furger

Malicious code detected in SimServer.exe (Trojan-Ransom.Win32.Blocker.kdwe)


Hi

When downloading the most current version 3.1 (http://library.avsim.net/esearch.php?DLID=200064) Kaspersky is telling me that malicious code has been detected in SimServer.exe (Trojan-Ransom.Win32.Blocker.kdwe).

Best regards

Andreas


Andreas Furger


False positive.

If you have downloaded it from the official source there is no problem.


System: i9 9900k@4.9 - 32 GB RAM - Aorus 1080ti --- Sim/Addons: P3D v5 + ProSim737


Hi Andreas,

I downloaded the app from AVSIM, and first of all, I confirm it's the same file I uploaded. So the one at AVSIM is not corrupted in any way.

Then I ran this online virus scan which uses many detection engines:

https://www.virustotal.com/file/fe5e08c8906e6e63aa16431debb378798c51b808785902325442bfd856b78409/analysis/1498721286/

Indeed, 6 engines detect malware. I'm guessing this is because I use a tool to encrypt the binary file to avoid easy disassembly.

Since 55 anti virus engines don't detect a virus, I would say this is indeed a false positive (so the tool I'm using doesn't add anything malicious).

I hope this reassures you on this topic.

Best Regards

Mark


Mark Foti

Author of aviaworx - https://www.aviaworx.com


Dear Mark

Thank you for your attention and thank you for clarifying. It's currently a sensitive topic . . .

Best regards

Andreas


Andreas Furger


Hi Andreas,

I fully understand - and as such, thank you for pointing this out.

As an FYI: I have contacted Kaspersky and reported this as a false positive. As soon as I hear back from them, I will post the information in this thread.

Best Regards

Mark


Mark Foti

Author of aviaworx - https://www.aviaworx.com


I will also note that Kaspersky does not like simserver.exe. Took me quite a while to get it installed and running as it would automatically be blocked and then deleted.


Matt Bernard
20+ Years Commercial/GA A&P/PLST


Same problem but with BitDefender... I can't even extract it from the zip file without BitDefender blocking and deleting it. :-(


Hilkiah G. Lavinier

P3d v4.3, ORBX (global/trees/vector/LC,airports), Envshade/Envtek, Pilot2ATC, PRO-ATC, Navigraph, PFPX, ASCA/AS, Freemesh 2.0, Aivlasoft EFB v2, Various addon airports, FSL A319X/A320X, PMDG 737/777/747, TFDI 717, QW 787, Carenados jets

Intel i7 4790k (no OC & no hyperthreading), 16gb, Nvidia 980ti (no OC), 3xSSDs, Acer Predator XB281HK (4K resolution), Windows 10 (1803 build) - runs P3D 

Intel NUC7i7BNH i7, 16gb, M2 ssd, Windows 10 (build 1803) - runs AS/ASCA, Pilot2ATC, Aivlasoft EFB 


Dear All,

a quick update from my side:

  • Since I haven't heard back from Kaspersky, I did some research as to what was causing this increasing rate of false positives. Indeed, as Hilkiah mentioned above, more and more AV engines have detected some form of malware.
  • AV software uses heuristic (empirical) algorithms to detect suspicious code. So if something looks fishy, it will be flagged, regardless of whether it actually is malware or not.
  • While playing around with my tool chain during compilation, I noticed that my original executable didn't show any sign of detected malware.
  • Instead, as I had expected, I ran into malware detection when running my obfuscation tool. It turns out, there is a small setting that will set off AV software. After disabling this setting, Kaspersky and co no longer detect malware.
  • This doesn't mean that the app was misbehaving in the past. It just means it looked 'fishy', and probably other forms of malware took similar precautions against being disassembled.
  • I have uploaded a new version to AVSIM and as soon as the link goes live, I will update the link on here. Also, the app should notify you once the update is available.
  • No code changes to the app were made (except updating version info from 3.1.0.0 to 3.1.0.1)
  • There is nothing wrong with the current version, except that it sets off AV software

Thank you all for reporting this - I am trying to treat this problem with very high priority.

As such, I'm also trying to be as transparent as I can be.

Best Regards

Mark


Mark Foti

Author of aviaworx - https://www.aviaworx.com

7 hours ago, marcom said:

Version 3.1.0.1 is now available on AVSIM.


I currently have an open case with Kaspersky and they are looking at this to figure out what is causing the false positive. Also, the new version of the program has the same results with Kaspersky. I cannot unpack the zip file as it deletes the executable file every time. I will keep you posted on what I find out.


Matt Bernard
20+ Years Commercial/GA A&P/PLST


Dear Mark

Unfortunately there is no difference with the new version 3.1.0.1. My system is still diagnosing/treating the file SimServer.exe as infected.

I hope you/Kaspersky will find a solution.

Best regards

Andreas


Andreas Furger


Hi Mark,

I too am having similar issues even with the newest file (downloaded from your link). Bitdefender deleted the exe from the zip file when I extracted it. I did the online scan again and got 5 positives:

https://www.virustotal.com/en/file/0d035e036dbe737c56c8e7a21583aeb60a681dfdd421faa659cba672bbec3dc6/analysis/1499103633/


Hilkiah G. Lavinier

P3d v4.3, ORBX (global/trees/vector/LC,airports), Envshade/Envtek, Pilot2ATC, PRO-ATC, Navigraph, PFPX, ASCA/AS, Freemesh 2.0, Aivlasoft EFB v2, Various addon airports, FSL A319X/A320X, PMDG 737/777/747, TFDI 717, QW 787, Carenados jets

Intel i7 4790k (no OC & no hyperthreading), 16gb, Nvidia 980ti (no OC), 3xSSDs, Acer Predator XB281HK (4K resolution), Windows 10 (1803 build) - runs P3D 

Intel NUC7i7BNH i7, 16gb, M2 ssd, Windows 10 (build 1803) - runs AS/ASCA, Pilot2ATC, Aivlasoft EFB 


Hi folks,

Yes, I am seeing this now as well. This is really frustrating, as yesterday everything looked ok.

Before uploading yet a new version to AVSIM, please give this version a test (I uploaded it to my google drive):

https://drive.google.com/file/d/0B5HdXeQAwtKVZVVhVFgxMDQ0LVk/view?usp=drive_web

The new .exe gave this result on VirusTotal:

https://virustotal.com/en/file/61b3f5a9b3b16467773a3892794d6e9b802fd0093f40fc6f237cc05b2a08928d/analysis/1499109271/

PS: again no code changes, just different settings for the obfuscation tool.

Regards

Mark


Mark Foti

Author of aviaworx - https://www.aviaworx.com


Mark,

I was able to download this version (from your google drive) to my computer and open and successfully run the simserver.exe. Bitdefender didn't complain one bit! I also ran the online check and it passes with flying colors.

https://virustotal.com/en/file/08d61fa7cd659d4ae704ddc2b92753ebbecad0e16f56de6e637d1a3e299db594/analysis/1499109928/

Go ahead and upload and I will redownload the newly updated version and test again. If that fails, then the problem has to do with the zip files getting corrupted after being uploaded. If it passes, then the problem most likely was due to the obfuscation settings you used.

Regards,

Hilkiah


Hilkiah G. Lavinier

P3d v4.3, ORBX (global/trees/vector/LC,airports), Envshade/Envtek, Pilot2ATC, PRO-ATC, Navigraph, PFPX, ASCA/AS, Freemesh 2.0, Aivlasoft EFB v2, Various addon airports, FSL A319X/A320X, PMDG 737/777/747, TFDI 717, QW 787, Carenados jets

Intel i7 4790k (no OC & no hyperthreading), 16gb, Nvidia 980ti (no OC), 3xSSDs, Acer Predator XB281HK (4K resolution), Windows 10 (1803 build) - runs P3D 

Intel NUC7i7BNH i7, 16gb, M2 ssd, Windows 10 (build 1803) - runs AS/ASCA, Pilot2ATC, Aivlasoft EFB 
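Two claims in this thread can be checked directly rather than by re-scanning: Mark's statement that the AVSIM copy is the same file he uploaded, and Hilkiah's question of whether the zip is being corrupted on upload. Both come down to comparing SHA-256 digests. The 64-hex-character string in every VirusTotal link posted above is the SHA-256 of the file that was scanned, so anyone can hash their local copy and see which of those scans, if any, it corresponds to. The script below is an added example, not code from the thread or from aviaworx; it embeds the four links from this thread, and the sample file it builds is constructed stand-in content, not the real SimServer.exe. (Incidentally, the two links posted for the Google Drive build carry different digests, so those two scans were not of byte-identical files.)

```python
import hashlib
import os
import re
import tempfile

# VirusTotal links posted in this thread. The 64-hex string in a VirusTotal
# file URL is the SHA-256 of the file that was scanned.
VT_LINKS = {
    "3.1.0.0 from AVSIM (Mark's scan)":
        "https://www.virustotal.com/file/fe5e08c8906e6e63aa16431debb378798c51b808785902325442bfd856b78409/analysis/1498721286/",
    "3.1.0.1 from AVSIM (Hilkiah's scan)":
        "https://www.virustotal.com/en/file/0d035e036dbe737c56c8e7a21583aeb60a681dfdd421faa659cba672bbec3dc6/analysis/1499103633/",
    "Google Drive build (Mark's scan)":
        "https://virustotal.com/en/file/61b3f5a9b3b16467773a3892794d6e9b802fd0093f40fc6f237cc05b2a08928d/analysis/1499109271/",
    "Google Drive build (Hilkiah's scan)":
        "https://virustotal.com/en/file/08d61fa7cd659d4ae704ddc2b92753ebbecad0e16f56de6e637d1a3e299db594/analysis/1499109928/",
}

# Matches both the "/file/<sha256>/" and "/en/file/<sha256>/" URL forms used above.
_VT_HASH_RE = re.compile(r"virustotal\.com/(?:[a-z]{2}/)?file/([0-9a-fA-F]{64})/")


def sha256_from_vt_url(url: str) -> str:
    """Extract the SHA-256 that a VirusTotal file URL refers to (lower-case hex)."""
    match = _VT_HASH_RE.search(url)
    if match is None:
        raise ValueError(f"no SHA-256 in VirusTotal URL: {url!r}")
    return match.group(1).lower()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large installer never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_vt_link(path: str, url: str) -> bool:
    """True if the local file is byte-identical to the file behind the VirusTotal link."""
    return sha256_file(path) == sha256_from_vt_url(url)


def identify_build(path: str, links: dict = VT_LINKS):
    """Return the label of the thread's scan whose digest matches the local file, or None."""
    local = sha256_file(path)
    for label, url in links.items():
        if sha256_from_vt_url(url) == local:
            return label
    return None


def make_sample_file(content: bytes = b"abc") -> str:
    """Write constructed stand-in bytes (not the real executable) to a temp file."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "SimServer.exe")
    with open(path, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    # Point this at your own extracted SimServer.exe instead of the sample file.
    sample = make_sample_file()
    print("local SHA-256:", sha256_file(sample))
    print("matches a scan posted in the thread:", identify_build(sample))
```

Compare like with like: a zip archive and the executable inside it have different digests, so hash the extracted SimServer.exe when checking against a link that was produced by scanning the .exe. A local digest that matches none of the posted values means the bytes on disk differ from everything scanned in the thread, which is the corruption-versus-obfuscation question Hilkiah raises, settled without relying on the AV verdict.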
