bug.n
Antivirus detecting the file as suspicious
If you check your bug.n.exe file, it is detected as a malicious file; check virustotal.com.
Yes, indeed. I copied the results as of 2018-07-12 below together with those for the 32-bit-unicode version of AutoHotkey from https://autohotkey.com/download/.
I can imagine that there are some script kiddies writing malware with AutoHotkey; compiling it to an executable results in a file which incorporates the script files and the AutoHotkey executable, which are unpacked to RAM when running the compiled script's executable. Therefore the binary shares a lot of bytes with other compiled AutoHotkey scripts.
Of course, bug.n does use the keyboard hook, which comes with AutoHotkey to allow keyboard shortcuts, and it does do some DLL calls, including a shellhook to register newly created and destroyed windows; that could be seen as malicious.
The good thing though regarding open source is that you may review the code and recompile the executable. It should result in the same file with the same SHA fingerprint. There is a build script in the tools directory; I do use mpress and the 32-bit-unicode version of the AutoHotkey executable to compile bug.n.
SHA256: c1b5d8ead0184afd8c28f7716468f5dd84d869d039bd87c37227d873d957c44f File name: bugn.exe
Antivirus | Result | Update |
---|---|---|
Bkav | W32.eHeur.Virus02 | 20180619 |
CMC | Virus.Win32.Sality!O | 20180619 |
Cylance | Unsafe | 20180619 |
Sophos ML | heuristic | 20180601 |
McAfee | Artemis!A6B95AEA5D0F | 20180619 |
McAfee-GW-Edition | BehavesLike.Win32.SoftPulse.fc | 20180619 |
... and reanalysed with a detection rate of 7 out of 67 (with 60 virus scanners not detecting it as malicious):
Antivirus | Result | Update |
---|---|---|
Bkav | W32.eHeur.Virus02 | 20180712 |
CMC | Virus.Win32.Sality!O | 20180712 |
Cylance | Unsafe | 20180712 |
Sophos ML | heuristic | 20180601 |
Jiangmin | RiskTool.BitMiner.udv | 20180712 |
McAfee-GW-Edition | BehavesLike.Win32.PWSZbot.fc | 20180712 |
TrendMicro-HouseCall | Suspicious_GEN.F47V0619 | 20180712 |
SHA256: 18cfbbe2eb182b94eb499837f57c70989c3c80343c99575d577b440f76cefb59 File name: AutoHotkey
Antivirus | Result | Update |
---|---|---|
Bkav | W32.eHeur.Malware12 | 20180706 |
Jiangmin | Trojan.Generic.bxwmv | 20180710 |
TrendMicro-HouseCall | Suspicious_GEN.F47V0604 | 20180710 |
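
One way to carry out the review-and-recompile check mentioned above, as an added example that is not part of the thread and not the project's build tooling: hash the downloaded release and a local rebuild, compare the release against the SHA-256 quoted in the post, and, if the two files differ, list the byte ranges that differ. The function names and the report layout are assumptions; the file paths are whatever the reader supplies.

```python
import hashlib
from pathlib import Path

# SHA-256 quoted in the post above for the released bugn.exe.
PUBLISHED_SHA256 = "c1b5d8ead0184afd8c28f7716468f5dd84d869d039bd87c37227d873d957c44f"


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so the executable is not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def differing_ranges(a: bytes, b: bytes, gap=8):
    """Return (start, end) byte ranges where a and b differ. Differences
    closer than `gap` bytes are merged; a length mismatch is a final range."""
    ranges = []
    common = min(len(a), len(b))
    for i in range(common):
        if a[i] != b[i]:
            if ranges and i - ranges[-1][1] <= gap:
                ranges[-1][1] = i + 1      # extend the current range
            else:
                ranges.append([i, i + 1])  # start a new range
    if len(a) != len(b):
        ranges.append([common, max(len(a), len(b))])
    return [tuple(r) for r in ranges]


def compare_build(released, rebuilt, expected_sha256=None):
    """Compare a downloaded release with a local rebuild of the same source."""
    rel_hash, reb_hash = sha256_file(released), sha256_file(rebuilt)
    report = {
        "released_sha256": rel_hash,
        "rebuilt_sha256": reb_hash,
        # None when no published hash was supplied to check against.
        "release_matches_published": (
            None if expected_sha256 is None else rel_hash == expected_sha256.lower()
        ),
        "reproducible": rel_hash == reb_hash,
        "diff_ranges": [],
    }
    if not report["reproducible"]:
        report["diff_ranges"] = differing_ranges(
            Path(released).read_bytes(), Path(rebuilt).read_bytes()
        )
    return report
```

An empty `diff_ranges` with `reproducible` set to `True` means the rebuild is byte-identical to the release; otherwise the ranges show where to start looking.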
I understand, but this is preventing me from using it on my daily workstation, unfortunately.
I have previously confirmed that VirusTotal won't trigger for keyboard or mouse hooks. This means that keyloggers may never be reported as a threat.
I suspect it is like you say and is the result of being a compiled AHK. Some bad actors (script kiddies) probably have done as you describe and now all AHK compilations may be reported as a threat. I think it's a combination of the shell hook and being an AHK compilation.
Good work on the project. Maybe at some point you can move it away from AHK.
You can also reach out to major vendors and get yourself whitelisted.
I also get the McAfee/Artemis!8263B9CEA245 virus report when unzipping the latest (9.0.2) version zip file. Interestingly enough, the bugn.exe isn't in the directory McAfee reports it is...
Should I just delete the exe file and run the ahk file instead?