Author Topic: Trojan.VkHost caught by Malwarebytes but not Avast :(  (Read 9452 times)

jxf011

  • Guest
Trojan.VkHost caught by Malwarebytes but not Avast :(
« on: March 06, 2010, 02:37:49 AM »
[first post, I love Avast, it missed one that Malwarebytes caught, not sure if this is the right way to address this, here goes ...]

I was running an invisible exe created by Bat To Exe Converter V1.5 (at www.f2ko.de) from a 3 line batch:
xcopy D:\MyDocs\Thunderbird\contacts\abook.mab C:\Portable\ThunderbirdPortable\Data\profile /Y
C:\Portable\ThunderbirdPortable\ThunderbirdPortable.exe
move C:\Portable\ThunderbirdPortable\Data\profile\abook.mab D:\MyDocs\Thunderbird\contacts

I should have scanned www.f2ko.de with Norton SafeWeb!  They say 4 trojans there ...
http://safeweb.norton.com/report/show?url=f2ko.de

Anyway, this exe (from a converted batch) ensures my address book is backed up with my MyDocs folder along with my Tbird account folders. If portable Tbird allowed me to specify my address book location, this wouldn't be needed. And, I don't want to see a dos window in the task bar while I run Tbird.

The problem: random browser redirects with FF 3.6 in Win7 x64.  It was only on Google search results and not every result.  Once I stopped running the exe created by Bat To Exe Converter and deleted the exe, no problems.  Malwarebytes finds Trojan.VkHost but Avast finds nothing.

Here's how I reproduce the problem ...

1. download Bat To Exe Converter 1.5 and run it

2. create a batch file with 2 lines: dir, pause

3. convert it with Bat to Exe with the invisible setting

4. scan the test.exe:
Malwarebytes' Anti-Malware 1.44, Database version: 3826
Files Infected:
c:\Download\portable updates\bat_to_exe_converter\test-dir-pause.exe (Trojan.VkHost) -> No action taken.

Here's the PASSWORD protected 7z file with the test batch file, test.exe, and Malwarebytes output (truncated):
http://www.megaupload.com/?d=KJXESB76

Password is:
Trojan.VkHost

Thanks,
jxf011

Offline Shiw Liang

  • Avast Evangelist
  • Super Poster
  • Posts: 1432
Re: Trojan.VkHost caught by Malwarebytes but not Avast :(
« Reply #1 on: March 07, 2010, 04:40:30 AM »
Is it not avast log file ???

I guess it is a no... :-\

Where did you download that converter?
« Last Edit: March 07, 2010, 04:43:55 AM by Shiw Liang »

jxf011

  • Guest
Re: Trojan.VkHost caught by Malwarebytes but not Avast :(
« Reply #2 on: March 10, 2010, 04:05:47 PM »
I didn't look in the log but I did right click and "Scan" with Avast which gave me no virus warning, just "NO THREAT FOUND"

I found the program (really a trojan maker) at portable freeware dot com but the download itself is at f2ko.de

Offline Shiw Liang

  • Avast Evangelist
  • Super Poster
  • Posts: 1432
Re: Trojan.VkHost caught by Malwarebytes but not Avast :(
« Reply #3 on: March 10, 2010, 05:08:46 PM »
Somehow it is a strange website!
Please, if you are using Firefox, use this for more safety about websites and change your search engine to Google if possible!
http://www.mywot.com/en/download/ff

Mike Buxton

  • Guest
Re: Trojan.VkHost caught by Malwarebytes but not Avast :(
« Reply #4 on: March 10, 2010, 05:26:02 PM »
Hi,

I strongly suspect, but obviously do not know, that Avast does not detect it because it is a False Positive that they have already rectified.

This is what I wrote (back in 1998) to someone with a similar problem:

"Recently Avast detected a freeware BatToExe compiler as infected and also the compiled exe files it produced.

I emailed a passworded zip file containing both the compiler and an example of a compiled exe file and Avast promptly fixed my FP problem."

My regards

YoKenny

  • Guest
Re: Trojan.VkHost caught by Malwarebytes but not Avast :(
« Reply #5 on: March 10, 2010, 05:26:22 PM »
I see Malwarebytes' Anti-Malware (MBAM) blocks f2ko.de as infected:
IP-BLOCK   81.169.145.68

See:
Every 3.6 seconds a website is infected
http://www.scmagazineus.com/every-36-seconds-a-website-is-infected/article/140414

The Webmaster needs to fix the site and tighten up its security.


jxf011

  • Guest
Re: Trojan.VkHost caught by Malwarebytes but not Avast :(
« Reply #6 on: March 12, 2010, 07:08:56 PM »
Hi Avasters!

Funny that "false positive" came up here just like the portablefreeware.com/forums/ thread.  Below is my follow up post there addressing this.  Remember: Avast doesn't see anything wrong with the invisible exe I create with Bat to Exe *but* I experience browser redirect symptoms.  Malwarebytes sees Trojan.VkHost in the process and file and the symptoms go away when I stop my invisible exe and delete it.  This is the opposite of a false positive ... a "true negative"?  ;)  Quote of other post follows ...

http://www.portablefreeware.com/forums/viewtopic.php?f=2&t=5989&p=22972#p22972
Quote
I'm not suggesting for a moment this is a false positive.

I experienced ***symptoms*** after creating and running an invisible exe with this program.  These symptoms were random, periodic redirects of Google search results.  Maybe the top result was fine but the next 1 or 3 were re-directed.  The Google web page of results would have the url printed, e.g. http://www.hitnumber7.com/blah/blah, and when I clicked on it I would be sent to an advertisement web page.

Specifically, with my invisible exe running, I searched Google for an Acronis backup issue.  One of the hits (maybe the 3rd) was an Acronis.com link for the pdf manual.  The Google web page results had http://www.acronis.com/... printed underneath the hyperlink in clear text.  If I mouse over this link with Firefox using the add on Link Alert I don't see the Acronis link, I see some super long link for some ad web site.  Clicking on the link in Firefox takes me to said link.

I started to investigate the URL of this ad page.  I Googled and found some others talking about Google search result redirects specially affecting Firefox.  I started to test this by doing Google searches and looking at the results and clicking on them.  What do you know but I was easily able to replicate the problem: hypertext links on Google that go to an advertisement web site - these links do not match the link text associated with them on the Google search results page.

Ok, so now I know I have a problem.  Avast 5.0 scan, nothing.  Windows Defender scan, nothing.  Malwarebytes scan, something!  Trojan.VkHost is found on the process and file that I created with Bat to Exe.

I stop the process and delete the exe.  No more Google search redirects!!!!

Let me repeat - this is not a false positive problem.  I had Firefox redirect hijack symptoms for Google search results when my invisible exe was running.  After stopping the process and deleting the exe, no more redirects.

Maybe this only affects certain versions of Windows (I run 7 x64) and/or Firefox (latest with 40+ add ons).  But, I can't recall being hit with a trojan/virus before and I sure didn't like it this time!  Thanks to Malwarebytes and a few other poor souls troubleshooting this on forums on line for helping me to a solution.   :D
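
Added example, not part of the post above or of anyone's code in this thread: a check for the symptom described there, where the URL printed under a search result does not match the link's real destination. The function names, the `/url?q=` unwrapping rule and all sample links are assumptions constructed for illustration.

```javascript
// Flag search-result links whose destination host differs from the URL
// printed under the link. Runs in Node or a browser; no DOM needed.

// Search engines often wrap results in their own redirect
// (assumed form: /url?q=<target>). Unwrap one level so a legitimate
// tracking redirect is not reported as a hijack.
function unwrapRedirect(href, searchHost) {
  const u = new URL(href);
  if (u.hostname === searchHost && u.pathname === '/url') {
    const target = u.searchParams.get('q') || u.searchParams.get('url');
    if (target) return new URL(target);
  }
  return u;
}

// Lowercase and drop a leading "www." before comparing hosts.
function normHost(host) {
  return host.toLowerCase().replace(/^www\./, '');
}

// results: [{ shown: 'URL text printed on the page', href: 'real link' }]
function findMismatchedLinks(results, searchHost) {
  const flagged = [];
  for (const r of results) {
    let shownHost, destHost;
    try {
      // The printed URL may lack a scheme or end in an ellipsis.
      const shown = /^[a-z]+:\/\//i.test(r.shown) ? r.shown : 'http://' + r.shown;
      shownHost = normHost(new URL(shown).hostname);
      destHost = normHost(unwrapRedirect(r.href, searchHost).hostname);
    } catch (e) {
      flagged.push({ ...r, reason: 'unparseable' });
      continue;
    }
    // Subdomains of the printed host are accepted as a match.
    if (destHost !== shownHost && !destHost.endsWith('.' + shownHost)) {
      flagged.push({ ...r, reason: `shown ${shownHost}, goes to ${destHost}` });
    }
  }
  return flagged;
}

// Constructed sample: a direct link, a wrapped link, and a hijacked link.
const SAMPLE = [
  { shown: 'http://www.acronis.com/...', href: 'http://www.acronis.com/manual.pdf' },
  { shown: 'www.example.org/page', href: 'http://www.google.com/url?q=http://www.example.org/page&sa=U' },
  { shown: 'http://www.acronis.com/...', href: 'http://ads.example.net/click?id=123' },
];
console.log(findMismatchedLinks(SAMPLE, 'www.google.com'));
```

Only the third sample entry is reported; the wrapped second entry resolves to the host that is printed on the page.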

Mike Buxton

  • Guest
Re: Trojan.VkHost caught by Malwarebytes but not Avast :(
« Reply #7 on: March 12, 2010, 08:47:00 PM »
Hi,

If you have not already done so, you might email Alwil a passworded zip file containing both the compiler and your compiled exe together with a brief explanation of your findings.

My regards


jxf011

  • Guest
Re: Trojan.VkHost caught by Malwarebytes but not Avast :(
« Reply #8 on: March 12, 2010, 10:31:44 PM »
What's the email for submitting the info on a possibly missed trojan?