Jump to content

vbs - false detection


jessy
 Share

Recommended Posts

Today, when I was starting my vbs file, to run a sql server, it got deleted by nod32.

 
It's a very simple script, and I think you might have detected it by mistake?.
 
the content of the vbs file:
 
CreateObject("WScript.Shell").Exec "sqlexplorer.exe command.exe"
 
 
Link to comment
Share on other sites

I though it maybe was that, (even it was, it would still be a false positive) but it wasn't tried to rename both the filenames, and the extensions, didn't solve the problem.

I know I could just use a cmd file, but I think it's very wrong that eset is detecting legit files.

Link to comment
Share on other sites

simply create a new file, with the content of :

 

CreateObject("WScript.Shell").Exec "sqlexplorer.exe command.exe"

 

you can change the names, or the extensions, it's still detected.

Link to comment
Share on other sites

it's not, try change it to like this: "test1.exe test2.exe" or other extension names too, it's still detecting it, no matter what

Link to comment
Share on other sites

Just a stupid example to show you, it's detected:

CreateObject("WScript.Shell").Exec "test1.jpg test2.png"

 

detection name: VBS/Starter/NAQ trojan

Link to comment
Share on other sites

I changed it to this :
 

CreateObject("WScript.Shell").Exec "command.exe"

 

Doesnt detect

 

CreateObject("WScript.Shell").Exec "sqlexplorer.exe"

 

Doesnt detect.

 

Why are you adding both files inside the quotes like that anyway ?

Usually when creating a shell object, you create it as 1 object for each executable or simlar your going to call a function or action on.

 

Your telling the machine to create 1 shell object with command and sqlexplorer running as the same object.

 

hxxp://msdn.microsoft.com/en-us/library/d5fk67ky%28v=vs.84%29.aspx

 

Why dont you change your code up to use a variable instead of the programs directly.

That will stop ESET from hating your file so bad in the first place.

Use a variable.

Edited by Arakasi
Link to comment
Share on other sites

If I want to simulate the drag an drop option, that's the way to do it, and I don't see why in gods name that should be detected

Link to comment
Share on other sites

If I want to simulate the drag an drop option, that's the way to do it, and I don't see why in gods name that should be detected

 

pm what drag and drop feature your trying to simulate or implement.

Two heads are better then one. :)

 

The case where ESET is detecting might be code syntax related, i dont know, but we will have to wait for them to respond to find out how to proceed or what they will do/say.

 

Thanks jessy

Edited by Arakasi
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...