EC has a point, in that it calls GetAsyncKeyState to check the F6 key so it knows when to take the SS. GetAsyncKeyState is a Windows API function that (obviously) checks if a key is being pressed or not; as such it can also be used for key-logging, if you use it to track the state of all keys and then save them. This is superficially analogous to saying that a tyre-iron can be used to beat someone to death, therefore we should suspect that anyone with a tyre-iron is a murderer. Of course most people have one in their trunk and just use it when they have a flat tyre.
The main point here is that you don't sell AV software by not reporting anything. Sadly most people believe that if AV#2 "finds more stuff" than AV#1, then AV#2 is therefore more sophisticated, and more secure.
Bloggers do comparative tests, feeding a heap of different AV suites everything from actual malware to stuff that some other source said was a "PUP" (potentially unwanted program). Often they copy the descriptions of these things from the websites of the people selling the AV software to sound knowledgeable, despite understanding very little of what they are writing. As a result, many AV providers got scared not to report EVERYTHING, in case they looked ineffective on some moron's blog page.
It's a massive industry worth $Billions, and their competition has traditionally been one of providing the most alerts.... although they are slowly getting better as the population becomes more tech-savvy. I always have a lol when I see the results of a multi-AV scan and they are all saying a different thing... or an identical thing. For instance: here are the results for that file from VirusTotal.com - it's a useful site that checks just about every available AV resource.
Avira (no cloud) TR/Crypt.ULPM.Gen 20170306
Arcabit Trojan.Heur.emGfXPgbohm 20170306
BitDefender Gen:Trojan.Heur.emGfXPgbohm 20170306
Emsisoft Gen:Trojan.Heur.emGfXPgbohm (B) 20170306
F-Secure Gen:Trojan.Heur.emGfXPgbohm 20170306
GData Gen:Trojan.Heur.emGfXPgbohm 20170306
eScan Gen:Trojan.Heur.emGfXPgbohm 20170306
Endgame malicious (high confidence) 20170222
CrowdStrike Falcon (ML) malicious_confidence_68% (D) 20170130
Invincea worm.win32.bartly.a 20170203
McAfee-GW-Edition BehavesLike.Win32.Sality.lc 20170306
Qihoo-360 HEUR/QVM18.1.0000.Malware.Gen 20170306
TheHacker Posible_Worm32 20170305
ZoneAlarm by Check Point 20170306
From 61 different AV resources there are 48 negatives (nothing found) and 13 'results'.
Now, first let me say this; I'm pretty sure my computer is 'clean', but nobody can ever be 100% sure, there are some pretty clever rootkits around, so I don't know that there is not malware on my computer somewhere. Take war2observe for example. It works by injecting a piece of code into a "code-cave" in the wc2 exe..... it's a worm, just not a malicious one.
Nobody really knows for sure that any .exe, .dll, .ocx etc. on their computer is completely safe; if I send some file to VirusTotal and there are results, I have to consider them. You can never be completely sure.... EXCEPT for this one case: where I have personally written the code, then compiled it, then (and this is important) immediately compressed it using the most aggressive executable compression available.... always the most exhaustive/slowest methods.
At this point it comes down to information/entropy vs. size. There are no 'code caves' left. There is no way to 'inject' a worm into it and have the program still perform its expected function without increasing the file size. That number of bytes simply cannot hold the extra information, not without completely re-writing it in a different language (i.e. pure ASM - this one is a bastardised C prog), and only a human can do that, not malware.
I use open source exe compression that I have altered so that it cannot be automatically unpacked by either malware OR anti-virus, because nobody else knows how I have altered it.... I won't go on about that part of it, but for now what I'm saying is that when I have just compiled and compressed a program from my own source code is the only time that I can upload a file to be virus checked and I absolutely 100% KNOW it is safe. Nobody else knows this for sure, but I did it, so I know
... and yet we get "13 results": a few different results, but 6 out of the 13 are all saying it is a "Trojan.Heur.emGfXPgbohm". OMG! It must be true!
