Author Topic: A Trojan in "Captain.exe" ?!  (Read 10427 times)

beslam

  • Participant
  • Joined in 2010
  • Posts: 16
A Trojan in "Captain.exe" ?!
« on: April 29, 2010, 11:36 AM »
Hello,
I analyzed Captain.exe with VirusTotal ( www.virustotal.com ) with 40+ different antivirus and I got as a result that a trojan named "Trojan.Win32.Swisyn.spa" infects Captain.exe  :huh:
Can anyone tell me anything about this, please ?!
Thanx.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,901
Re: A Trojan in "Captain.exe" ?!
« Reply #1 on: April 29, 2010, 11:46 AM »
two questions:

1) where is captain.exe from and what is it?
2) can you give us the url virustotal gives you where it displays its report so we can see?

beslam

Re: A Trojan in "Captain.exe" ?!
« Reply #2 on: April 29, 2010, 11:58 AM »
1/ I downloaded captain.exe from https://www.donation...l/index.html#Captain

2/ The address of the report of virustotal :
http://www.virustota...3f9f25b1d-1268877433

mouser

Re: A Trojan in "Captain.exe" ?!
« Reply #3 on: April 29, 2010, 12:08 PM »
ok, thank you.

  • this is almost certainly a false positive, triggered not too infrequently on compiled scripts written in the autohotkey language.  there is no virus or trojan.  it's a false alarm.
  • you can download the source .ahk file from that same page and run it without it being compiled at all, if you are wary.
  • usually we see only 1 stupid antivirus program flagging a compiled ahk as dangerous.. this time it's a ton of them.. i suspect that it's because skrommel has built these so long ago.  it's DEEPLY troubling and fills me with anger at these antivirus companies for being so damn stupid and lazy to do this.  i simply can't express how irresponsible it is for them to generically flag programs as viruses just because they were compiled with a certain packaging program.  but i've ranted against this for so long in so many posts i'm just exhausted from it.
  • i will try to get skrommel to rebuild his ahks so these alerts stop.

mouser

Re: A Trojan in "Captain.exe" ?!
« Reply #4 on: April 29, 2010, 12:17 PM »
follow up:
we need to fix skrommel's compiled ahks and remove the upx right away. if there are this many antivirus tools falsely flagging these, this just confirms that the antivirus companies have effectively made it impossible to ever use UPX to pack anything again.  i feel horrible for UPX because this is deeply unfair to them, but as i said in this post, it is simply impossible to use UPX without getting massively and repeatedly flagged improperly as being a trojan -- there is no other solution at this point but to absolutely forbid the use of upx on any program uploaded to DC.

anyone associated with UPX who wants my help fighting the antivirus companies to get them to stop this outrageous (and perhaps legally liable for damages) behavior, just ask.  but until they do stop, we have no choice but to outlaw the use of upx on any dc related software, immediately.  the damage to the site is just too high.

beslam

Re: A Trojan in "Captain.exe" ?!
« Reply #5 on: April 29, 2010, 12:47 PM »
Ok, I'm relieved  ;) but I have a couple of questions :

1) What do you mean with "DC" ?

2) Until today, has anybody had a problem using it? Has nobody before me complained about it, please?  :tellme:

Thanx



mouser

Re: A Trojan in "Captain.exe" ?!
« Reply #6 on: April 29, 2010, 12:52 PM »
1) DC = DonationCoder

2) We *regularly* see these false-positive reports about compiled ahk scripts like skrommel's.  They are always false alarms.  You can see more here.

3) Such false alarms are why we established a new policy of saying the UPX packager should no longer be used on any programs uploaded to donationcoder.  it's just that skrommel has not updated his older exe's yet.  i hope he will do so right away.


beslam

Re: A Trojan in "Captain.exe" ?!
« Reply #7 on: April 29, 2010, 01:06 PM »
 :Thmbsup:

lanux128

  • Global Moderator
  • Joined in 2005
  • Posts: 6,277
Re: A Trojan in "Captain.exe" ?!
« Reply #8 on: May 26, 2010, 12:34 AM »
> 1/ I downloaded captain.exe from https://www.donation...l/index.html#Captain
>
> 2/ The address of the report of virustotal :
> http://www.virustota...3f9f25b1d-1268877433

just to note that since the above report, Skrommel has re-compiled all the Exe files of his programs and below is the link to Virustotal's analysis of the new Captain.exe.

http://www.virustota...dbfed0451-1274851845

beslam

Re: A Trojan in "Captain.exe" ?!
« Reply #9 on: May 26, 2010, 02:39 AM »
I've seen. It is conclusive  ;)
Harry

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • Posts: 8,066
Re: A Trojan in "Captain.exe" ?!
« Reply #10 on: May 26, 2010, 07:29 AM »
>> 1/ I downloaded captain.exe from https://www.donation...l/index.html#Captain
>>
>> 2/ The address of the report of virustotal :
>> http://www.virustota...3f9f25b1d-1268877433
>
> just to note that since the above report, Skrommel has re-compiled all the Exe files of his programs and below is the link to Virustotal's analysis of the new Captain.exe.
>
> http://www.virustota...dbfed0451-1274851845

It is interesting to see from that report that two versions of McAfee come to different conclusions ;)

Arse/Elbow springs to mind  :-[

beslam

Re: A Trojan in "Captain.exe" ?!
« Reply #11 on: May 26, 2010, 12:20 PM »
Yes, I've noticed the same thing with Avast also ;)
Harry

daddydave

  • Supporting Member
  • Joined in 2008
  • Posts: 867
Re: A Trojan in "Captain.exe" ?!
« Reply #12 on: May 26, 2010, 12:27 PM »
At least we can all figure out what antivirus software to avoid.