Mal/Behav-016

BlitzMax Forums/MaxGUI Module/Mal/Behav-016

Czar Flavius(Posted 2010) [#1]
My friend who is using Sophos anti-virus tried to download a zip containing an exe I made using MaxGUI, but the anti-virus blocked it saying it was "virus/spyware Mal/Behav-016".

I found some more info about this from http://www.sophos.com/security/analyses/viruses-and-spyware/malbehav016.html

I was just wondering if anybody else had a problem similar to this and what I can do to stop my program being flagged up as the spawn of Satan.


skidracer(Posted 2010) [#2]
What anti-virus protection do you have? Have you considered the possibility that your machine itself may be infected and is the cause?

Trend Micro groups 016 with the following:

WORM_AGOBOT.HJ
Aliases: W32/Polybot.gen!irc (McAfee), W32.Gaobot.gen!poly (Symantec), BDS/AGOBOT.241664 (Avira), Mal/Behav-016 (Sophos),
This memory-resident worm exploits certain vulnerabilities to propagate across networks. Like the earlier AGOBOT variants, it takes advantage of the following Windows vulnerabilities: ...


xlsior(Posted 2010) [#3]
and what I can do to stop my program being flagged up as the spawn of Satan.


Find out what anti-virus program he's using, and submit a bug report to its creators reporting a false positive.


Czar Flavius(Posted 2010) [#4]
I have Avast anti-virus.

Here is the file if anybody wants to try it. I literally just compiled the exe, put it in a zip and put it online for him/her to download.

http://uploading.com/files/dc5ca34m/Resource_Allocator.zip/


Raph(Posted 2010) [#5]
This has happened to me plenty. If you used BLide, turn the exe compression off. That's what caused it for me.


Czar Flavius(Posted 2010) [#6]
My exe was using BLide exe compression. I will try it with it disabled and see what happens.


xlsior(Posted 2010) [#7]
BLide's exe compression is using UPX, and UPX can definitely trigger some false positives since quite a few viruses out there also use it to reduce their file size...

UPX replaces the actual exe header with its own loader / decompression stub which then runs the actual compressed exe -- but from a virus scanner's point of view, it really does look very similar to a bunch of real viruses.
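A quick way to see what xlsior is describing, as an added example that is not from the thread and not BLide's or UPX's own code: a small Python script that parses a PE's section table and reports the things a packer heuristic typically keys on. UPX's default PE section names are UPX0 and UPX1; the first is empty on disk but executable (the decompressed program is unpacked into it at run time), the entry point lands in the stub section rather than the first section, and the compressed payload has near-maximal byte entropy. The 7.0 bits/byte threshold is an assumed cut-off, and the PE bytes checked by default are a constructed skeleton laid out like a UPX output, not a real executable; pass a path on the command line to inspect a real file.

```python
import hashlib
import math
import struct
import sys
from collections import Counter
from typing import List, NamedTuple, Tuple

# IMAGE_SCN_* flags from the PE/COFF specification.
SCN_UNINITIALIZED_DATA = 0x00000080
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0  # assumed threshold (bits/byte); compressed or encrypted data sits near 8.0


class Section(NamedTuple):
    name: str
    va: int
    vsize: int
    rawsize: int
    chars: int
    entropy: float


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; 0.0 for an empty buffer."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, sections) read from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    entry, = struct.unpack_from("<I", data, opt + 16)  # same offset in PE32 and PE32+
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)
        raw = data[rawptr:rawptr + rawsize]
        sections.append(Section(name, va, vsize, rawsize, chars, shannon_entropy(raw)))
    return entry, sections


def packer_indicators(data: bytes) -> dict:
    """Heuristics a scanner might key on for a UPX-style packed executable."""
    entry, sections = parse_pe(data)
    entry_sec = next((s for s in sections
                      if s.va <= entry < s.va + max(s.vsize, s.rawsize)), None)
    return {
        "upx_section_names": [s.name for s in sections if s.name.upper().startswith("UPX")],
        # Empty on disk but executable: the packer's decompression target.
        "empty_executable_sections": [s.name for s in sections
                                      if s.rawsize == 0 and s.vsize > 0 and s.chars & SCN_MEM_EXECUTE],
        "writable_executable_sections": [s.name for s in sections
                                         if s.chars & SCN_MEM_EXECUTE and s.chars & SCN_MEM_WRITE],
        "high_entropy_sections": [s.name for s in sections if s.entropy > HIGH_ENTROPY],
        "entry_section": entry_sec.name if entry_sec else None,
        "entry_in_first_section": entry_sec is sections[0] if sections else False,
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 skeleton shaped like UPX output (headers only, not runnable)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    opt_size = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x11010)                 # entry point inside UPX1
    # Deterministic pseudo-random bytes standing in for compressed data (2048 bytes).
    stub = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(64))
    rsrc = bytes(0x200)                                      # all zeros: low entropy

    def sec(name, vsize, va, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)

    table = (sec(b"UPX0", 0x10000, 0x1000, 0, 0, 0xE0000080)
             + sec(b"UPX1", 0x1000, 0x11000, len(stub), 0x200, 0xE0000040)
             + sec(b".rsrc", 0x200, 0x12000, len(rsrc), 0xA00, 0xC0000040))
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(0x200, b"\0")
    return headers + stub + rsrc


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in packer_indicators(blob).items():
        print(f"{key}: {value}")
```

Run it against the constructed sample and every indicator fires; run it against the same program built with BLide's compression turned off and the section names, entry point and entropies come back looking like any other MinGW-linked BlitzMax exe, which is why disabling the packer is the usual fix alongside a false-positive report to the vendor.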