Virus Warning: Plugin 'Expander'


dschordsch
Junior Member
Posts: 18
Joined: 2015-12-04, 15:05 UTC

Virus Warning: Plugin 'Expander'

Post by dschordsch »

http://totalcmd.net/plugring/expander2.html

This plugin seems to contain a virus.

Do not install it!

I contacted Flint here, but he has not answered yet, so I thought I'd post a warning here.
Hacker
Moderator
Posts: 13052
Joined: 2003-02-06, 14:56 UTC
Location: Bratislava, Slovakia

Post by Hacker »

dschordsch,
Does not really look like it.

Roman
Suppose you press Ctrl+F, select the FTP connection (with a saved password), but instead of clicking Connect, you drop dead.
MVV
Power Member
Posts: 8702
Joined: 2008-08-03, 12:51 UTC
Location: Russian Federation

Post by MVV »

Interesting why AVs find 64-bit versions so suspicious...
ZoSTeR
Power Member
Posts: 1008
Joined: 2004-07-29, 11:00 UTC

Post by ZoSTeR »

I guess it's because of this stuff: "FastMM Embarcadero Edition (c) 2004 - 2011 Pierre le Riche".
Dalai
Power Member
Posts: 9364
Joined: 2005-01-28, 22:17 UTC
Location: Meiningen (Südthüringen)

Post by Dalai »

2ZoSTeR
I don't think so. Every executable (EXE, DLL etc) compiled with a newer Delphi version has this "signature". This applies to my own plugins, too, which have never been flagged as suspicious.

Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64

Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror
dschordsch
Junior Member
Posts: 18
Joined: 2015-12-04, 15:05 UTC

Post by dschordsch »

I just see that even for Total Commander there is one virus warning reported by ClamAV (which is AV software known to be ineffective).

I reported this here and wrote a comment and upvoted the file as not dangerous.

Still, the Expander plugin has 15 detections. The AskParam plugin has 6 detections, both including detections by Avast, which performs well in AV software tests.
karlchen
Power Member
Posts: 4601
Joined: 2003-02-06, 22:23 UTC
Location: Germany

Post by karlchen »

dschordsch wrote: I just see that even for the Total Commander there is one Virus Warning reported by ClamAV [...]
I reported this here and wrote a comment and upvoted the file as not dangerous.
In fact, ClamAV has flagged each and every Total Commander 9.0 beta and RC installation package, 32-bit+64-bit, as "Win.Trojan.Ramnit-5647".
Roughly 5 weeks ago I had reported this as "false positives" to them just like you and told them they were the only ones to identify the TC installers as malicious.
I vaguely suspect such feedback messages are sent to /dev/null immediately.
MX Linux 21.3 64-bit xfce, Total Commander 10.52 64-bit
The people of Alderaan keep on bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine.
The Prophet's Song
dschordsch
Junior Member
Posts: 18
Joined: 2015-12-04, 15:05 UTC

Post by dschordsch »

karlchen wrote: Roughly 5 weeks ago I had reported this as "false positives" to them just like you
Five weeks and nothing happened? That's bad. Do you have a link to your post? I would add this as information to my post here, if you agree.
karlchen
Power Member
Posts: 4601
Joined: 2003-02-06, 22:23 UTC
Location: Germany

Post by karlchen »

Hi, dschordsch.

Actually I have not kept the link. Had not thought it would be necessary. 1st wrong assumption. :oops:
Also had expected to get some kind of automatic receipt confirmation by e-mail. 2nd wrong assumption. :oops:

Hey, by the way. By now T.C. 9.0 rc3 has managed to be identified by 2 AV products as malicious. Last night ClamAV was still alone. :lol:
Some heuristical analysis has finally realized how malicious this harmless looking installer is. Viciously overwrites the previous release candidate. OMG!

Virustotal: tc900x32_rc3.exe
Virustotal: tc900x32_64_rc3.exe

Waiting for more smart sophisticated AV products to follow ...

Cheers,
Karl
dschordsch
Junior Member
Posts: 18
Joined: 2015-12-04, 15:05 UTC

Post by dschordsch »

Hi,
karlchen wrote: By now T.C. 9.0 rc3 has managed to be identified by 2 AV products as malicious
Oh my. I have sent reports to both AV Vendors now. See here.

Regards, dschordsch (aka Nille in the ClamWin forum).
Horst.Epp
Power Member
Posts: 6449
Joined: 2003-02-06, 17:36 UTC
Location: Germany

Post by Horst.Epp »

karlchen wrote: Hi, dschordsch.

Actually I have not kept the link. Had not thought it would be necessary. 1st wrong assumption. :oops:
Also had expected to get some kind of automatic receipt confirmation by e-mail. 2nd wrong assumption. :oops:

Hey, by the way. By now T.C. 9.0 rc3 has managed to be identified by 2 AV products as malicious. Last night ClamAV was still alone. :lol:
Some heuristical analysis has finally realized how malicious this harmless looking installer is. Viciously overwrites the previous release candidate. OMG!

Virustotal: tc900x32_rc3.exe
Virustotal: tc900x32_64_rc3.exe

Waiting for more smart sophisticated AV products to follow ...

Cheers,
Karl
Sorry, but did you ever hear of Antiy-AVL as an AV tool?
That is in the same category as ClamAV, almost useless.
Windows 11 Home x64 Version 23H2 (OS Build 22631.3374)
TC 11.03 x64 / x86
Everything 1.5.0.1371a (x64), Everything Toolbar 1.3.2, Listary Pro 6.3.0.69
QAP 11.6.3.2 x64
dschordsch
Junior Member
Posts: 18
Joined: 2015-12-04, 15:05 UTC

Post by dschordsch »

karlchen wrote: I vaguely suspect such feedback messages are sent to /dev/null immediately.
I just got an email that my false positive report sent to Antiy AV was rejected. The reason was 'Over Quota' which means, 'not enough space to save incoming emails' :shock:

I have now mailed their sales team. Hopefully they forward my mail to someone who can handle this issue.
dschordsch
Junior Member
Posts: 18
Joined: 2015-12-04, 15:05 UTC

Post by dschordsch »

Update:

Seems that the Antiy AVS people have reacted already; it no longer false-detects TC:

https://www.virustotal.com/de/file/99f208920923abf165f66e41ba7d2324f25b568d721b9a815cde3c2b16cd7482/analysis/1477580250/

ClamWin still false-detects it.
karlchen
Power Member
Posts: 4601
Joined: 2003-02-06, 22:23 UTC
Location: Germany

Post by karlchen »

Total Commander 9.0 RC4, no more false positives today. :)
Virustotal - TC 9.0 RC4 32-bit (installer)
Virustotal - TC 9.0 RC4 64-bit (installer)
karlchen
Power Member
Posts: 4601
Joined: 2003-02-06, 22:23 UTC
Location: Germany

Post by karlchen »

Now that totalcmd.net is available again, Virustotal results for expander v2.05 (last updated: 30.06.2014) have not really improved:
Virustotal on wdx_Expander2_0.5.zip (16 / 55)

Oops, Symantec here has just quarantined the files. Reason given: Bad reputation.

Translate this to:
There is no other hint that the files may be malicious than that some fool started shouting "stop, thief", and all others joined him.

This is what I call expert malware analysis. :evil:

...

Looking forward to the day when Symantec prevents me from logging in to my own notebook, because my reputation is too bad. :roll: