False Positive? (b2e.exe)

BOClean is intercepting this program b2e.exe (Bat to Exe Converter), which I have to use on my system to get my remote control’s software to run certain programs. It identifies it as a DRP-AGENT.MK.001 VARIANT.

I think I downloaded it from here: http://www.download.com/Bat-To-Exe-Converter/3000-2069_4-10555897.html

Note that it is not the actual converter (Bat_To_Exe_Converter.exe) that triggers BOClean, nor even the exes that it creates, but when these are executed they create the b2e.exe (and a .bat file) in the temp folder.

I hope this can be fixed, otherwise I won’t be able to use BOClean :frowning:

Hi m8 :slight_smile:

Can you please email the file to: malwaresubmit [ at ] comodo.com.
Specify in the subject line "BOClean False Positive?".
Zip and password protect it with “infected” and include that information in the body.

Thank you very much :slight_smile:

Greetz, Red.

Hi

Thanks for the reply.

I’ve already e-mailed it in this way to malwaresubmit [at] avlab.comodo.com.

Is this not the correct address anymore? If not, I’ll send it to the address you gave.

The address changed last April. Please send it to the new address :slight_smile:

Greetz, Red.

I’m only a little bit out of date then :slight_smile:

Sent to the correct address now.

Thanks.

Should I have received a response to my e-mail or is it just a case of waiting to see if a future update lets b2e.exe work with BOClean?

I’ve got the latest update (today) and it’s still reporting it as malware.

Yep… You should receive a response or wait for a fix :slight_smile: You can also ask Kevin here.

Josh

This should be improved in the near future.

Greetz, Red.

I’m still having the same problem with 4.27 (updated 2008-09-05).

What seems strange (and I don’t recall happening previously) is that the program I’m running with the exe created by BAT to EXE converter is loading, so it seems that even though BOClean is identifying B2E.EXE as a trojan and says it’s been shut down, B2E.EXE has actually managed to execute before BOClean could stop it.

I’ve used a utility, ‘Bat_To_Exe_Converter.exe’, to produce an .exe from a .bat with just a line to launch a program I want to start minimized.

When running the .exe thus created, BOClean detects a trojan (the BOC header reads ‘DRP-AGENT.MK.001 variant stopped by BOClean’) with a file in the temp dir under local configuration; the message asks “Do you want the file removed also?”
After answering Yes, SpyBot (TeaTimer) opens warning windows with important registry changes to be allowed or denied, namely: NT startup Value added, entries ‘run’ and ‘open’.

Should those changes be allowed? Are they performed by BOClean or are they a consequence of the trojan itself?

Files involved in the infection do not show any virus when checked with AV (Comodo AV, Malwarebytes and AVG).

Regards. Pixel

Could you send up that file so we can take a look at it? By PM.
Just zip it and attach it :).

After answering Yes, SpyBot (TeaTimer) opens warning windows with important registry changes to be allowed or denied, namely: NT startup Value added, entries 'run' and 'open'
I think it is because BOClean tries to delete the virus, which is partly located in the registry...

Xan

I’m attaching a couple of zips:

b2e.zip: contains the .exe infected file that BOClean asks to be removed.
bat_and_battoexeconverted.zip: the original .bat file and its conversion to .exe; running this last one seemingly creates b2e.exe under the Docs&Settings\local user\local config\Temp\XX.tmp directory (XX changes with each execution).

The utility Bat_to_Exe_Converter is about 400K zipped. Please tell me if you want to have a look at it too; it seems it produces dirty execs after all.

What a great forum! Thanks.

Pixel

Xan, what are you doing?

[i]Live Malware[/i]. Comodo is in the business of helping secure the internet, not distributing malware. Thus, it is not the appropriate place to attach or link live malware (viruses, trojans, rootkits, etc.) to posts. In general, a link to the download site for 'malware' tests/demos and other 'proof of concept' applications is acceptable, provided they are not intended or designed to cause harm to a computer.

I removed the attachments. At best, please only email or PM suspected malware rather than uploading them in the forum.

:-[ Totally forgot, sorry Soya, thanks for correcting it

OK, Pixel, sorry for the trouble, but as Soya says, please use one of these ways:

  • send it to me over PM (then you should upload it somewhere, and please add a password to it)
  • send it by e-mail: skixanneke@hotmail.com

Again, I’m sorry Soya (I changed my earlier post a bit) :-[

Xan

Lol ;D

Mods asking members to violate the forum rules :stuck_out_tongue: Btw, shouldn’t Ganda be considered "Live Malware"???

Greetz, Red.

Big APOLOGIES to all. I should have been more careful too.

Xan, I’ve just sent the files by e-mail. Hope they reach you alright.

Thanks again.

Pixel

Here’s the CAMAS report for the ones who could use it…

The program itself :
http://camas.comodo.com/cgi-bin/submit?file=a1562506761c05957b92b9d8fc9d905d6493bde7b0c9becc134db98d0de75a43

The detected file :
http://camas.comodo.com/cgi-bin/submit?file=e101d25e44fbb6ede17b034132de05c472f05efa960bc0ff491bda383691d472

Well, I reinstalled BOClean and made my own batch file. Then I converted it using this stuff and ran that one… It seems it’s a FP. Have you tried running it again lately, as it may have been fixed by the latest update?

See you

Xan

Thanks Xan, I’ve looked at the CAMAS reports; I don’t really know what they are, but they seem reassuring.

Yes; after BOClean’s latest (today’s) update the same thing happens: “DRP-AGENT.MK.001 VARIANT STOPPED BY BOCLEAN”. ¿?

c.u.
Pixel

I e-mailed Comodo, we’ll see what comes out of it :slight_smile:

Xan

Hello Pixel,

The detection has been removed in the latest update. If you still face any problems, let us know.

Regards,
Baskar.