Wormkit with a virus???


Drc
24 Oct 2008, 16:44
can anyone tell me why when i try to play worms by using wormkit my antivirus (avira) says something like this:

C:\MicroProse\Worms Armageddon\Wormkit.exe
contains recognition pattern of the DR/Delphi.Gen dropper

yakuza
24 Oct 2008, 17:13
Because your antivirus is wrong.

pisto
24 Oct 2008, 19:37
keep it, it's safe.

your AV recognizes some techniques that might be used by viruses too, but wormkit isn't a virus actually.

bonz
24 Oct 2008, 20:04
> Because your antivirus is wrong.

Nope, not necessarily.
IIRC, CyberShadow once said that the madchook library he uses in WormKit is also often used by virus creators.

franpa
25 Oct 2008, 01:18
My virus scanner goes off about it too, it detects the zip as suspicious (using heuristics) and when decompressed it detected one of the files as a potential virus. none of it was concrete since it was just heuristics though so yeah it should be safe :P

pisto
25 Oct 2008, 14:13
you can check what wormkit does in the sources. and it's only a bunch of lines.

franpa
26 Oct 2008, 01:11
Most will still be using blind faith, not all of us know how to compile and verify it works (in case the compiled build was done from a different source ;)) and not many of us can read code.

Drc
27 Oct 2008, 23:35
i just deleted and downloaded again from cybershadow site and now my antivirus doesn't say anything :D

franpa
28 Oct 2008, 01:28
did you "update" your virus scanner since it was first detected as a virus? :)

Drc
2 Nov 2008, 00:33
> did you "update" your virus scanner since it was first detected as a virus? :)

sure i did that...

now my antivirus says that wormkit.VIR is the virus....i deleted the file and wormkit still works

i don't get how it's possible

CyberShadow
2 Nov 2008, 06:25
Your antivirus probably earlier renamed WormKit.exe to WormKit.VIR, and now found the renamed file.

Drc
2 Nov 2008, 17:30
> Your antivirus probably earlier renamed WormKit.exe to WormKit.VIR, and now found the renamed file.

so i don't need to worry right??? it's not a virus

CyberShadow
2 Nov 2008, 18:47
Correct.

Drc
9 Dec 2008, 00:16
it's not wormkit that is infected but rubberworm...my antivirus deleted all files that i had in my laptop that had rubberworm...

when i download rubberworm wormkit was included that's why my antivirus said that was infected but the real problem is rubberworm

GreeN
9 Dec 2008, 02:04
I would call it more of a culprit, than a problem.

franpa
9 Dec 2008, 04:33
for me, it is a part of WormNAT2 that is being falsely detected :/ wkpackets.dll

Gnork
9 Dec 2008, 15:11
Get yourself a REAL antivirus and stop whining about false alerts: http://www.pandasecurity.com/usa/homeusers/solutions/internet-security/

CyberShadow
9 Dec 2008, 15:38
VirusTotal (http://www.virustotal.com/analisis/5df76a5efa5d72d63d42b9e89c349235) says Panda considers wormkit.zip (same as the one from the website plus wkRubberWorm) a "suspicious file".

Gnork
9 Dec 2008, 16:43
> VirusTotal (http://www.virustotal.com/analisis/5df76a5efa5d72d63d42b9e89c349235) says Panda considers wormkit.zip (same as the one from the website plus wkRubberWorm) a "suspicious file".

This happens only when heuristic scanning is enabled, though. Panda is by default configured to perform heuristic internet scans, but not on local files. And, since wormkit uses techniques which are similar to those used by some viruses, it will/should/must trigger with heuristic mode enabled. ONLY telling it's suspicious what wormkit.exe is up to, but there is NO virus name attached to the message, since it's no virus ;) Any scanner telling you it's BlasterMasterW98.trojan.crap would be wrong.


Firefox will tell me the download has failed and leave a .part file, but the wormkit.zip is still created on the desktop, without problems. and - edit: on a second download try, panda isn't whining at all anymore about wormkit.zip ... maybe it learns from what it encountered a few seconds ago?

Conclusion: it is very likely you'll get a warning message and perhaps not even a chance to download the file. For most people it's a pain in the bleep to configure their antivirus so that such things don't happen. While heuristic scan is kinda very important as well nowadays. Cyber, if various antivirus programs do not like the way wormkit acts, isn't it a good idea to see how you can change the program so that it will act less like a virus?

CyberShadow
9 Dec 2008, 20:00
Sounds like a waste of time to me for the few paranoid-antivirus users out there...

bonz
9 Dec 2008, 21:25
IIRC, it's the MadHook library that CyberShadow has used with Wormkit. Sadly, also virus programmers use it.

Am I right to assume that you used it because it's free/non-commercial?

Muzer
9 Dec 2008, 21:41
No, I think it's commercial. It isn't opensource at least.

Gnork
9 Dec 2008, 21:56
> Sounds like a waste of time to me for the few paranoid-antivirus users out there...

huahwhauwhuhaw actually, yes, you're right ;) hahahhuhwuhuahwuhaw

StoneFrog
9 Dec 2008, 22:49
Some Antivirus programs' "revolutionary worm and spyware detection" is nothing more than looking for certain words in the file name. :\

Try disabling your Antivirus, downloading Wormkit, renaming it? Then enable it again and see if it can tell.

Herc
10 Dec 2008, 00:15
> Get yourself a REAL antivirus and stop whining about false alerts: http://www.pandasecurity.com/usa/homeusers/solutions/internet-security/

Eset's NOD32 is also good (and light) as it is written in assembly and C. Of course, you should not avoid using heuristics or if it detects it as a virus try to put it in an excluded scan list (guess other AVs will also have that option too :-P).

franpa
10 Dec 2008, 00:16
Of course I am fully aware my virus scanner only suspects A virus, it has never shown an actual virus name... it actually shows a message saying that a "suspicious" file was quarantined.

It is not the madchook.dll library, I can scan that a million times without triggering any warnings.

Drc
12 Jan 2009, 03:22
TR/ATRAPS.Gen' [trojan]

this is what my antivirus says when i download wormkit from the website

MihaiS
12 Jan 2009, 03:42
> TR/ATRAPS.Gen' [trojan]
>
> this is what my antivirus says when i download wormkit from the website

My anti-virus says that Wormkit can kill my family and rape my English teacher.

Isn't it obvious by now that Wormkit can put your computer's integrity at risk?

bonz
12 Jan 2009, 09:27
Yes, you're risking endless hours of fun with the additional content in the form of wK modules.
:eek::eek::eek::eek::eek:

Shirdel
14 Jan 2009, 13:18
I have NOD32, and there's no problems with WormKit whatsoever.
But.. That's probably for 2 reasons.
1. I only have WormNAT2 in my WormKitModules folder. (In general)
2. NOD32's ran out. :S