing what.
Anyway, as best I can tell it's not a trojan, but why use UPX to save a few KB and set off random false positives?
You can clone hard disks for physical machines.. and you would see the same problems. I don't think you're seeing anything different because you are using VMs.
But it's OK.
re. why use UPX?
Don't ask me.. even as a developer I've never seen the need for that, as yes, it does add additional issues like potential antivirus problems.
I just googled and saw it was released in 1998. Back then size on binaries was more of an issue than it is now.
--
Wil