DOS ain't dead
HX updated (DOSX)

posted by Rugxulo, Usono, 22.11.2012, 09:32

> > Which ones in particular flag it?
> They didn't tell in this case. Just this info:

Not sure if this particular DKRNL32.DLL is the same as the one online, I haven't re-downloaded it here locally. Anyways, a quick (re)scan (of the one I do have) via VirusTotal shows 18/43 false positives:

Antivirus             Result                          Update
Agnitum               Trojan.Monder!9aKet0RsdrA       20121121
DrWeb                 Trojan.Virtumod.9813            20121122
Fortinet              W32/Monder.DKMF!tr              20121122
Ikarus                Trojan.Win32.Monder             20121122
K7AntiVirus           Trojan                          20121121
Kaspersky             Trojan.Win32.Monder.dkmf        20121122
Kingsoft              Win32.Troj.Monder.(kcloud)      20121119
McAfee                Generic.dx!b2r4                 20121122
McAfee-GW-Edition     Generic.dx!b2r4                 20121122
Norman                W32/Suspicious_Gen2.FQPJV       20121121
nProtect              Trojan/W32.Monder.80896.DZ      20121121
Panda                 Trj/CI.A                        20121121
TheHacker             Trojan/Monder.dkmf              20121121
TrendMicro            TROJ_GEN.R42Z2JS                20121122
TrendMicro-HouseCall  TROJ_GEN.R42Z2JS                20121122
VBA32                 Trojan.Monder.dkmf              20121122
VIPRE                 Trojan.Win32.Generic!BT         20121122
ViRobot               Trojan.Win32.S.Monder.80896.B   20121122

> ... blah blah blah blah blah ...

rexx -e"do random(1,20) ; say 'Nein sprechen sie Deutsch!' ; end"

(Google Translate helps a little but not much.) :-P :-D

> But a month ago ( there was a "problem" with file ENUMMODE.EXE in ), they told me:
> ... blah blah blah blah blah ...

At least that part was fairly obvious. It does actually make sense to avoid false positives, esp. with the five most popular, but even better if it can be recompiled / reassembled without problematic bits (even if it's really their fault, not yours ... dumb $@%@%$Ss heuristics).

> So I guess they used exactly those scanners again.
> The "problem" in ENUMMODE.EXE was that the code and data section was
> "merged" in the link step ( to save 512 bytes space ). This is something
> you shouldn't do these days if your file is to be public, but back then in
> 2005 it was pretty innocent.

I can't imagine it being a big deal. They must be really dumb to just search for specific bytes only and blindly assume there is no clash in the (big, complex) real world.

> I guess I'm going to switch to a server in West Samoa.

Please don't. Or do, I have no idea if that would be better or not.

Anyways, a quick brute force attempt at isolating the problematic area was this: I copied a random kilobyte of code from further down in DKRNL32.DLL over the header. Granted, it's not valid code anymore, but it at least was an attempt to see if that was the problem area. I rescanned online via VirusTotal and now it passes with 0/42 (and not 0/43, heh, dunno why).

I don't know if that helps, but it's a small hint (maybe). ;-)
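Two things from this thread lend themselves to a small script: the "code and data section merged in the link step" layout that the earlier ENUMMODE.EXE complaint was about, and the brute-force trick above of overwriting one chunk of the file and rescanning to see whether the detection goes away. The following is an added example written for this page, not code from the HX/DOSX project or from anyone in the thread. It walks a PE section table and flags any section that is writable and executable (or marked as code) at the same time, and it implements the overwrite-one-window-and-rescan loop generically. The PE image it builds is a constructed, non-loadable stand-in with an arbitrary trigger byte pattern, and the "scanner" is a toy substring match standing in for whatever the real engines key on; nothing here is derived from DKRNL32.DLL or from any vendor's signature.

```python
"""Added example: flag merged (W+X) PE sections and localise a detection
by overwriting one window at a time. Constructed sample, toy scanner."""
import struct
from dataclasses import dataclass
from typing import Callable, List, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Constructed byte pattern standing in for "whatever the AV engine keys on".
DEMO_TRIGGER = b"\xDE\xAD\xBE\xEF\x13\x37"


@dataclass
class Section:
    name: str
    raw_offset: int
    raw_size: int
    characteristics: int

    def is_merged(self) -> bool:
        """Writable and executable/code at the same time: the layout that
        a linker produces when code and data are merged into one section."""
        exec_like = self.characteristics & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)
        return bool(exec_like) and bool(self.characteristics & IMAGE_SCN_MEM_WRITE)


def parse_sections(pe: bytes) -> List[Section]:
    """Minimal PE section-table walk; the optional header is only skipped."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16, 20 bytes total
    n_sections, opt_size = struct.unpack_from("<2xH12xH2x", pe, coff)
    table = coff + 20 + opt_size
    out = []
    for i in range(n_sections):
        (name, _vsize, _vaddr, raw_size, raw_off,
         _relocs, _lines, _nreloc, _nline, flags) = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        out.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                           raw_off, raw_size, flags))
    return out


def merged_section_names(pe: bytes) -> List[str]:
    return [s.name for s in parse_sections(pe) if s.is_merged()]


def masked_copy(data: bytes, offset: int, length: int, fill: bytes = b"\x00") -> bytes:
    """Copy of data with one window overwritten (fill is a single byte)."""
    end = min(offset + length, len(data))
    return data[:offset] + fill * (end - offset) + data[end:]


def locate_trigger(data: bytes, is_flagged: Callable[[bytes], bool],
                   window: int = 1024) -> List[Tuple[int, int]]:
    """Windows whose overwrite makes the scanner stop flagging the file.
    Every probe is a fresh copy, so the original is never modified; with a
    real engine, is_flagged would be 'submit this copy and read the verdict'."""
    if not is_flagged(data):
        return []
    hits = []
    for off in range(0, len(data), window):
        if not is_flagged(masked_copy(data, off, window)):
            hits.append((off, min(off + window, len(data))))
    return hits


def build_demo_pe() -> bytes:
    """Constructed, non-loadable PE: MZ stub, PE\\0\\0, COFF header with
    SizeOfOptionalHeader=0, three 512-byte sections. 'CODE' is the merged one."""
    names_flags = [
        (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b"CODE", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    hdr_end = 0x40 + 4 + 20 + 40 * len(names_flags)
    raw_off = (hdr_end + 0x1FF) & ~0x1FF          # 512-byte file alignment
    pe = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))
    pe += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names_flags), 0, 0, 0, 0, 0x102)
    for i, (name, flags) in enumerate(names_flags):
        pe += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x200,
                          0x1000 * (i + 1), 0x200, raw_off + 0x200 * i, 0, 0, 0, 0, flags)
    pe += b"\0" * (raw_off - len(pe))
    pe += b"\x90" * 0x200                                                     # .text
    pe += b"\0" * 0x200                                                       # .data
    pe += b"\xCC" * 0x100 + DEMO_TRIGGER + b"\xCC" * (0x100 - len(DEMO_TRIGGER))  # CODE
    return bytes(pe)


def demo_scanner(data: bytes) -> bool:
    """Toy stand-in for an AV verdict: flags the file if the pattern is present."""
    return DEMO_TRIGGER in data


if __name__ == "__main__":
    sample = build_demo_pe()
    print("merged (W+X) sections:", merged_section_names(sample))
    print("windows the toy detection depends on:", locate_trigger(sample, demo_scanner, 512))
```

Run against a real binary, the section check is the one to do before uploading anything: a writable section that also carries code is exactly what the heuristic engines tend to weight, regardless of whether the linker did it to save 512 bytes. The localisation loop is only as good as the scanner behind `is_flagged`; with an online multi-engine service each probe is one upload, so start with a large window (the post used a kilobyte over the header) and halve it inside any window that turns the verdict off.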

