BOClean is intercepting this program b2e.exe (Bat to Exe Converter), which I have to use on my system to get my remote control’s software to run certain programs. It identifies it as a DRP-AGENT.MK.001 VARIANT.
Note that it is not the actual converter (Bat_To_Exe_Converter.exe) that triggers BOClean, nor even the exes that it creates, but when these are executed they create the b2e.exe (and a .bat file) in the temp folder.
I hope this can be fixed, otherwise I won’t be able to use BOClean
Can you please email the file to: malwaresubmit [ at ] comodo.com .
Specify in the subject line " BOClean False Positive ?".
Zip and password protect it with “infected” and include that information in the body.
I’m still having the same problem with 4.27 (updated 2008-09-05).
What seems strange (and I don’t recall happening previously) is that the program I’m running with the exe created by BAT to EXE converter is loading, so it seems that even though BOClean is identifying B2E.EXE as a trojan and says it’s been shut down, B2E.EXE has actually managed to execute before BOClean could stop it.
I’ve used an utility ‘Bat_To_Exe_Converter.exe’ to produce an .exe from a .bat with just a line to launch a program I want to start minimized.
When running the .exe thus created BOClean detects a trojan (BOC header reads ‘DRP-AGENT.MK.001 variant stopped by BOClean’) with a file in the temp dir under local configuration; the message asks Do you want the file removed also?
After answering Yes, SpyBot (TeaTimer) opens warning windows with important registry changes to be allowed or denied, namely: NT startup Value added, entry ‘run’ and ‘open’
Should those changes be allowed? are they performed by BOClean or a consequence of the trojan itself?
Files involved in the infection do not show any virus when checked with AV (Comodo AV, Malwarebytes and AVG).
Could you send up that file so we can take a look at it ? by pm
Just zip it and add it :).
After answering Yes, SpyBot (TeaTimer) opens warning windows with important registry changes to be allowed or denied, namely: NT startup Value added, entry 'run' and 'open'
I think it is as BoClean tries to delete the virus, which is partly located in the registry...
b2e.zip : Contains the .exe infected file that BOClean asks to be removed
bat_and_battoexeconverted.zip: the original .bat file and its conversion to .exe; running this last one seemingly creates b2e.exe under Docs&Settings\local user\local config\Temp\XX.tmp directory (XX changes with execution).
The utility Bat_to_Exe_Converter is about 400K zipped. Please tell me if you want to have a look at it too; it seems it produces dirty execs after all.
[i]Live Malware[/i]. Comodo is in the business of helping secure the internet, not distributing malware. Thus, it is not the appropriate place to attach or link live malware (viruses, trojans, rootkits, etc) to posts. In general, a link to the download site for 'malware' tests/demos and other 'proof of concept' applications are acceptable, provided they are not intended or designed to cause harm to a computer.
I removed the attachments. At best, please only email or PM suspected malware rather than uploading them in the forum.
Well, I reinstalled Boclean and made my own batchfile. Then converted it using this stuff and ran that one… It seems it’s a FP. Have you tried running it again lately as it could be fixed with the latest update.
Btw. shouldn’t Ganda be considered as " Live Malware " ???