Can changing «SendMessage» call into «PostMessage» in VB6 trigger a virus alert?

Today when I recompiled my application, Comodo Antivirus alerted me at the moment the exe was created that it was infected with «Packed.Win32.Krap.~IC@161670813». So I tried to figure out what things I have changed since the last compilation.

The only thing I can think of (in relation to virus detection) is that I changed «SendMessage» calls into «PostMessage» calls. But they have almost the same functionality. The (only?) difference is that «SendMessage» halts the calling process until the message is received by the window (control) while «PostMessage» doesn’t halt the calling process.

So my question is:
Can changing a «SendMessage» call into a «PostMessage» call cause Comodo Antivirus to start recognizing the compile result as a virus, while it didn’t use to (before the change)?

Did you change something with your packer? F-Secure defines Krap Packer as the following:

Trojan:W32/Krap.B identifies software that has been packed with a particular Packer program known to be frequently used to compress malicious files.

The packer is custom made and has been designed to protect packed files from being debugged, emulated, or unpacked. The code in the packer stub is difficult to read and analyze since it has been obfuscated quite well. There are many decryption loops for the packer code itself which it executes during runtime and the code seems to be polymorphic.

The contents of the packed files are usually password stealers for online games. They may also include some other types of malware such as trojans and worms.

I don’t know of any packer at all. Maybe the default compilation of VB6 involves packaging. In that case I wasn’t aware of it. I have never heard or read that VB6 uses code obfuscation. But I surely haven’t changed that. To speed up the process I have always compiled to native code (instead of P-code).

I don’t use the deploy functionality at all, because I don’t want to bother clients with registry/access issues. When the application subfolder is placed¹ on the client computer² it can be used without any additional installation steps³.

That’s why I don’t understand this. If I had just started a new application and received the alert, I would be blank about it and consider just about anything to be possibly responsible for the alert. But I have been working on this for a couple of years now and have used Comodo scans for at least 1.5 years now. I never had a warning before. So I’m really surprised by the warning.

Because I don’t want to send files to clients which might trigger virus scan alerts I also stopped (months ago) using lcc to make DLLs. I now use PellesC.

¹: Either by copying from a USB stick or unzipping an e-mailed file.
²: On Win 7, not in the «c:\Program Files», … because of the new folder access policy!
³: Like registering COM/ActiveX components.

I could think of one other change which could be causing the alert.

So I made two EXEs, one -A- with the original code:

Private Sub cbChoice(Index As Integer, cancel As Boolean)
    If someCondition Then
        ' Queue only the right-button-down message for the workAround control
        PostMessage workAround.hwnd, WM_RBUTTONDOWN, 0, ByVal 0
    End If
End Sub

and one -B- with the possible fix:

Private Sub cbChoice(Index As Integer, cancel As Boolean)
    If someCondition Then
        ' Queue right-button-down followed by the matching right-button-up
        PostMessage workAround.hwnd, WM_RBUTTONDOWN, 0, ByVal 0
        PostMessage workAround.hwnd, WM_RBUTTONUP, 0, ByVal 0
    End If
End Sub

The scan results:
• A: considered to be infected with Packed.Win32.Krap.~IC@161670813
• B: Ok, clean

Good to know to avoid False Positives!

PS: I think code is better to read using [ quote ] than [ code ]. (Of course without the whitespace!) I had to zoom in a lot to be able to read the [ code ] - [ / code ] block. Maybe caused by browser settings(?) Too much space between the lines, making the characters too small.