jessy (posted December 23, 2013):
Today, when I was starting my VBS file to run a SQL server, it got deleted by NOD32. It's a very simple script, and I think you might have detected it by mistake? The content of the VBS file:

    CreateObject("WScript.Shell").Exec "sqlexplorer.exe command.exe"

Arakasi (posted December 23, 2013):
Perhaps the command.exe flagged it. I have VBS scripts with create shell objects that don't flag at all.
How do I submit a virus, website or potential false positive sample to ESET's lab?

jessy (posted December 23, 2013):
I thought it maybe was that (even if it was, it would still be a false positive), but it wasn't. Tried to rename both the filenames and the extensions; it didn't solve the problem. I know I could just use a cmd file, but I think it's very wrong that ESET is detecting legit files.

Arakasi (posted December 23, 2013):
Can you PM me the file? I would like to test the same file on my database.

jessy (posted December 23, 2013):
Simply create a new file with the content of:

    CreateObject("WScript.Shell").Exec "sqlexplorer.exe command.exe"

You can change the names or the extensions; it's still detected.

Arakasi (posted December 23, 2013):
Will try...

Arakasi (posted December 23, 2013):
Haha, that's funny. Marcos, you should try this, lol. This is the flag: "sqlexplorer.exe command.exe"

jessy (posted December 23, 2013):
It's not. Try changing it to something like this: "test1.exe test2.exe", or other extension names too; it's still detecting it, no matter what.

jessy (posted December 23, 2013):
Just a stupid example to show you it's detected:

    CreateObject("WScript.Shell").Exec "test1.jpg test2.png"

Detection name: VBS/Starter/NAQ trojan

Arakasi (posted December 23, 2013):
I changed it to this:

    CreateObject("WScript.Shell").Exec "command.exe"

Doesn't detect.

    CreateObject("WScript.Shell").Exec "sqlexplorer.exe"

Doesn't detect.

Why are you adding both files inside the quotes like that anyway? Usually when creating a shell object, you create it as 1 object for each executable or similar you're going to call a function or action on. You're telling the machine to create 1 shell object with command and sqlexplorer running as the same object.
hxxp://msdn.microsoft.com/en-us/library/d5fk67ky%28v=vs.84%29.aspx

Why don't you change your code up to use a variable instead of the programs directly? That will stop ESET from hating your file so bad in the first place. Use a variable.

jessy (posted December 23, 2013):
If I want to simulate the drag and drop option, that's the way to do it, and I don't see why in God's name that should be detected.

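What the two-token string in this thread does, as an added example that is not part of the original posts: Exec takes one command line, so the first token is the program and the second is passed to it as an argument, which is what dropping a file onto an executable amounts to. The paths and the helper names Quote and RunWithArgument are hypothetical placeholders.

```vbscript
Option Explicit

' Placeholder paths (assumptions, not taken from the thread).
Const TARGET_EXE = "C:\Tools\sqlexplorer.exe"
Const DROPPED_FILE = "C:\Data Files\command.exe"

' Wrap a path in double quotes so a space inside it does not split it
' into several command-line tokens.
Function Quote(ByVal path)
    Quote = Chr(34) & path & Chr(34)
End Function

' Launch exePath with filePath as its only argument and return the exit code.
Function RunWithArgument(ByVal exePath, ByVal filePath)
    Dim fso, shell, proc
    Set fso = CreateObject("Scripting.FileSystemObject")

    ' Fail early with a clear error instead of launching an unresolved name.
    If Not fso.FileExists(exePath) Then
        Err.Raise vbObjectError + 1, "RunWithArgument", "Program not found: " & exePath
    End If
    If Not fso.FileExists(filePath) Then
        Err.Raise vbObjectError + 2, "RunWithArgument", "Argument file not found: " & filePath
    End If

    Set shell = CreateObject("WScript.Shell")
    ' One command line: first token is the program, second is its argument.
    Set proc = shell.Exec(Quote(exePath) & " " & Quote(filePath))

    ' Status 0 means the child is still running. A program that writes a lot
    ' to StdOut should have proc.StdOut read here, or this loop can stall.
    Do While proc.Status = 0
        WScript.Sleep 100
    Loop

    RunWithArgument = proc.ExitCode
End Function

WScript.Echo "Exit code: " & RunWithArgument(TARGET_EXE, DROPPED_FILE)
```
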
Arakasi (posted December 23, 2013):

    Dim oShell
    Set oShell = WScript.CreateObject("WScript.Shell")
    ' Run one program per call: either command.exe ...
    oShell.Run "command.exe"
    ' ... or sqlexplorer.exe
    oShell.Run "sqlexplorer.exe"

Arakasi (posted December 23, 2013):
> If I want to simulate the drag and drop option, that's the way to do it, and I don't see why in God's name that should be detected.

PM what drag and drop feature you're trying to simulate or implement. Two heads are better than one. The case where ESET is detecting might be code syntax related, I don't know, but we will have to wait for them to respond to find out how to proceed or what they will do/say. Thanks jessy

jessy (posted December 24, 2013):
It's solved now, and it's not detected anymore.

Arakasi (posted December 24, 2013):
You are absolutely right. A developer or staff most likely saw the thread and reported. Thanks Jessy, you have been great. Have a happy holidays!