Through the Eyes of a Keylogger versus HIPS

Discussion in 'other anti-malware software' started by aigle, Mar 12, 2009.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Neo,

    Would you be so kind to tell which trojan it was, so people can check whether they were infected or not?

    Thanks Kees
     
  2. agentG

    agentG Registered Member

    Joined:
    Apr 8, 2009
    Posts:
    17
    Hi Kees. My virus checker told me it was "Generic.dx".
     
  3. BrendanK.

    BrendanK. Guest

    Hmm. Can you send me the file (infected) through PM so I can analyze it further and see the modifications it makes.
     
  4. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
  5. agentG

    agentG Registered Member

    Joined:
    Apr 8, 2009
    Posts:
    17
    I wish I could, but I deleted the infected file. (Now, I can't believe I did it.)

    Sorry.
     
  6. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    I have found this file on my second disk.
     
  7. BrendanK.

    BrendanK. Guest

    Send it to me please :)
     
  8. BrendanK.

    BrendanK. Guest

  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,899
    Location:
    Texas
    A reminder. This is not a malware trading forum.
     
  10. BrendanK.

    BrendanK. Guest

    Ron we are not trading. Simply trying to find out what malware has infected us (if it is malware), and how to get rid of it. :)
     
  11. DOSawaits

    DOSawaits Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    469
    Location:
    Belgium
    Something, deep inside me, is not surprised at all with this "incident" ......
     
  12. BrendanK.

    BrendanK. Guest

    Well 26 virus labs now have a sample and will be testing it :D I'll post my results in the morning.
     
  13. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
It's scary how only 3 AVs detected it. Proof it doesn't matter what percentage an AV got on a test if it misses the one virus you're actually infected with (avira).
     
  14. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
Hi neo. I don't think you should be embarrassed. It would be embarrassing if you knew it contained a trojan and didn't tell us in fear of ruining your reputation. I think it allows us to trust you if you're not scared to tell us of a small mess-up.
     
  15. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    + 1

    tried test 1 vs keyscrambler and it seems ok.
     
  16. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
  17. agentG

    agentG Registered Member

    Joined:
    Apr 8, 2009
    Posts:
    17
    Hi all,

    I'm at a loss as to why the replaced version is coming up in some checkers as a trojan.

    In an attempt to get to the bottom of this, I have done the following:

    I have released the next version, today (a bit premature as it doesn't have the full featureset yet, but having the next version is a good test).
    You can download here: http://www.aplin.com.au/?page_id=443
    Here is its MD5Sum: 22bf4c3e32e9555eb68ab617ec761dde

    I have checked every line of code - there is NO trojan programmed here.

    If people find that some checkers state that it has a trojan in this new program, I can only suggest two possibilities:
    1. some virus checkers are giving false positives
    2. my compiler is somehow inserting trojan code into the program?
    (...perhaps others more versed in viruses/trojans can suggest other alternatives.)

    To show that I'm serious about security; if I can't resolve this issue to my satisfaction, I will take down Through The Eyes of a Keylogger permanently.

    Neo.
     
  18. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    I believe they are fp's. I am using KIS 09 right now and it still detects it but kaspersky has no information about it. I am guessing kaspersky seems to be catching it based on filename or something since it has no idea what the so-called virus even does.

    See kaspersky detection page: http://www.viruslist.com/en/search?VN=Trojan.Win32.VB.neo

EDIT: Tried with new beta and it is reported clean by Kaspersky IS 09
     
  19. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I wouldn't mind the virus scans but that TF hung worried me a little.
    Anyhow scanning away with MBAM so hopefully nothing will be found.

    will try the new version with TF after that.
     
  20. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I just downloaded it again now
    When I sent it to it virustotal it said it was this

    03e787cab7f69a90a74b6fd1ee361ec4

    MD5 checksum......

    which is also the result that this tool gives.
    http://www.winmd5.com/
     
    Last edited: Apr 8, 2009
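The posts above compare the MD5 the author published with the MD5 computed from the downloaded file; a mismatch means the bytes on disk are not the bytes the author hashed (a re-upload, a different build, or tampering in transit). The following is an added example, not code from the thread or from the tool's author: it streams a file through MD5 and SHA-256 and checks the MD5 against a published value, using a constructed sample file rather than the real download.

```python
import hashlib
import hmac
import os
import tempfile


def file_digests(path, chunk_size=65536):
    """Stream the file once and return (md5_hex, sha256_hex).

    SHA-256 is computed alongside MD5 because MD5 is no longer
    collision resistant; an attacker-supplied file can be made to
    share an MD5 with a benign one, so MD5 only catches accidental
    differences (wrong version, truncated download)."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def verify_download(path, published_md5):
    """Return (matches, computed_md5) for the file at `path`.

    Published hashes are pasted in mixed case and with stray
    whitespace, so normalise before comparing; compare_digest keeps
    the comparison constant-time, which is cheap insurance."""
    computed_md5, _ = file_digests(path)
    expected = published_md5.strip().lower()
    return hmac.compare_digest(computed_md5, expected), computed_md5


def demo():
    """Constructed sample: the file contains the bytes b"abc", not the
    real download. The first check uses the MD5 of b"abc"; the second
    uses the value the author posted, which cannot match this file."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"abc")
        ok_same, _ = verify_download(path, "900150983CD24FB0D6963F7D28E17F72 ")
        ok_other, _ = verify_download(path, "22bf4c3e32e9555eb68ab617ec761dde")
        return ok_same, ok_other
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```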
  21. BrendanK.

    BrendanK. Guest

    Well no lab has said it has a trojan, however, they say it is a privacy risk watching keystrokes...Duhh. :doubt:

    I wonder if they are just analyzing the surface or delving deeper?

    Maybe it's just FP's?
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
No I had a different malware in C:\Windows\system32. The executable itself is listed as general keystroke PUP or something (might be a general classification after this incident)
     
  23. agentG

    agentG Registered Member

    Joined:
    Apr 8, 2009
    Posts:
    17
    Hi all,

    Even though I first reported that Through the Eyes of a Keylogger was infected, I now believe that virus checkers are issuing false positives when scanning the program. I do not know why - this program does not save anything or send anything anywhere - it just presents info on the screen for you to see (information that is lost once you close the program). It does not do any malicious activity.

    Even though I'm 100% sure that these are false positives, and that any malware activity is NOT associated with Through the Eyes, I have removed the utility from my site.

    The tool was supposed to assist people to understand the dangers of keyloggers (and to help me to write better versions of Neo's SafeKeys to combat keyloggers). But I'd rather not have people misunderstand my intentions if they get false positives.

    I'd like to thank the members of this forum in helping me investigate this issue.

    Cheers,

    Neo.
     
    Last edited: Apr 16, 2009
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
No need to remove it when it's clean. U can just post the warning on web site about possible detection by some AVs as malware and it may be even true due to very nature of the software.
     
  25. agentG

    agentG Registered Member

    Joined:
    Apr 8, 2009
    Posts:
    17
    True, but I don't see too many non-tech users wanting to download and use a program that admits it may be blocked by virus checkers as malware.

...my main aim in publishing this tool was to show people what keyloggers are, what they can do, and how insidious they are. In short, to show non-technical people how they shouldn't just do their banking etc. on a public terminal when on holidays (without some form of protection, or knowing the risks).

    I don't think that too many non-technical people would be prepared to run a program that admits to possible detection as malware (albeit incorrectly detected).

    I'm quite happy to send program Through the Eyes of a Keylogger to anyone who would like it - just PM me.
     
    Last edited: Apr 17, 2009