Hello,

I scanned my PC with a lot of tools and now I can't find anything left
like malware etc.
Also I'm running a firewall.

But after building a simple VC++ project (with Visual Studio 2003 .NET)
with release-build-configuration, the tool from Trend Micro finds in the
created exe-file the virus pattern from TSPY-Agent.EA.

When I build the same project with debug-build-configuration, the
exe-file seems to be clean.

McAfee, Sophos, and Kaspersky do not find any malware in either the
release or the debug exe-file.
(I'm using the tools from
http://www.elephantboycomputers.com/page2.html#Removing_Malware with
the newest definitions.)

Here is the configuration for the debug-version:
=================================================
<Configuration
    Name="Debug|Win32"
    OutputDirectory="Debug"
    IntermediateDirectory="Debug"
    ConfigurationType="1"
    CharacterSet="2">
    <Tool
        Name="VCCLCompilerTool"
        Optimization="0"
        AdditionalIncludeDirectories="E:\Projects\tool\src\tool"
        PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS"
        MinimalRebuild="TRUE"
        BasicRuntimeChecks="3"
        RuntimeLibrary="5"
        UsePrecompiledHeader="3"
        WarningLevel="3"
        Detect64BitPortabilityProblems="TRUE"
        DebugInformationFormat="4"/>
    <Tool
        Name="VCCustomBuildTool"/>
    <Tool
        Name="VCLinkerTool"
        OutputFile="$(OutDir)/tool.exe"
        LinkIncremental="2"
        GenerateDebugInformation="TRUE"
        ProgramDatabaseFile="$(OutDir)/tool.pdb"
        SubSystem="2"
        ImportLibrary=""
        TargetMachine="1"/>
    <Tool
        Name="VCMIDLTool"/>
    <Tool
        Name="VCPostBuildEventTool"/>
    <Tool
        Name="VCPreBuildEventTool"/>
    <Tool
        Name="VCPreLinkEventTool"/>
    <Tool
        Name="VCResourceCompilerTool"/>
    <Tool
        Name="VCWebServiceProxyGeneratorTool"/>
    <Tool
        Name="VCXMLDataGeneratorTool"/>
    <Tool
        Name="VCWebDeploymentTool"/>
    <Tool
        Name="VCManagedWrapperGeneratorTool"/>
    <Tool
        Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
</Configuration>
========================================

and here for the release-version:
========================================
<Configuration
    Name="Release|Win32"
    OutputDirectory="Release"
    IntermediateDirectory="Release"
    ConfigurationType="1"
    CharacterSet="2">
    <Tool
        Name="VCCLCompilerTool"
        Optimization="2"
        InlineFunctionExpansion="1"
        OmitFramePointers="TRUE"
        PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS"
        StringPooling="TRUE"
        RuntimeLibrary="4"
        EnableFunctionLevelLinking="TRUE"
        UsePrecompiledHeader="3"
        WarningLevel="3"
        Detect64BitPortabilityProblems="TRUE"
        DebugInformationFormat="3"/>
    <Tool
        Name="VCCustomBuildTool"/>
    <Tool
        Name="VCLinkerTool"
        OutputFile="$(OutDir)/tool.exe"
        LinkIncremental="1"
        GenerateDebugInformation="TRUE"
        SubSystem="2"
        OptimizeReferences="2"
        EnableCOMDATFolding="2"
        TargetMachine="1"/>
    <Tool
        Name="VCMIDLTool"/>
    <Tool
        Name="VCPostBuildEventTool"/>
    <Tool
        Name="VCPreBuildEventTool"/>
    <Tool
        Name="VCPreLinkEventTool"/>
    <Tool
        Name="VCResourceCompilerTool"/>
    <Tool
        Name="VCWebServiceProxyGeneratorTool"/>
    <Tool
        Name="VCXMLDataGeneratorTool"/>
    <Tool
        Name="VCWebDeploymentTool"/>
    <Tool
        Name="VCManagedWrapperGeneratorTool"/>
    <Tool
        Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
</Configuration>
=========================================

So the best will be to reinstall all, but now I'm interested in what
is going on in my PC.

Thanks for your help!

Axel
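
When only one build configuration of the same source trips a scanner, listing the settings that differ between the two posted configurations gives the candidates to flip one at a time, so the smallest change that triggers the match can be reported to the vendor as a suspected false positive. The following is an added example, not code from the thread; the names DEBUG, RELEASE, tool_settings and diff_configs are its own.

```python
import xml.etree.ElementTree as ET

# Compiler and linker settings copied from the two configurations posted above;
# the empty <Tool> entries are left out and the line wrapping is this example's.
DEBUG = r'''<Configuration Name="Debug|Win32">
<Tool Name="VCCLCompilerTool" Optimization="0"
 AdditionalIncludeDirectories="E:\Projects\tool\src\tool"
 PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS" MinimalRebuild="TRUE"
 BasicRuntimeChecks="3" RuntimeLibrary="5" UsePrecompiledHeader="3" WarningLevel="3"
 Detect64BitPortabilityProblems="TRUE" DebugInformationFormat="4"/>
<Tool Name="VCLinkerTool" OutputFile="$(OutDir)/tool.exe" LinkIncremental="2"
 GenerateDebugInformation="TRUE" ProgramDatabaseFile="$(OutDir)/tool.pdb"
 SubSystem="2" ImportLibrary="" TargetMachine="1"/>
</Configuration>'''
RELEASE = r'''<Configuration Name="Release|Win32">
<Tool Name="VCCLCompilerTool" Optimization="2" InlineFunctionExpansion="1"
 OmitFramePointers="TRUE" PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS"
 StringPooling="TRUE" RuntimeLibrary="4" EnableFunctionLevelLinking="TRUE"
 UsePrecompiledHeader="3" WarningLevel="3"
 Detect64BitPortabilityProblems="TRUE" DebugInformationFormat="3"/>
<Tool Name="VCLinkerTool" OutputFile="$(OutDir)/tool.exe" LinkIncremental="1"
 GenerateDebugInformation="TRUE" SubSystem="2" OptimizeReferences="2"
 EnableCOMDATFolding="2" TargetMachine="1"/>
</Configuration>'''

def tool_settings(config_xml):
    """Map tool name -> {attribute: value} for one <Configuration> fragment."""
    root = ET.fromstring(config_xml)
    return {t.get("Name"): {k: v for k, v in t.attrib.items() if k != "Name"}
            for t in root.iter("Tool")}

def diff_configs(a_xml, b_xml):
    """Return {(tool, setting): (a_value, b_value)} for every setting that differs.
    None means the setting is absent, so the tool's default applies."""
    a, b = tool_settings(a_xml), tool_settings(b_xml)
    changed = {}
    for tool in sorted(set(a) | set(b)):
        in_a, in_b = a.get(tool, {}), b.get(tool, {})
        for setting in sorted(set(in_a) | set(in_b)):
            if in_a.get(setting) != in_b.get(setting):
                changed[(tool, setting)] = (in_a.get(setting), in_b.get(setting))
    return changed

if __name__ == "__main__":
    # Each printed row is one candidate to flip, on its own, when bisecting the detection.
    for (tool, setting), (dbg, rel) in diff_configs(DEBUG, RELEASE).items():
        print(f"{tool:17} {setting:28} debug={dbg!r:<26} release={rel!r}")
```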

Re: How (not) to create malware (TSPY-Agent.EA) with VC++ .Net? by Mark

Mark
Sun Dec 25 07:05:44 CST 2005

Probably a bog standard false positive, what API does your proggy use?

--
- Mark Randall
http://www.temporal-solutions.co.uk
http://zetech.swehli.com

"Those people that think they know everything are a great annoyance to those
of us who do"
Isaac Asimov



Re: How (not) to create malware (TSPY-Agent.EA) with VC++ .Net? by axel

axel
Sun Dec 25 07:30:02 CST 2005

Here is the header from the Trend Micro tool (I hope it is what you want
to know; if not, please explain it to me, sorry):

/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2005-12-25, 12:36:49, Running scanner "c:\AV-CLS\Trend\TSC.BIN"...
2005-12-25, 12:37:16, Scanner "c:\AV-CLS\Trend\TSC.BIN" has finished running.
2005-12-25, 12:37:16, TSC Log:

Damage Cleanup Engine (DCE) 3.98(Build 1012)
Windows XP(Build 2600: )

Start time : So Dez 25 2005 12:36:55

Load Damage Cleanup Template (DCT) "c:\AV-CLS\Trend\tsc.ptn" (version 690) [success]
....

Thanks, Axel


Re: How (not) to create malware (TSPY-Agent.EA) with VC++ .Net? by Scherbina

Scherbina
Sun Dec 25 11:36:53 CST 2005

If you're sure that your PC is clean of all that spyware, malware, etc.,
then this is the problem of the Trend Micro tool. Seems like they've made a wrong
signature for TSPY-Agent.EA.

--
Vladimir



Re: How (not) to create malware (TSPY-Agent.EA) with VC++ .Net? by axel

axel
Thu Jan 05 10:35:07 CST 2006

Thanks all,
now I'm sure that my PC is clean after formatting.
So the problem is the signature file from Trend!
Axel


Re: How (not) to create malware (TSPY-Agent.EA) with VC++ .Net? by axel

axel
Thu Jan 05 10:36:01 CST 2006

Thanks all,
now I'm sure that my PC is clean after formatting the hard drive.
So the problem is the signature file from Trend!
Axel