But because I know it is false, I now know something else. These sources are all using the same AV engine (or at the very least the same virus definitions and a clone of the engine). Without a doubt. Of the 6 sources one stands out as being a genuine AV company. "BitDefender" are a Romanian group, and a reasonably major player in the industry. So at this point I KNOW the other 5 are just re-branding BitDefender's engine. Never bothered looking before, but while writing this post, within 2 minutes of looking I came up with THIS page listing "Multiscanning" vendors. At the top of the page it lists 4 out of the 5 (Emsisoft, F-Secure, GData and eScan) as using the BitDefender engine. As for "Arcabit", whoever the hell they are, I couldn't be bothered, but I'll lay money if you look them up, they're exactly the same.
So. Our 13 out of 61 "Results" have shrunk to 8 out of 54. Two of those are saying "malicious" and "confidence"; my guess: they are nobodies with dodgy "everything turned up to 11" implementations of one of the open source projects.... I mean "CrowdStrike Falcon", BAHAHAHA, sorry, but if that name turned up in the war2bne channel you'd take one look at it and say "noob".
Here are our real results:
and of course...
Avira TR/Crypt.ULPM.Gen.... and these people say it's safe: AVG, Avast, Kaspersky, Kingsoft, McAfee (Std), Microsoft, Symantec, TrendMicro, ZoneAlarm .... and 39 other AV providers.
Anyway, for starters you can see why I LMAO at noobies claiming "68% confidence"... lol, I've actually started laughing again writing that, for real... I mean some newbie called CrowdStrikeFalcon!!! just turns up in the channel and claims that he is exactly "68% confident" that he knows more about the game than mikulz, styx, Day, Player, Medievh, Ouin... etc. (sorry ppl, I forgot)... ROTF...
Anyway, stuff such as "BehavesLike.Win32.Sality.lc" is fair enough. IDK what "Sality" is, but it's probably a naughty program that is written in C, calls "GetAsyncKeyState", "OpenProcess" and "ReadProcessMem", is compiled with WATCOM, and then compressed in a non-standard way. McAfee is a decent provider; in addition to their normal AV product they obviously have another product variant aimed at the customer who wants to see lots of results
.... that's fine, they just said "owns a tyre-iron", not "is a serial killer". Annoying, but not technically untrue (I assume).
That's the sort of thing they all should be putting, because the fact of the matter is these are all the result of the AV software saying 2 things:
(1) This program is protecting itself in ways I don't understand, so I can't mess with it how I want to... this makes me worry.
(and Lamb says, "yes that's right mother-lover, and neither can the worms when they try to find a home")
(2) When it unpacks itself I can see the functions it's linking, and now I've got an excuse to make some alarmist rubbish up because I don't trust it and OMG IT'S USING THE KEYBOARD! et al.
.... and besides: Warnings Generate Sales.
"TheHacker", despite their rather dodgy sounding name, give a reasonable response: possible worm. Not a claim, just a possibility, and the way that this program functions it could conceivably be a "worm" like Observer is. In this case it isn't, but it does use some of the tools that a worm would need, so "possible worm"... sure, hf with that.
"Invincea", whoever they are, just say worm.win32.bartly.a, same thing; they really should put "possibly", or "behaves like".
"Qihoo-360" - HEUR/QVM18.1.0000.Malware.Gen
lol...WTH is a "Qihoo"? You just invented that crap on the spot, didn't you? heh
I guess this means "general malware". Also note the "HEUR", in this and the BitDefender response, which stands for heuristic:
"As opposed to signature-based scanning, which looks to match signatures found in files with that of a database of known malware, heuristic scanning uses rules and/or algorithms to look for commands which may indicate malicious intent." SOURCE i.e. "Carries a tyre-iron"
And then there's these 2...
Sorry, but it looks to me like Avira also uses the BitDefender engine as at least part of its scanning process, because I'm finding it hard to believe that 2 separate engines got it that wrong. At least they have their own classification of the result, because of all the responses this one is the most incorrect. "Worm"... maybe. It's not a worm, but if you wanted to make stuff up, at least it's believable garbage.... but "Trojan"... bzzzz.. FAIL. Sorry. No freakin' way.
The whole point of the Trojan horse (actually a Roman Horse lol) was to allow a few men to get into Troy and open the gates so the Roman army could storm in and sack the city. The one thing all software trojans do... in fact pretty much all malware these days, is access the network. That is the whole point, so they can download a bunch of other nasty stuff and install it, but this program has absolutely no code whatsoever that does anything at all with any network functions or services. So sorry BitDefender, but that is just a big fat FAIL