Descloix

ESET does not detect trojan QTXWPF.exe


https://www.virustotal.com/fr/file/eeb259180a974966942d86b7008f3ee48cde187075d0ebbf63d501f69f1f6003/analysis/1526498428/


hxxp://my-files.ru/mlxzrx  

This file creates new folders and files in Temp and Roaming, and the application connects to the Internet at IP 132.148.197.187. This file also creates a new program and tries to connect to the system file werfault.exe (System32, Win 7 SP1).

(screenshot attached: 2018-05-16_22-28-48.jpg)


Not malware but a game tool. We'll add detection as a potentially unsafe application. The application doesn't pose any security risk.

2 hours ago, Marcos said:

Not malware but a game tool. We'll add detection as a potentially unsafe application. The application doesn't pose any security risk.

Most detections are "Trojan" or "Trojan something".

Definition of Trojan (by Kaspersky):

A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. These actions can include:

  • Deleting data
  • Blocking data
  • Modifying data
  • Copying data
  • Disrupting the performance of computers or computer networks

I do not understand how ESET classifies this as an "unsafe application" which doesn't pose any security risk...

1 hour ago, Marcos said:

Not malware but a game tool. We'll add detection as a potentially unsafe application. The application doesn't pose any security risk.

This "game tool" is installed without my permission, configures folders and files in different directories (Temp: ScintillaNET 3.5.10 and SciLexer.dll) and connects to the Internet, without a license agreement and without notifications. AppData > Roaming: rbx_hook, SLX.wmp.dll, slx_version. Do you really think this is a "game tool"? No, I do not know what kind of information about me and my system the application transmits. My confidential information may be used for fraudulent purposes. BitDefender, Avira, Comodo, McAfee and TrendMicro are much closer to the truth than ESET. This is W32.Trojan.Gen at the least.

1 minute ago, claudiu said:

I do not understand how ESET classifies this as an "unsafe application" which doesn't pose any security risk...

Did you debug the file and analyze its code that you are saying it's a dangerous trojan? Based on what did you make the assumption that it's dangerous?

Quote

This is W32.Trojan.Gen at the least.

This is a very generic name for a detection and may cover virtually anything. By the way, SciLexer.dll is included with a lot of legitimate and benign software.

Posted (edited)
8 minutes ago, Marcos said:

Based on what did you make the assumption that it's dangerous?

See what the OP is saying...

8 minutes ago, Descloix said:

This "game tool" is installed without my permission, configures folders and files in different directories (Temp: ScintillaNET 3.5.10 and SciLexer.dll) and connects to the Internet, without a license agreement and without notifications. AppData > Roaming: rbx_hook, SLX.wmp.dll, slx_version. Do you really think this is a "game tool"? No, I do not know what kind of information about me and my system the application transmits. My confidential information may be used for fraudulent purposes. BitDefender, Avira, Comodo, McAfee and TrendMicro are much closer to the truth than ESET. This is W32.Trojan.Gen at the least.


Edited by Marcos
formatting


We are not going to detect a file as malware based on what a user says if it's not malicious. Detection is always added based on thorough analysis of the code.

The OP was also referring to a DLL which is benign and is included with a lot of legitimate software.

Posted (edited)
5 minutes ago, Marcos said:

We are not going to detect a file as malware based on what a user says if it's not malicious. Detection is always added based on thorough analysis of the code.

The OP was also referring to a DLL which is benign and is included with a lot of legitimate software.

OK, then just detect this application as you want. But do not miss dangerous or even potentially dangerous programs. You still do not have detection for this application, as "Potentially unsafe" for example. And once again, study the detections of the antivirus companies that already detect this seemingly ordinary program as a Trojan. There are many of these companies, and it is not fools working there who define the file as malicious. Regards.

Edited by Descloix

14 minutes ago, Marcos said:

We are not going to detect a file as malware based on what a user says if it's not malicious

OK then, that means 23 out of 66 antiviruses on VirusTotal must be stupid to classify this as a "Trojan" when in fact it doesn't pose any security risk.

Well done, ESET!

9 minutes ago, claudiu said:

OK then, that means 23 out of 66 antiviruses on VirusTotal must be stupid to classify this as a "Trojan" when in fact it doesn't pose any security risk.

Correct. Sometimes even > 40 AVs on VT report perfectly benign files as malware. That is also the reason why VirusTotal has the following listed among its best practices:

The data generated by VirusTotal should not be used automatically as the unique means to blacklist/produce signatures for files. i.e. Antivirus vendors should not copy the signatures generated by other vendors without any other scrutinizing on their side.

Almost all AVs detect the file with generic detection names so they are not detections based on manual analysis of the file by researchers and therefore are not accurate.

By the way, here is how the game hack tool looks when run:

(screenshot attached: image.png)

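To make the point above concrete, here is an added triage helper (example code, not code from this thread, from ESET or from VirusTotal) that separates generic or heuristic detection names from named-family detections in a VirusTotal-style result set and summarises how much of the "23 of 66" style count rests on automated verdicts. The engine names and detection strings are constructed samples, and the list of generic markers is an assumption.

```python
import re
from typing import Dict, Optional

# Constructed sample: engine -> detection name, None means no detection.
# These are NOT the real VirusTotal results for the file in the thread.
SAMPLE_RESULTS: Dict[str, Optional[str]] = {
    "engine_a": "W32.Trojan.Gen",
    "engine_b": "Trojan.Generic.12345678",
    "engine_c": "Gen:Variant.Razy.1234",
    "engine_d": "Artemis!ABCDEF012345",
    "engine_e": "Malicious_Behavior.SB",
    "engine_f": "Trojan.Win32.ExampleFam.a",  # constructed "named family"
    "engine_g": None,
    "engine_h": None,
    "engine_i": None,
}

# Fragments that usually mark an automated, heuristic or reputation verdict
# rather than a researcher-assigned family name. Assumed heuristic list.
GENERIC_MARKERS = re.compile(
    r"(gen(eric)?\b|heur|suspicious|reputation|artemis|variant|"
    r"malicious|unsafe|\bml\b|score|behavior|\bsb\b)",
    re.IGNORECASE,
)


def is_generic(name: str) -> bool:
    """True if the detection name looks generic/heuristic rather than a family."""
    return bool(GENERIC_MARKERS.search(name))


def verdict(detected: int, specific: int) -> str:
    """Coarse triage label: generic-only hits are a prompt to analyse, not proof."""
    if detected == 0:
        return "clean-by-signature"
    if specific >= 2:
        return "named-family-consensus"
    return "generic-dominated"


def triage(results: Dict[str, Optional[str]]) -> dict:
    """Summarise a VT-style result set by generic vs. named-family detections."""
    detected = {e: n for e, n in results.items() if n}
    generic = {e: n for e, n in detected.items() if is_generic(n)}
    specific = {e: n for e, n in detected.items() if e not in generic}
    return {
        "engines": len(results),
        "detected": len(detected),
        "generic": len(generic),
        "specific": len(specific),
        "specific_names": sorted(set(specific.values())),
        "verdict": verdict(len(detected), len(specific)),
    }
```

Run on the constructed sample, five of the six detections are generic, so the summary comes back "generic-dominated": the count alone says little until someone analyses the file's code or behaviour.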
Posted (edited)
1 hour ago, Marcos said:

Correct. Sometimes even > 40 AVs on VT report perfectly benign files as malware. That is also the reason why VirusTotal has the following listed among its best practices:

The data generated by VirusTotal should not be used automatically as the unique means to blacklist/produce signatures for files. i.e. Antivirus vendors should not copy the signatures generated by other vendors without any other scrutinizing on their side.

By the way, here is how the game hack tool looks when run:

(screenshot attached: image.png)

The creation, modification and launch of the file without my permission is prohibited by the HIPS module. Try letting HIPS stop QTXWPF.exe from accessing all files on the computer. You will see a completely different image. This is called MODIFICATION AND CREATION OF A NEW APPLICATION. You are very active in antispam, which is usually a supplement to the main program. You have a rootkit detection module from 2017 and a special cleaning module from 2016 in the 7th version of ESET Endpoint Security, 7.0.2053.0. This is the 2018 version!!!!!! Analyze the traffic of the program and look at its activity: the .exe file creates a .ini file and runs that window with buttons.

(screenshot attached: 899222d01fac3026bab299bb7e8bf25a.png)

Edited by Descloix


This window appeared after the HIPS rules which prohibit the creation, launch and modification of any other files and system parameters.

(screenshot attached: a176e397edf60321c3113d0c2afc04ef.jpg)


I really don't understand this discussion.

It would be one thing if Eset was the only major AV vendor not flagging this software at VirusTotal. That is far from the case. Avast/AVG, F-Secure, Kaspersky, Panda, Sophos, Symantec, and TrendMicro (non-HouseCall version) also do not flag the software as malicious.

Of the vendors that do flag the software, many of those employ some type of behavior analysis processing. From what has been described in this posting, the software definitely performs "suspicious" activities. However, those alone are not enough to classify software as malicious.

Posted (edited)

As far as SciLexer.dll goes:

Quote

CIA hacking SciLexer.dll

Actually, I read the story when it broke several weeks ago. What the hack boils down to is replacing one or more of the DLLs used in Notepad++ with modified ones. This issue is hardly specific to Notepad++. Any program in Windows that uses DLLs can potentially have this problem.

The fix that the Notepad++ team has decided to implement is to check the DLL signature before loading it. It shouldn't be too difficult to do the same in ScintillaNET and I have no problem adding that to the backlog.

Be aware that for this to truly make a difference in an application, developers need to also use the signed version of ScintillaNET and make sure their application is only using and requires signed, strong-named DLLs. Otherwise, we would go to all the trouble of making sure we have the right SciLexer.dll, but the application itself is not checking the ScintillaNET DLL.

https://github.com/jacobslusser/ScintillaNET/issues/330

So if the CIA can do it, most certainly the Russians can. Which leads to the issue of downloading a game hack from a Russian web site. :rolleyes: In any case, one shouldn't be installing apps that are not validly signed.

Edited by itman

1 hour ago, itman said:

As far as SciLexer.dll goes:

https://github.com/jacobslusser/ScintillaNET/issues/330

So if the CIA can do it, most certainly the Russians can. Which leads to the issue of downloading a game hack from a Russian web site. :rolleyes: In any case, one shouldn't be installing apps that are not validly signed.

If the program leaves files of incomprehensible content in various system directories, registers itself in startup and changes the browser's start page, then this is a HARMFUL program. It also creates empty folders and connects to the Internet. In your opinion, is this normal? A person is going to defend his doctoral dissertation, and in it are unclear files which, when launched, bring up game windows, window crashes in the system and all those windows and files that I and other people have posted above.

Symantec, Kaspersky and F-Secure detect this virus or malware. At the top of the Norton Internet Security window it is written: the file contains a medium-level threat. Name: WS.Reputation.1. It is also written: the threat has been eliminated. If an antivirus is not listed on VirusTotal, that does not mean it does not recognize the threat in this file.

Posted (edited)

As far as this IP, 132.148.197.187, goes, per Robtex:

Quote


It is hosted by GoDaddy.com, LLC
Hostname: ip-132-148-197-187.ip.secureserver.net
City: Scottsdale, Arizona US
Latitude/Longitude: 33.6119,-111.8910
Postal Code: 85260


Here's a report I ran on the domain, www.xyzhosting.net, associated with it: https://www.virustotal.com/#/domain/www.xyzhosting.net

It appears that anything named QTX.exe that references it could very well be malicious. You referenced QTXWPF.exe.

Edited by itman

Posted (edited)
8 hours ago, itman said:

As far as this IP, 132.148.197.187, goes, per Robtex:


Here's a report I ran on the domain, www.xyzhosting.net, associated with it: https://www.virustotal.com/#/domain/www.xyzhosting.net

It appears that anything named QTX.exe that references it could very well be malicious. You referenced QTXWPF.exe.

1) ip-132-148-197-187.ip.secureserver.net - Are you sure that behind this IP there is not a maniac killer or a hacker who collects information? I do not know. It's just numbers and letters. People are behind them. What people? Do you know? Did you see them? Do you know them? Did you analyze the outbound traffic from the computer when the application QTXWPF.exe is connected to the Internet?

2) QTXWPF.exe - it's just letters. But I gave you a link (!!!) to a modified file, which is a medium-level threat according to the antivirus company Symantec. Also 24 (!!!) AV companies: McAfee, Kaspersky, BitDefender, Avira, Comodo etc. classify this file as a trojan.

https://www.virustotal.com/#/domain/www.xyzhosting.net - I saw this link and I can tell you one thing: if 25-30 out of 60 antivirus companies say the file is a virus, then it is. 30 AV companies correctly identified the virus. For some this file is classified as a trojan, and others consider it adware or malware. In any case, it's a virus. Today, viruses are more and more classified according to behavioral analysis and reputation. This is correct, because it makes clear what harm this or that application or file is doing to the person sitting at the computer.

Now, almost in the middle of the 21st century, stealing a password is nonsense. 1 minute and I'm on the phone recovering the password. The collapse of the system is not a catastrophe. 20-30 minutes and I have completely reinstalled the system. It takes the same amount of time to scan for viruses. All files and programs that harm the system should be considered a threat, and the most dangerous ones must be immediately removed from the computer. The remaining medium-risk files should be isolated by the antivirus, giving the user a choice and warning him.

For example, P.S.: https://www.upload.ee/files/8450398/Network_Booster_1.1.rar.html

Symantec deletes this file; ESET only blocks it at startup. The file connects to the Internet and creates traffic. Done.

Edited by Descloix
