Hi Paul,

Even if one can argue about whether those might be false positives,
given that many modern viruses fail to work in DOS, I definitely
do not like the fact that multiple files got flagged by multiple
antivirus tools and that all files are part of the DOSZIP package!

-rw-r--r-- 1 paul paul 303K 12 Feb  2017 asmc.exe
-rw-r--r-- 1 paul paul   12 12 Feb  2017 build.bat
-rw-r--r-- 1 paul paul  87K 12 Feb  2017 dzrc.exe
-rw-r--r-- 1 paul paul 3,0K 12 Feb  2017 fcmp.exe
-rw-r--r-- 1 paul paul 9,5K 12 Feb  2017 iddc.exe
-rw-r--r-- 1 paul paul 137K 12 Feb  2017 libw.exe
-rw-r--r-- 1 paul paul 301K 12 Feb  2017 linkw.exe
-rw-r--r-- 1 paul paul  965 12 Feb  2017 linkw.lnk
-rw-r--r-- 1 paul paul  26K 12 Feb  2017 make.exe

Most files here have a few (about 4 to 5) detections on virustotal.

I guess the tiny build.bat and linkw.lnk did not get any detections?

make.exe has 9/69:
https://www.virustotal.com/gui/file/2af3a455bcab37663f2fdef1c5a7a55959121b2d7969138b082f0885929aa1c2

After triggering a re-analysis (the original one was 2 years old),
three vendors still flag the file: Palo Alto Networks as generic
ML, VBA32 as BScope.Trojan.Wacatac and Trellix ENS as Artemis
"87D9CDA0A64D".

File metadata says the file is from 2016, "drops 1 file"
and contacts www.microsoft.com and various IPs, including
some suspicious ones related to Lucky Mouse (APT27).

Heuristics complain that it spawns processes (which is not
unusual for MAKE), checks and sets env vars, and juggles files.

On Windows, the file accesses software.exe, sysmain.sdb,
sortdefault.nls, plenty of DLLs, conhost and condrv stuff.
It "drops" a "file" to CONDRV. Sounds vaguely acceptable.

What does not sound good is the list of registry keys used.
Also, MAKE sort of spawns itself and software.exe etc.

Another question is WHY the SOURCES zip inside the DOSZIP
package contains a bunch of compiler EXEs, if I understand
your method of unzipping everything recursively correctly?

Regards, Eric
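The message above looks up each file of the package by its SHA-256 on VirusTotal and asks about the nested SOURCES zip. The following script is an added example, not part of Eric's message or of the DOSZIP/FreeDOS project: it walks a zip image in memory, descends into nested zips (recognised by their PK magic rather than by extension, so a SOURCES zip with an odd name is not missed), hashes every member and prints the VirusTotal URL in the same form as the link above. The package contents are constructed dummy bytes, the "!" path separator and the depth/size caps are my own choices, and the caps exist so that a zip bomb or endlessly nested archive fails loudly instead of eating the triage box.

```python
"""Recursively enumerate and hash the members of a zip package (nested zips
included) and build the VirusTotal lookup URL for each hash.

Constructed triage example; not code from DOSZIP or FreeDOS.
"""
import hashlib
import io
import zipfile
from dataclasses import dataclass
from typing import List

VT_URL = "https://www.virustotal.com/gui/file/{}"   # same form as the link in the mail
ZIP_MAGIC = b"PK\x03\x04"        # local file header of a non-empty zip
MAX_DEPTH = 5                    # assumed cap: refuse deeper nesting (zip-bomb guard)
MAX_MEMBER_BYTES = 64 << 20      # assumed cap: refuse to inflate members above 64 MiB


@dataclass(frozen=True)
class Member:
    path: str       # e.g. "doszip.zip!SOURCES.ZIP!asmc.exe" (separator is my choice)
    size: int
    sha256: str

    @property
    def vt_url(self) -> str:
        return VT_URL.format(self.sha256)


def walk_zip(data: bytes, prefix: str = "", depth: int = 0) -> List[Member]:
    """Return every regular-file member of the zip image `data` and of any zip
    nested inside it. Nested zips are detected by content, not by extension."""
    if depth > MAX_DEPTH:
        raise ValueError(f"nesting deeper than {MAX_DEPTH} at {prefix!r}")
    out: List[Member] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Check the declared size before inflating: a tiny deflated member
            # can expand to gigabytes.
            if info.file_size > MAX_MEMBER_BYTES:
                raise ValueError(
                    f"{prefix}{info.filename}: {info.file_size} bytes exceeds cap")
            blob = zf.read(info)
            path = f"{prefix}{info.filename}"
            if blob.startswith(ZIP_MAGIC):
                out.extend(walk_zip(blob, prefix=path + "!", depth=depth + 1))
                continue
            out.append(Member(path, len(blob), hashlib.sha256(blob).hexdigest()))
    return out


def build_sample_package() -> bytes:
    """Constructed stand-in for a DOSZIP-style package: an outer zip holding a
    few 'binaries' plus a nested SOURCES zip. All contents are dummy bytes."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("asmc.exe", b"MZ" + b"\x00" * 300)      # fake MZ header only
        z.writestr("dzrc.c", b"int main(void){return 0;}\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("make.exe", b"MZ" + b"\x90" * 26000)
        z.writestr("build.bat", b"make.exe\r\n")
        z.writestr("SOURCES.ZIP", inner.getvalue())       # nested zip member
    return outer.getvalue()


if __name__ == "__main__":
    for m in walk_zip(build_sample_package(), prefix="doszip.zip!"):
        print(f"{m.size:>8}  {m.sha256}  {m.path}")
        print(f"          {m.vt_url}")
```

Hashing every member locally first means only the hashes need to leave the machine; the file itself is only uploaded to VirusTotal when the hash is unknown, which matters if the package contains anything you are not allowed to share.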

_______________________________________________
Freedos-devel mailing list
Freedos-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freedos-devel