Author Topic: Trojan.Win32.Autoit.x  (Read 7732 times)

rdmaloyjr

  • Guest
Trojan.Win32.Autoit.x
« on: November 04, 2006, 09:59:28 PM »
A-squared found 2 incidents of Trojan.Win32.Autoit.x on my computer.  I sent one to Virustotal with the results below.   As you can see A-squared has a slightly different name for it.  I have avast! on this computer. 

I don't know how to zip a file & password protect it to send to Alwil. 

Complete scanning result of "KeeRun.exe", received in VirusTotal at 11.04.2006, 20:30:19 (CET).

Antivirus   Version   Update   Result
AntiVir   7.2.0.37   11.03.2006   no virus found
Authentium   4.93.8   11.04.2006   no virus found
Avast   4.7.892.0   11.03.2006   no virus found
AVG   386   11.04.2006   no virus found
BitDefender   7.2   11.04.2006   no virus found
CAT-QuickHeal   8.00   11.04.2006   TrojanDownloader.Agent.axn
ClamAV   devel-20060426   11.04.2006   no virus found
DrWeb   4.33   11.04.2006   no virus found
eTrust-InoculateIT   23.73.45   11.03.2006   no virus found
eTrust-Vet   30.3.3176   11.03.2006   no virus found
Ewido   4.0   11.04.2006   no virus found
Fortinet   2.82.0.0   11.04.2006   no virus found
F-Prot   3.16f   11.04.2006   no virus found
F-Prot4   4.2.1.29   11.04.2006   no virus found
Ikarus   0.2.65.0   11.03.2006   no virus found
Kaspersky   4.0.2.24   11.04.2006   no virus found
McAfee   4888   11.03.2006   no virus found
Microsoft   1.1609    11.04.2006   no virus found
NOD32v2   1.1853   11.03.2006   no virus found
Norman   5.80.02   11.03.2006   no virus found
Panda   9.0.0.4   11.04.2006   no virus found
Sophos   4.10.0   10.26.2006   no virus found
TheHacker   6.0.1.112   11.03.2006   Trojan/Downloader.AutoIt.e
UNA   1.83   11.03.2006   Trojan.Win32.Autoit.4809
VBA32   3.11.1   11.04.2006   no virus found
VirusBuster   4.3.15:9   11.04.2006   no virus found

Aditional Information
File size: 184784 bytes
MD5: d62be7ef418365b7f4c0e9d60d9ed87f
SHA1: 14eaaee25f7573cc136d1aeead7c9cf630d2a6ff
packers: UPX
packers: UPX
packers: UPX

Offline XMAS

  • Avast translator
  • Super Poster
  • ***
  • Posts: 1211
  • Santa is watching you ;)
    • avast! in Bulgarian
Re: Trojan.Win32.Autoit.x
« Reply #1 on: November 04, 2006, 10:38:52 PM »
Hello :)

Well, you should be able to do it with any archive program - for example IzArc, WinZip...
Just select the file, left click on it, and in the menu choose "Add to archive..."; after that, set a password in the options and you are ready - it depends on what program you are using, but generally this is the way.
After that, send the file to avast@avast.com  ;)
You've Got To Get Close To The Flame To See What It's Made Of...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89164
  • No support PMs thanks
Re: Trojan.Win32.Autoit.x
« Reply #2 on: November 04, 2006, 11:45:27 PM »
Check these forums for Autoit and you will find tens of posts of people screaming because their autoit scripts are detected as infected when they aren't, and it was usually only avast that detected them as infected. So they were sent off continually as false positive detections and the VPS continually adjusted so they weren't detected.

However, where did you get KeeRun.exe from? It sounds a bit weird. Autoit is usually used to create executable files to action batch or repetitive tasks.
Do you have Autoit?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

rdmaloyjr

  • Guest
Re: Trojan.Win32.Autoit.x
« Reply #3 on: November 05, 2006, 05:44:20 AM »

Quote
However where did you get KeeRun.exe from, it sounds a bit weird. Autoit is usually used to create executable files to action batch or repetitive tasks.
Do you have Autoit ?

David,

KeeRun.exe is a component of KeePass.   The other incidence of Trojan.Win32.Autoit.x on my computer is in another component of KeePass.   It seems someone was trying to steal my passwords.

If you will notice the Virustotal results you will see 3 scanners besides my A-squared detected this trojan.   On my other computer A-squared didn't detect it in KeePass.   I have the same info in KeePass on both computers.  Both copies of KeePass & both copies of A-squared are up to date.   I keep both computers up to date.

Offline DavidR

Re: Trojan.Win32.Autoit.x
« Reply #4 on: November 05, 2006, 02:54:47 PM »
I can only assume that KeeRun.exe, if it is a component of KeePass, looks for passwords and encrypts them into KeePass, a Password Safe. This wouldn't be a problem if you have KeePass installed; I can only assume you haven't or you wouldn't be questioning it?
Where is the keerun.exe file located?
I also suspect that the other component is KeeForm.exe (?) as reported in the links below on KeeRun.exe.
Do you have any other password protector installed (as KeePass is open source), it may use components of KeePass?

http://sourceforge.net/projects/keepass/
http://www.snapfiles.com/get/keepass.html
Quote
KeePass Password Safe is a secure password manager that allows you to store your sensitive login information in an encrypted database.

<snip>
KeePass Password Safe does not contain any adware or spyware.

I would have expected some of the larger names, Nod32, Kaspersky, to get this if malicious. A Google search for Win32.Autoit.x and Kaspersky can detect this, but virus names can be different in multiple AV companies.

The a-squared site is lacking on what the trojan does either, http://www.emsisoft.com/en/malware/?Trojan.Win32.Autoit.x. I only mention this as a-squared did suffer from a spate of FPs, as any AV can, so I treat all detections with care and don't automatically delete or quarantine them unless I'm sure, and currently I can't say with any certainty that this is a good detection.

I found one hit for KeeRun.exe http://hdsurvivor.blogspot.com/2006/05/keepass-password-manager.html, this throwing up a different malware name.
Quote
I downloaded the KeeForm Zip file and Avira told me that KeeForm.exe and KeeRun.exe are both infected with the Sohanat.H worm.

This is too bad, as it is a great product.

I also look for symptoms of the reported malware: http://www.f-secure.com/v-descs/autoit_x.shtml
Quote
AutoIt.X, a variant of AutoIt, is a Trojan. AutoIt.X attempts to hiddenly download and run other files from remote web and ftp sites and changes startup and search pages of Internet Explorer.
I'm starting to think this may be a bad detection by a-squared if you have personally installed KeePass yourself.

rdmaloyjr

  • Guest
Re: Trojan.Win32.Autoit.x
« Reply #5 on: November 05, 2006, 10:29:33 PM »

Quote
If you will notice the Virustotal results you will see 3 scanners besides my A-squared detected this trojan.   On my other computer A-squared didn't detect it in KeePass.   I have the same info in KeePass on both computers.  Both copies of KeePass & both copies of A-squared are up to date.   I keep both computers up to date.

David,

I did install KeePass on both of my computers.  A-squared is on both computers & only detects Trojan.Win32.Autoit.x on this computer.  (Please read quote above.)

You are right, Trojan.Win32.Autoit.x is also in KeeForm.exe.  Both KeeRun.exe & KeeForm.exe were originally in Program Files/KeePass, but I chose to have A-squared put them in quarantine.

Being as A-squared doesn't detect this trojan in KeePass on my other computer I think it may be a real trojan threat.  Being the case I don't want to take it out of quarantine to send to Alwil.  Besides I don't know how to do it.

I downloaded 7zip as it seems to be the favorite of those on this forum.  I used an unneeded file to try 7zip on.  I zipped it & put a password on it, then I was lost on how to get it on an email.  The "guinea pig" file still remained in the original folder unzipped.  I don't know where the zipped version went in 7zip archive.

Computers were supposedly meant to make life easier, but they aggravate & confuse greatly.

Offline DavidR

Re: Trojan.Win32.Autoit.x
« Reply #6 on: November 05, 2006, 10:56:37 PM »
It is your system and your choice, but I'm leaning towards this being a false positive detection of a-squared (even with those others). This is based on all that I have searched out and the symptoms of the reported trojan, none of which you are reporting. There is nothing stopping you from uninstalling KeePass and installing the latest version again, if for nothing but peace of mind. I have no idea why it isn't being detected on your other system.

Just try repeating the 7zip exercise and see where the default save location is, and/or you can do a search for *.7z. I think you can probably change the default save location. You just open an email and click on the attachment button/icon, depending on your email program, and navigate to the .7z file you want to attach. You can add a file to an archive and email in one go, but that doesn't allow you to password protect the 7zipped file.
« Last Edit: November 05, 2006, 10:59:52 PM by DavidR »
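A check that bears on the open question of why only one computer flags the file, given here as an added example that is not part of any post in this thread: it parses the size, MD5 and SHA1 lines of the VirusTotal report quoted in the first post and compares them with a local copy of the file, so the copies on the two computers can be told apart or shown to be the same binary. The function names are illustrative.

```python
import hashlib
import re

# The "Additional Information" lines as quoted in the first post of the thread.
REPORT = """\
File size: 184784 bytes
MD5: d62be7ef418365b7f4c0e9d60d9ed87f
SHA1: 14eaaee25f7573cc136d1aeead7c9cf630d2a6ff
packers: UPX
"""

FIELDS = {
    "size": re.compile(r"^File size:\s*(\d+)\s*bytes\s*$", re.I | re.M),
    "md5": re.compile(r"^MD5:\s*([0-9a-f]{32})\s*$", re.I | re.M),
    "sha1": re.compile(r"^SHA1:\s*([0-9a-f]{40})\s*$", re.I | re.M),
}

def parse_report(text):
    """Extract size and digests from the report; fields not present are omitted."""
    found = {}
    for name, rx in FIELDS.items():
        m = rx.search(text)
        if m:
            found[name] = int(m.group(1)) if name == "size" else m.group(1).lower()
    return found

def fingerprint(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            md5.update(block)
            sha1.update(block)
            size += len(block)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def mismatches(report_text, path):
    """Return the report fields the local file disagrees with ([] = same binary)."""
    expected = parse_report(report_text)
    if not expected:
        raise ValueError("no size or digest fields found in report")
    actual = fingerprint(path)
    return sorted(k for k, v in expected.items() if actual[k] != v)

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        diff = mismatches(REPORT, p)
        print(p, "matches the scanned file" if not diff else f"differs in: {diff}")
```

An empty result for the copy on each computer means both machines hold the file that was scanned, so the differing verdicts come from the scanner or its signature set rather than from the file.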