furger

Malicious code detected in SimServer.exe (Trojan-Ransom.Win32.Blocker.kdwe)

Hi

When downloading the most current version 3.1 (http://library.avsim.net/esearch.php?DLID=200064) Kaspersky is telling me that malicious code has been detected in SimServer.exe (Trojan-Ransom.Win32.Blocker.kdwe).

Best regards

Andreas

False positive.

If you have downloaded it from the official source there is no problem.

Hi Andreas,

I downloaded the app from AVSIM, and first of all, I confirm it's the same file I uploaded. So the one at AVSIM is not corrupted in any way.

Then I ran this online virus scan which uses many detection engines:

https://www.virustotal.com/file/fe5e08c8906e6e63aa16431debb378798c51b808785902325442bfd856b78409/analysis/1498721286/

Indeed, 6 engines detect malware. I'm guessing this is because I use a tool to encrypt the binary file to avoid easy disassembly.

Since 55 antivirus engines don't detect a virus, I would say this is indeed a false positive (so the tool I'm using doesn't add anything malicious).

I hope this reassures you on this topic.

Best Regards

Mark

Dear Mark

Thank you for paying attention to this and for clarifying. It's currently a sensitive topic...

Best regards

Andreas

Hi Andreas,

I fully understand - and as such, thank you for pointing this out.

As a FYI: I have contacted Kaspersky and reported this as a false positive. As soon as I hear back from them, I will post the information in this thread.

Best Regards

Mark

I will also note that Kaspersky does not like simserver.exe. Took me quite a while to get it installed and running as it would automatically be blocked and then deleted.

Same problem but with BitDefender.....I can't even extract it from the zip file without BitDefender blocking and deleting it. :-(

Dear All,

a quick update from my side:

  • Since I haven't heard back from Kaspersky, I did some research as to what was causing this increasing rate of false positives. Indeed, as Hilkiah mentioned above, more and more AV engines have detected some form of malware.
  • AV software uses heuristic (empirical) algorithms to detect suspicious code. So if something looks fishy, it will be flagged, regardless of whether it actually is malware or not.
  • While playing around with my tool chain during compilation, I noticed that my original executable didn't show any sign of detected malware.
  • Instead, as I had expected, I ran into malware detection when running my obfuscation tool. It turns out there is a small setting that will set off AV software. After disabling this setting, Kaspersky and co. no longer detect malware.
  • This doesn't mean that the app was misbehaving in the past. It just means it looked 'fishy', and probably other forms of malware took similar precautions against being disassembled.
  • I have uploaded a new version to AVSIM and as soon as the link goes live, I will update the link on here. Also, the app should notify you once the update is available.
  • No code changes to the app were made (except updating version info from 3.1.0.0 to 3.1.0.1).
  • There is nothing wrong with the current version, except that it sets off AV software.

Thank you all for reporting this - I am trying to treat this problem with very high priority.

As such, I'm also trying to be as transparent as I can be.

Best Regards

Mark

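
Two checks a reader of this thread can run locally, as an added example that is not SimServer's, AVSIM's or any poster's code: first, confirming that a downloaded SimServer.exe is byte-identical to the file VirusTotal scanned (the report URLs above are keyed by SHA-256, which is what Mark's "same file I uploaded" claim rests on), and second, measuring per-section entropy of a PE file, the kind of packer/obfuscator signal that heuristic AV engines key on and that Mark's bullet list describes his obfuscation tool tripping. The PE image, its section contents, the seed for the "encrypted" payload and the 7.0 bits/byte threshold are all constructed assumptions for illustration.

```python
"""Two checks for a download like SimServer.exe: (1) does the local file's
SHA-256 match the digest in the VirusTotal report URL, and (2) how much
entropy do its PE sections carry, the signal packer heuristics look at.
Added example, not the project's code; the PE image is constructed in
memory and is parseable, not loadable."""
import hashlib
import math
import random
import struct
from collections import Counter


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a blob; VirusTotal report URLs are keyed by this digest."""
    return hashlib.sha256(data).hexdigest()


def matches_report(data: bytes, report_digest: str) -> bool:
    """True if the local bytes are exactly the file VirusTotal scanned."""
    return sha256_hex(data) == report_digest.strip().lower()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant blob, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each section of a PE image.

    Minimal parser: DOS header -> e_lfanew -> "PE\\0\\0" -> COFF header
    -> optional header (skipped via SizeOfOptionalHeader) -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size
    for i in range(num_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]


def packed_sections(image: bytes, threshold: float = 7.0):
    """Return [(name, entropy)] for sections above the threshold.

    Assumed rule of thumb: compiled x86 code sits around 5-6.5 bits/byte,
    compressed or encrypted payloads near 8; that gap is what packer
    heuristics key on, and why a clean obfuscated binary looks like malware."""
    flagged = []
    for name, blob in pe_sections(image):
        h = shannon_entropy(blob)
        if h > threshold:
            flagged.append((name, round(h, 2)))
    return flagged


def build_toy_pe(sections):
    """Construct a minimal PE32 image from [(name, payload)] (constructed sample)."""
    opt_size = 224                                   # PE32 optional header size
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)      # Magic = PE32
    table, blobs, ptr = b"", b"", hdr_end
    for name, payload in sections:
        table += name.ljust(8, b"\0")[:8]
        table += struct.pack("<IIII", len(payload), 0, len(payload), ptr)
        table += b"\0" * 16                          # relocs, linenumbers, flags
        blobs += payload
        ptr += len(payload)
    return dos + b"PE\0\0" + coff + opt + table + blobs


# Constructed sample: a repetitive code-like section and an "encrypted" one.
PLAIN_TEXT = b"\x55\x8b\xec\x83\xec\x10\x8b\x45\x08" * 300 + b"\xc3" * 40
_rng = random.Random(20170630)                       # deterministic stand-in for ciphertext
PACKED = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_IMAGE = build_toy_pe([(b".text", PLAIN_TEXT), (b".packed", PACKED)])

if __name__ == "__main__":
    print("sha256:", sha256_hex(SAMPLE_IMAGE))
    for name, blob in pe_sections(SAMPLE_IMAGE):
        print(f"{name:8s} {len(blob):6d} bytes  entropy={shannon_entropy(blob):.2f}")
    print("flagged:", packed_sections(SAMPLE_IMAGE))
```

Against a real download, read the file with `open(path, "rb").read()`, compare `sha256_hex(data)` to the 64-hex-character digest in the VirusTotal URL, and run `packed_sections(data)`. A section scoring near 8 bits/byte proves only that its bytes are compressed or encrypted; the heuristic cannot tell a protected legitimate binary from a packed trojan, which is the whole reason the thread's obfuscated build kept getting flagged.
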
Version 3.1.0.1 is now available on AVSIM.

7 hours ago, marcom said:

Version 3.1.0.1 is now available on AVSIM.

I currently have an open case with Kaspersky and they are looking at this to figure out what is causing the false positive. Also, the new version of the program has the same results with Kaspersky. I cannot unpack the zip file as it deletes the executable file every time. I will keep you posted on what I find out.

Dear Mark

Unfortunately there is no difference with the new version 3.1.0.1. My system still is diagnosing/treating the file SimServer.exe as infected.

I hope you/Kaspersky will find a solution.

Best regards

Andreas

Hi folks,

yes, I am seeing this now as well. This is really frustrating, as yesterday everything looked ok.

Before uploading yet a new version to AVSIM, please give this version a test (I uploaded it to my google drive):

https://drive.google.com/file/d/0B5HdXeQAwtKVZVVhVFgxMDQ0LVk/view?usp=drive_web

The new .exe gave this result on VirusTotal:

https://virustotal.com/en/file/61b3f5a9b3b16467773a3892794d6e9b802fd0093f40fc6f237cc05b2a08928d/analysis/1499109271/

PS: again no code changes, just different settings for the obfuscation tool.

Regards

Mark

Mark,

I was able to download this version (from your Google Drive) to my computer and open and successfully run the simserver.exe. Bitdefender didn't complain one bit! I also ran the online check and it passes with flying colors.

https://virustotal.com/en/file/08d61fa7cd659d4ae704ddc2b92753ebbecad0e16f56de6e637d1a3e299db594/analysis/1499109928/

Go ahead and upload and I will redownload the newly updated version and test again. If that fails, then the problem has to do with the zip files getting corrupted after being uploaded. If it passes, then the problem most likely was due to the obfuscation settings you used.

Regards,

Hilkiah
